Cannot connect to internet-facing NLB forwarding traffic to a private instance


Question


I have configured a cloud with following configuration



  1. VPC with a public and private subnet in two availability zones. Public subnet has an internet gateway and private subnet has a NAT gateway configured
  2. An internet-facing Network Load Balancer allowing TCP traffic configured in both availability zones
  3. A target group to forward traffic from the load balancer
  4. An EC2 instance in private subnet configured with haproxy listening at port 80. Its security group is configured to accept TCP traffic at port 80 from both the subnets in which NLB is configured
  5. Added this instance to the target group, the status is healthy


When I try to hit the NLB DNS it is giving me 'Connection timed-out' error. I am expecting that when I hit NLB DNS it should forward me to the private instance. I have checked many AWS documents such as this link but still cannot find the resolution to this issue. Please feel free to ask for more information if this is not sufficient.

Recommended answer


> Its security group is configured to accept TCP traffic at port 80 from both the subnets in which NLB is configured


When targets are registered by instance-id, the security group for instances behind an Internet-facing NLB need to allow traffic from 0.0.0.0/0 -- or whatever range of public IP addresses need to access them through the balancer -- not just the subnets of the balancer (which are needed for health-checks).



> If your target type is an instance, add a rule to your security group to allow traffic from your load balancer and clients to the target IP.
>
> https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/


Unlike ALB and Classic balancers, NLB traffic has the source address of the external client when the targets are configured by instance-id, and this is the address the security group is matching against.
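The answer's point can be checked against a security group's ingress rules before touching the console. The script below is an added example, not code from the question or answer: it models the security group as the post describes it (only the two NLB subnets allowed on port 80) beside the corrected version (0.0.0.0/0 added for clients), and evaluates which source address the target actually sees for instance-id registration. The rule shape mirrors what `describe_security_groups()` returns in `IpPermissions`; all CIDRs and IPs are constructed, and the behaviour of `ip` targets is an assumption outside what the post covers.

```python
import ipaddress

# Constructed sample values (the post shows no real CIDRs or addresses).
NLB_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24"]   # public subnets the NLB lives in

# Security group as described in the question: port 80 only from the NLB subnets.
SG_BEFORE = [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
              "IpRanges": [{"CidrIp": c} for c in NLB_SUBNETS]}]

# Corrected per the answer: clients reach the instance with their own public IP,
# so they need their own allow rule; the subnet rules stay for health checks.
SG_AFTER = SG_BEFORE + [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def effective_source(client_ip, nlb_node_ip, target_type):
    """Address the target's security group evaluates.
    instance-id targets: the NLB preserves the external client's address (per the answer).
    ip targets: modelled here as the NLB node's private address (assumption)."""
    return client_ip if target_type == "instance" else nlb_node_ip


def sg_allows(permissions, src_ip, port, proto="tcp"):
    """True if any ingress rule admits src_ip on port/proto (SG rules are allow-only)."""
    src = ipaddress.ip_address(src_ip)
    for perm in permissions:
        if perm["IpProtocol"] not in (proto, "-1"):
            continue
        if perm["IpProtocol"] != "-1" and not (
                perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            continue
        for r in perm.get("IpRanges", []):
            if src in ipaddress.ip_network(r["CidrIp"]):
                return True
    return False


def diagnose(permissions, client_ip, nlb_node_ip, target_type, port=80):
    """Returns (health_check_ok, client_ok) for one security group and registration type.
    Health checks originate from the NLB node's private IP inside the NLB subnet."""
    health_ok = sg_allows(permissions, nlb_node_ip, port)
    client_ok = sg_allows(permissions,
                          effective_source(client_ip, nlb_node_ip, target_type), port)
    return health_ok, client_ok


if __name__ == "__main__":
    for label, sg in (("before", SG_BEFORE), ("after", SG_AFTER)):
        print(label, diagnose(sg, "203.0.113.7", "10.0.0.25", "instance"))
```

With the "before" rules the target is healthy (the NLB node's address matches a subnet rule) while the external client is dropped, which is exactly the healthy-but-timing-out symptom in the question.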
