AWS application load balancer health check is failing with ECS instance due to incorrect Security Group


Question

I'm running an ECS cluster with an ECS service to run a container in it. I'm also using an AWS application load balancer that points to this ECS instance. The container gets stopped every time because of a health check failure, with exit code 143.

Task failed ELB health checks in (target-group arn:aws:elasticloadbalancing:us-east-1:426955121075:targetgroup/cs1-TargetG-UG5G7MZZLBOA/246895af7886b697)

I debugged a lot and found that the Application Load Balancer (ALB) could not reach my ECS instance due to an issue with the Security Group rules attached to the ECS instance.

In my security group, I was allowing HTTP 80, SSH 22, etc. Now the problem is that if I change the ingress/inbound rule to 'All Traffic' with source 'Anywhere', the ALB passes the health check and the container comes into a healthy state; however, if I keep it with HTTP or HTTPS or SSH, the health check fails again, which restarts my container.

May I know what kind of traffic I should allow between the ALB and the ECS instance (other than All Traffic) in my Security Group to make it work?

Answer

Since allowing all traffic is not good practice, also from a security point of view, instead of all traffic, reference a security group.

First of all, your load balancer should have a separate security group which allows traffic from anywhere (inbound rule). The ECS security group should be separate from the load balancer's, and its inbound rule should allow traffic only from the application load balancer's security group. This is called security group referencing.
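The security group referencing the answer describes, written out as an added Terraform example (not part of the original answer). The VPC id and the container's host port are assumed inputs; the ALB group is open to the Internet on the listener port only, and the ECS instance group admits the container port solely from the ALB group.

```hcl
# Assumed inputs, not from the original answer: the VPC id and the
# container's host port (the port the ALB target group health-checks).
variable "vpc_id" {
  type = string
}
variable "container_port" {
  type    = number
  default = 80
}

# Load balancer security group: open to the Internet on the listener port only.
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = var.vpc_id
  ingress {
    description = "HTTP listener from anywhere (add 443 for an HTTPS listener)"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# ECS instance security group: the only inbound rule references the ALB
# security group, so health checks and forwarded client traffic reach the
# container while the port stays closed to everything else.
resource "aws_security_group" "ecs" {
  name   = "ecs-instance-sg"
  vpc_id = var.vpc_id
  ingress {
    description     = "Container port from the ALB security group only"
    from_port       = var.container_port
    to_port         = var.container_port
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

With ECS bridge networking and dynamic host port mapping, widen the ECS ingress rule from the single container port to the instance's ephemeral port range; the source stays the ALB security group, not a CIDR.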
