By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Unreachable Application Load Balancer

0

Hi there,

I'm new to AWS ALB and have been trying for a few days to find what is wrong with my setup:

  • I have two instances in two AZs. These instances can be accessed correctly using HTTP and SSH through their public IP addresses. The security groups associated with the instances allow all traffic from any source. The subnets they are associated to include a route to the VPC IGW. Network ACLs associated with these subnets allow all traffic.
  • These instances are referenced in a target group and show up as healthy. I can see the healthchecks traffic on the instances.
  • The load balancer is set up with a listener for HTTP and forwards everything to the target group. The load balancer is associated with the two subnets the instances are located in. The security group associated with the load balancer allows all traffic. The load balancer shows up as Active. The monitoring doesn't show anything.

I have been trying to connect to the load balancer name from several locations, the DNS resolution works but the connection fails. I can see TCP SYN packets leaving to the load balancer addresses but no reply. Ping does not get any reply either but I guess this is normal. Traceroute goes all the way to AWS network. For testing I have also set up another listener that should just send back a static response without communicating with the instances. I don't receive any response from this second listener either. I've followed the LB trouble shooting instructions (https://repost.aws/knowledge-center/elb-troubleshoot-connection-errors) without success. Is there anything that I am missing ? Any test that I could do to identify the source of the problem ?

Thanks !

Paul

3 Answers
1
Accepted Answer

Problem solved: It was just a wrong security group associated with the load balancer. To find that the VPC flow logs were very helpful.

answered 2 years ago
  • I have exactly the same issue. The security group associated with the load balancer is the "default VPC security group", which have very permissive settings allowing all traffic on all ports. In what way was your security group wrong? I would be very grateful to hear more how you solved it. Thanks!

0

Thanks for the answer. The ALB is Internet Facing. Where is the ALB located in the VPC ? Is it between the IGW and the subnets ? Is there a way to capture flows before they reach the ALB in the VPC ?

answered 2 years ago
  • ALB is between the Internet Gateway and the subnet.
    What is the HTTP status code when accessing ALB?
    504(Gateway Timeout)?

0

Are you creating ALB for internal use?
If accessed from the outside, it must be created with Internet Facing.

profile picture
EXPERT
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions