Calvin

Reputation: 125

AWS: Why is a public IP required for load-balancing to my private subnet EC2 instances?

I am trying to have an Internet-facing ELB load balance incoming traffic to my private subnet EC2 instances. My Load Balancing Target group reports that my EC2 instances are unhealthy even though they passed all checks on the EC2 page.

What I do not understand is this: if I do attach a Network Interface AND a public IP to my private subnet EC2 instances, then everything works. At the end of the day, my Security Groups still prevent direct external access to my instances, but I do not believe public IP addresses are required, because I understand load balancers to work with internal IP addresses. So what am I not understanding correctly here? Many thanks in advance.

My security/network settings are as follows:

The closest thread I could find is this: How to load balance AWS private subnet EC2 instances, but I've checked through all the items without success.

Upvotes: 1

Views: 2047

Answers (1)

Ravindra Bagale

Reputation: 17673

What is the Private Subnet?

Ans: A private subnet is a subnet which does not have a route to an Internet Gateway.

A route to an Internet Gateway is the only thing which decides whether it is a public subnet or a private subnet.

But your subnet has a route to an Internet Gateway; that means your subnet is a public subnet, and a public subnet needs a public IP.

In your situation your subnet is not a private subnet. Also, an Internet-facing ELB means you are looking to accept connections/requests from the Internet.

To make it a private subnet, remove the route to the Internet Gateway, and use a NAT Gateway if you need Internet access for your instance, or use a Bastion instance if you need to SSH to your instance.

Upvotes: 1
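As an added example (not part of the question or answer above), the following Python applies the answer's rule to route-table data shaped like `aws ec2 describe-route-tables` output: a subnet whose route table has an active route to an Internet Gateway is public, otherwise private. The sample JSON is constructed, and every route table, subnet and gateway ID in it is a placeholder.

```python
import json

# Constructed sample modelled on `aws ec2 describe-route-tables` output
# (not real account data). Two route tables: one with a default route to
# an Internet Gateway, one whose default route goes to a NAT Gateway.
ROUTE_TABLES_JSON = """
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-EXAMPLE-PUBLIC",
      "Associations": [{"SubnetId": "subnet-EXAMPLE-A"}],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-EXAMPLE-PRIVATE",
      "Associations": [{"SubnetId": "subnet-EXAMPLE-B"}],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"}
      ]
    }
  ]
}
"""


def has_igw_route(route_table):
    """True if any active route in this table points at an Internet Gateway."""
    return any(
        route.get("GatewayId", "").startswith("igw-")
        and route.get("State", "active") == "active"
        for route in route_table["Routes"]
    )


def classify_subnets(describe_output):
    """Map each explicitly associated SubnetId to 'public' or 'private',
    using the answer's rule: a route to an Internet Gateway makes it public."""
    result = {}
    for table in json.loads(describe_output)["RouteTables"]:
        kind = "public" if has_igw_route(table) else "private"
        for assoc in table.get("Associations", []):
            if "SubnetId" in assoc:  # the main-table association has no SubnetId
                result[assoc["SubnetId"]] = kind
    return result


if __name__ == "__main__":
    for subnet_id, kind in classify_subnets(ROUTE_TABLES_JSON).items():
        print(f"{subnet_id}: {kind}")
```

Targets reported as "private" by this check are the ones an Internet-facing ELB should reach through the load balancer alone, without a public IP on the instance.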
