Reputation: 89
I have an internet-facing network load balancer in a public subnet and the associated target group contains instances in a private subnet. When I create my Elastic Beanstalk environment with this setup, my NLB health checks fail as it does not receive data from instances. This issue gets resolved when I add a NAT gateway to a public subnet in my VPC and route outbound traffic from my private subnet through the NAT Gateway. I thought these health checks would be handled internally but this doesn't seem to be the case. Why is this so?
Upvotes: 1
Views: 47
Reputation: 270089
No, but yes.
A NAT Gateway is used for outbound traffic from private subnets to the Internet. It is not used by a Load Balancer, which takes traffic from the Internet, sends it to the EC2 instances and then handles return traffic (all without a NAT Gateway).
It is likely that the problem you are experiencing is due to a problem when the EC2 instances are being launched by Elastic Beanstalk. The instances are likely attempting to install/update some software from the Internet. However, if the EC2 instances are in a private subnet and there is no NAT Gateway, then those instances can't reach the Internet. This means that the web server (and possibly other software) is failing to correctly install, so the instance cannot respond successfully to Health Checks from the Load Balancer.
Your options are:
Upvotes: 3
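An added example, not part of the original answer: a check for the condition the answer describes, deciding from route-table data whether a subnet's instances have any outbound path to the Internet. The input is shaped like the EC2 `DescribeRouteTables` response; the sample data, all IDs, and the function names are constructed for illustration, and a single VPC is assumed.

```python
# Constructed sample shaped like the EC2 DescribeRouteTables response; all IDs are made up.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-example", "State": "active"}]},
    {"RouteTableId": "rtb-nat",
     "Associations": [{"Main": False, "SubnetId": "subnet-private-nat"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "NatGatewayId": "nat-example", "State": "active"}]},
    # Default route whose NAT gateway was deleted: EC2 reports it as a blackhole.
    {"RouteTableId": "rtb-stale",
     "Associations": [{"Main": False, "SubnetId": "subnet-private-stale"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "NatGatewayId": "nat-deleted", "State": "blackhole"}]},
]


def effective_route_table(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def egress_path(route_tables, subnet_id):
    """Return 'nat-gateway', 'internet-gateway' or 'none' for the IPv4 default route."""
    rt = effective_route_table(route_tables, subnet_id)
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue  # not a default route, or a blackhole whose target is gone
        if route.get("NatGatewayId"):
            return "nat-gateway"
        if route.get("GatewayId", "").startswith("igw-"):
            return "internet-gateway"
    return "none"


if __name__ == "__main__":
    for subnet in ("subnet-public", "subnet-private-nat",
                   "subnet-private-stale", "subnet-private-bare"):
        print(subnet, "->", egress_path(SAMPLE_ROUTE_TABLES, subnet))
```

A result of `none` for the subnet holding the Elastic Beanstalk instances matches the failure described above: the load balancer can still reach the instances, but they cannot download anything at launch. The same functions accept the `RouteTables` list from `aws ec2 describe-route-tables` output.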