Elastic Beanstalk setup with public ALB and EC2 on private subnet failing health check


Question


I am trying to set up a sample Elastic beanstalk app with the ALB being in public subnets (internet facing) and ec2 instances in private subnets in terraform. If I put the ec2 instances in public subnets then the elastic beanstalk app gets created successfully, but in private subnets I get the following error.

The EC2 instances failed to communicate with AWS Elastic Beanstalk, either because of configuration problems with the VPC or a failed EC2 instance. Check your VPC configuration and try launching the environment again.

aws_elastic_beanstalk_environment


  setting {
    namespace = "aws:ec2:vpc"
    name      = "Subnets"
    value     = join(",", module.vpc.private_subnets)
  }

  setting {
    namespace = "aws:ec2:vpc"
    name      = "DBSubnets"
    value     = join(",", module.vpc.private_subnets)
  }

  setting {
    namespace = "aws:ec2:vpc"
    name      = "ELBSubnets"
    value     = join(",", module.vpc.public_subnets)
  }

  setting {
    namespace = "aws:ec2:vpc"
    name      = "AssociatePublicIpAddress"
    value     = "false"
  }

I have also set up vpc endpoints as described in https://aws.amazon.com/premiumsupport/knowledge-center/elastic-beanstalk-instance-failure/

module "endpoints" {
  source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"

  vpc_id             = module.vpc.vpc_id
  security_group_ids = [data.aws_security_group.default.id]

  endpoints = {
    dynamodb = {
      service         = "dynamodb"
      service_type    = "Gateway"
      route_table_ids = module.vpc.private_route_table_ids
      tags            = { Name = "dynamodb-vpc-endpoint" }
    },
    s3 = {
      service         = "s3"
      service_type    = "Gateway"
      route_table_ids = module.vpc.private_route_table_ids
      tags            = { Name = "s3-vpc-endpoint" }
    },
    elasticbeanstalk-app = {
      # interface endpoint
      service_name = aws_vpc_endpoint_service.elasticbeanstalk.service_name
      subnet_ids   = module.vpc.private_subnets
      tags         = { Name = "elasticbeanstalk-app-vpc-endpoint" }
    },
    elasticbeanstalk = {
      # interface endpoint
      service_name        = "com.amazonaws.${var.aws_region}.elasticbeanstalk"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      tags                = { Name = "elasticbeanstalk-${var.aws_region}-elasticbeanstalk-vpc-endpoint" }
    },
    elasticbeanstalk-hc = {
      # interface endpoint
      service_name        = "com.amazonaws.${var.aws_region}.elasticbeanstalk-health"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      tags                = { Name = "elasticbeanstalk-${var.aws_region}-elasticbeanstalk-health-vpc-endpoint" }
    },
    sqs = {
      # interface endpoint
      service_name        = "com.amazonaws.${var.aws_region}.sqs"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      tags                = { Name = "elasticbeanstalk-${var.aws_region}-sqs-vpc-endpoint" }
    },
    cloudformation = {
      # interface endpoint
      service_name        = "com.amazonaws.${var.aws_region}.cloudformation"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      tags                = { Name = "elasticbeanstalk-${var.aws_region}-cloudformation-vpc-endpoint" }
    },
    ec2 = {
      # interface endpoint
      service_name        = "com.amazonaws.${var.aws_region}.ec2"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      tags                = { Name = "elasticbeanstalk-${var.aws_region}-ec2-vpc-endpoint" }
    },
    ec2messages = {
      # interface endpoint
      service_name        = "com.amazonaws.${var.aws_region}.ec2messages"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      tags                = { Name = "elasticbeanstalk-${var.aws_region}-ec2messages-vpc-endpoint" }
    },
  }
}


I have a vpc endpoint even for the elasticbeanstalk-app. The setup is based on AWS beanstalk PrivateLink not connecting.

Security group

data "aws_security_group" "default" {
  name   = "default"
  vpc_id = module.vpc.vpc_id
}

data "aws_vpc_endpoint_service" "dynamodb" {
  service = "dynamodb"

  filter {
    name   = "service-type"
    values = ["Gateway"]
  }
}

data "aws_vpc_endpoint_service" "s3" {
  service = "s3"

  filter {
    name   = "service-type"
    values = ["Gateway"]
  }
}

Answer


In order to be able to connect to service endpoints such as com.amazonaws.[aws_region].elasticbeanstalk or com.amazonaws.[aws_region].elasticbeanstalk-health you need to have a security group which allows HTTP/HTTPS inbound connections.


My assumption is that the aws_security_group.default security group, which is referenced from a data block, is the default security group and it does not allow HTTP/HTTPS inbound connectivity.
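One way to apply the answer above, as an added example that is not part of the question or the answer: instead of attaching the VPC default group to the interface endpoints, give the endpoint ENIs their own security group that accepts HTTPS (443) only from the security group of the Beanstalk instances. The resource names `eb_instances` and `vpc_endpoints` are assumed; `module.vpc` and `var.aws_region` are taken from the question, and only two of the question's endpoints are repeated here to keep the example short.

```hcl
# Added example, not the asker's or answerer's code. Names "eb_instances" and
# "vpc_endpoints" are assumed; module.vpc and var.aws_region come from the question.

# Security group for the Elastic Beanstalk instances. Outbound HTTPS is all the
# agent needs to reach the interface endpoints; the instances have no NAT, so
# 0.0.0.0/0 here only resolves to the endpoint ENIs and the S3/DynamoDB
# gateway prefix lists (a VPC-CIDR-only egress rule would break the gateway endpoints).
resource "aws_security_group" "eb_instances" {
  name   = "eb-instances"
  vpc_id = module.vpc.vpc_id

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Security group for the interface endpoint ENIs. Least privilege: ingress 443
# is granted to the instance group by reference, not to a CIDR, and there is
# no HTTP (80) rule because the AWS service endpoints are TLS only.
resource "aws_security_group" "vpc_endpoints" {
  name   = "vpc-endpoints"
  vpc_id = module.vpc.vpc_id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.eb_instances.id]
  }
}

module "endpoints" {
  source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"

  vpc_id = module.vpc.vpc_id
  # Corrected setting: the dedicated group above replaces
  # [data.aws_security_group.default.id], the VPC default group used in the question.
  security_group_ids = [aws_security_group.vpc_endpoints.id]

  endpoints = {
    elasticbeanstalk = {
      service_name        = "com.amazonaws.${var.aws_region}.elasticbeanstalk"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
    },
    elasticbeanstalk-hc = {
      service_name        = "com.amazonaws.${var.aws_region}.elasticbeanstalk-health"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
    },
  }
}
```

For the rule to match, the instances must actually carry `aws_security_group.eb_instances`: add a `setting` with namespace `aws:autoscaling:launchconfiguration` and name `SecurityGroups` whose value is `aws_security_group.eb_instances.id` to the `aws_elastic_beanstalk_environment` resource. Elastic Beanstalk still creates and attaches its own instance group for the load balancer to application port path, so that traffic is unaffected. A quick check after `terraform apply` is that the environment's health status turns green without the "failed to communicate" error; if it still fails, confirm that `private_dns_enabled` is true on the `elasticbeanstalk` and `elasticbeanstalk-health` endpoints, since otherwise the agent resolves the public service hostnames and has no route to them.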
