Forward Load Balancer from port 443 to EC2 instance port 80 doesn't work

0

My Load Balancer is setup with a listener on port 443 using an Aws certificate. I also added type A record in route 53 to point to the load balancer. My Load balancer point to a target group with port 80 that contains my Ec2 instance. What am I doing wrong?

asked a year ago1711 views
1 Answer
2
Accepted Answer

Need more information, what's the error you're getting?

Assuming the loadbalancer is in an internet-facing subnet, and thus already has an internet gateway and routing table setup, the load-balancer will need a security group that allows ingress on 443/tcp from wherever you're trying to connect from (set it to 0.0.0.0/0 while you're troubleshooting), and egress on 80/tcp to the IP of the EC2 (or to the subnet that it's in).

The EC2 needs a security group with ingress on 80/tcp from the IPs of the load balancer (or the subnet that the loadbalancer's endpoints are in).

I know this question isn't about loadbalancer stickiness per se, but the diagrams in https://docs.aws.amazon.com/prescriptive-guidance/latest/load-balancer-stickiness/subnets-routing.html are really good at illustrating the data flows and routing that are at play here.

If this all looks right then is the loadblancer's healthcheck of the target group coming up green? https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-health-checks.html https://www.youtube.com/watch?v=rSoj7PEvWFY

profile picture
EXPERT
Steve_M
answered a year ago
profile picture
EXPERT
reviewed 23 days ago
profile picture
EXPERT
reviewed 2 months ago
  • Thanks for your answer. The message I get is "504 Gateway Time-out". I think I do have everything like you suggested except allowing EC2 access from loadbalancer on port 80. If I open the port 80 for all access then I'm able to get a response from load balancer. But I don't want port 80 to be open for everyone, just for load balancer. How do I get the load balancer IP address?

  • To find the loadbalancer's IP follow this guide https://repost.aws/knowledge-center/elb-find-load-balancer-ip

    If you limit the EC2 instance's security group rule to just the loadbalancer's current IPs, it means if the IPs change (e.g. the loadbalancer is reprovisioned) then the EC2 will be cut off again. Consider the source being the subnets that the loadbalancer's private IPs are in.

    Smarter still would be for the inbound rule in the EC2's security group to reference the security group that is associated with the loadbalancer https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-referencing

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions