Elastic Beanstalk setup with public ALB and EC2 on private subnet failing health check
Question
I am trying to set up a sample Elastic Beanstalk app with the ALB in public subnets (internet facing) and the EC2 instances in private subnets, using Terraform. If I put the EC2 instances in public subnets the Elastic Beanstalk app gets created successfully, but in private subnets I get the following error.
The EC2 instances failed to communicate with AWS Elastic Beanstalk, either because of configuration problems with the VPC or a failed EC2 instance. Check your VPC configuration and try launching the environment again.
aws_elastic_beanstalk_environment
setting {
  namespace = "aws:ec2:vpc"
  name      = "Subnets"
  value     = join(",", module.vpc.private_subnets)
}
setting {
  namespace = "aws:ec2:vpc"
  name      = "DBSubnets"
  value     = join(",", module.vpc.private_subnets)
}
setting {
  namespace = "aws:ec2:vpc"
  name      = "ELBSubnets"
  value     = join(",", module.vpc.public_subnets)
}
setting {
  namespace = "aws:ec2:vpc"
  name      = "AssociatePublicIpAddress"
  value     = "false"
}
module "endpoints" {
  source             = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
  vpc_id             = module.vpc.vpc_id
  security_group_ids = [data.aws_security_group.default.id]
  endpoints = {
    dynamodb = {
      service         = "dynamodb",
      service_type    = "Gateway"
      route_table_ids = module.vpc.private_route_table_ids
      tags            = { Name = "dynamodb-vpc-endpoint" }
    },
    s3 = {
      service         = "s3",
      service_type    = "Gateway"
      route_table_ids = module.vpc.private_route_table_ids
      tags            = { Name = "s3-vpc-endpoint" }
    },
    elasticbeanstalk-app = {
      # interface endpoint
      service_name = aws_vpc_endpoint_service.elasticbeanstalk.service_name
      subnet_ids   = module.vpc.private_subnets
      tags         = { Name = "elasticbeanstalk-app-vpc-endpoint" }
    },
    elasticbeanstalk = {
      # interface endpoint
      service_name        = "com.amazonaws.${var.aws_region}.elasticbeanstalk"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      tags                = { Name = "elasticbeanstalk-${var.aws_region}-elasticbeanstalk-vpc-endpoint" }
    },
    elasticbeanstalk-hc = {
      # interface endpoint
      service_name        = "com.amazonaws.${var.aws_region}.elasticbeanstalk-health"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      tags                = { Name = "elasticbeanstalk-${var.aws_region}-elasticbeanstalk-health-vpc-endpoint" }
    },
    sqs = {
      # interface endpoint
      service_name        = "com.amazonaws.${var.aws_region}.sqs"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      tags                = { Name = "elasticbeanstalk-${var.aws_region}-sqs-vpc-endpoint" }
    },
    cloudformation = {
      # interface endpoint
      service_name        = "com.amazonaws.${var.aws_region}.cloudformation"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      tags                = { Name = "elasticbeanstalk-${var.aws_region}-cloudformation-vpc-endpoint" }
    },
    ec2 = {
      # interface endpoint
      service_name        = "com.amazonaws.${var.aws_region}.ec2"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      tags                = { Name = "elasticbeanstalk-${var.aws_region}-ec2-vpc-endpoint" }
    },
    ec2messages = {
      # interface endpoint
      service_name        = "com.amazonaws.${var.aws_region}.ec2messages"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      tags                = { Name = "elasticbeanstalk-${var.aws_region}-ec2messages-vpc-endpoint" }
    },
  }
}
I have a VPC endpoint even for the elasticbeanstalk-app. The setup is based on "AWS beanstalk PrivateLink not connecting".
Security groups
data "aws_security_group" "default" {
  name   = "default"
  vpc_id = module.vpc.vpc_id
}
data "aws_vpc_endpoint_service" "dynamodb" {
  service = "dynamodb"
  filter {
    name   = "service-type"
    values = ["Gateway"]
  }
}
data "aws_vpc_endpoint_service" "s3" {
  service = "s3"
  filter {
    name   = "service-type"
    values = ["Gateway"]
  }
}
Recommended answer
In order to be able to connect to service endpoints such as com.amazonaws.[aws_region].elasticbeanstalk or com.amazonaws.[aws_region].elasticbeanstalk-health, you need to have a security group which allows HTTP/HTTPS inbound connections.
My assumption is that the aws_security_group.default security group, which is referenced from a data block, is the default security group and it does not allow HTTP/HTTPS inbound connectivity.
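As an added example (not code from the question or the answer), here is a Terraform fragment that replaces the VPC default security group on the interface endpoints with a dedicated one that admits HTTPS only from the Beanstalk instances, and attaches a matching instance group to the environment. The resource names eb_instances, vpc_endpoints and app are assumptions, and the other arguments of the environment and the endpoint map are omitted.

```hcl
# Security group for the instances Elastic Beanstalk launches (name assumed).
# Ingress from the ALB lives in the Beanstalk-managed group and is not shown.
resource "aws_security_group" "eb_instances" {
  name   = "eb-instances"
  vpc_id = module.vpc.vpc_id
}

# Security group attached to the interface endpoints instead of "default":
# TLS on 443 in, only from the instance group, nothing else.
resource "aws_security_group" "vpc_endpoints" {
  name   = "vpc-endpoints"
  vpc_id = module.vpc.vpc_id

  ingress {
    description     = "HTTPS from Beanstalk instances to interface endpoints"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.eb_instances.id]
  }
}

# Outbound HTTPS from the instances to the endpoints. Security groups are
# stateful, so the endpoint responses need no rule of their own.
resource "aws_security_group_rule" "eb_instances_to_endpoints" {
  type                     = "egress"
  security_group_id        = aws_security_group.eb_instances.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.vpc_endpoints.id
}

# Point the endpoint module at the new group ...
module "endpoints" {
  source             = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
  vpc_id             = module.vpc.vpc_id
  security_group_ids = [aws_security_group.vpc_endpoints.id]
  # endpoints = the same map as in the question
}

# ... and add the instance group to the environment's launch configuration.
resource "aws_elastic_beanstalk_environment" "app" {
  # name, application, solution stack and the VPC settings omitted
  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name      = "SecurityGroups"
    value     = aws_security_group.eb_instances.id
  }
}
```

After applying, a failing health check that was caused by the default group can be confirmed fixed by checking that the endpoint ENIs now carry the vpc-endpoints group and that the instances reach the elasticbeanstalk-health endpoint on 443.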