[ACCEPTED]-Amazon ELB in VPC-amazon-vpc

Accepted answer
Score: 196

My teammate and I just have implemented 28 ELB in a VPC with 2 private subnets in different 27 availability zones. The reason you get timeouts 26 is that for each subnet you add to the load 25 balancer, it gets one external IP address. (try 24 'dig elb-dns-name-here' and you will see 23 several IP addresses). If one of these IP 22 address maps a private subnet, it will timeout. The 21 IP that maps into your public subnet will 20 work. Because DNS may give you any one of 19 the IP addresses, sometimes it works, sometimes 18 it times out.

After some back and forth 17 with amazon, we discovered that the ELB 16 should only be placed in 'public' subnets, that 15 is subnets that have a route out to the 14 Internet Gateway. We wanted to keep our 13 web servers in our private subnets but allow 12 the ELB to talk to them. To solve this, we 11 had to ensure that we had a corresponding 10 public subnet for each availability zone 9 in which we had private subnets. We then 8 added to the ELB, the public subnets for 7 each availability zone.

At first, this didn't 6 seem to work, but after trying everything, we 5 recreated the ELB and everything worked 4 as it should. I think this is a bug, or 3 the ELB was just in an odd state from so 2 many changes.

Here is more or less what 1 we did:

  1. WebServer-1 is running in PrivateSubnet-1 in availability zone us-east-1b with security group called web-server.
  2. WebServer-2 is running in PrivateSubnet-2 in availability zone us-east-1c with security group called web-server.
  3. Created a public subnet in zone us-east-1b, we'll call it PublicSubnet-1. We ensured that we associated the routing table that includes the route to the Internet Gateway (ig-xxxxx) with this new subnet. (If you used the wizard to create a public/private VPC, this route already exists.)
  4. Created a public subnet in zone us-east-1c, we'll call it PublicSubnet-2. We ensured that we associated the routing table that includes the route to the Internet Gateway (ig-xxxxx) with this new subnet. (If you used the wizard to create a public/private VPC, this route already exists.)
  5. Created a new ELB, adding to it PublicSubnet-1 and PublicSubnet-2 (not the PrivateSubnet-X). Also, picked the instances to run in the ELB, in this case WebServer-1 and WebServer-2. Made sure to assign a security group that allows incoming port 80 and 443. Lets call this group elb-group.
  6. In the web-server group, allow traffic from port 80 and 443 from the elb-group.

I hope that helps!

Score: 18

The key here is understanding, that you 17 are not "Adding subnets/availability zones" to 16 ELB, but rather specifying what subnets 15 to put ELB instances into.

Yes, ELB is a 14 software load balancer and when you create 13 ELB object, a custom loadbalancing EC2 instance 12 is put into the all subnets that you specified. So 11 for the ELB (its instances) to be accessible, they 10 have to be put into the subnets that have 9 default route configured via IGW (most likely 8 you classified these subnets as public).

So 7 as already was answered above, you have 6 to specify "public" networks for ELB, and 5 those networks should be from the AZs where 4 your EC2 instances are running. In this 3 case ELB instances will be able to reach 2 your EC2 instances (as long as security 1 groups are configured correctly)

Score: 5

We've implemented ELB in a private subnet 13 so the statement that all ELB's need to 12 be public isn't completely true. You do 11 need a NAT. Create a private subnet for 10 the private ELB's, turn on VPC DNS and then 9 make sure the private routing table is configured 8 to go through the NAT. The subnet security 7 groups also need to be setup to allow traffic 6 between ELB and App, and App to DB subnets.

Beanstalk 5 health checks won't work as they can't reach 4 the load balancer, but for services that 3 need to be outside of the public reach this 2 is a good compromise.

Suggested reading to 1 get your VPC architecture started: http://blog.controlgroup.com/2013/10/14/guided-creation-of-cloudformation-templates-for-vpc/.

Score: 2

You must add the following settings.

  1. Public subnet zone b = Server NAT
  2. Private subnet zone c = Server Web
  3. Public subnet zone c = ELB

The 3 trick is routing:

  1. The router to NAT is attach with gateway A.
  2. The router to Server Web is attach to NAT.
  3. The router to Public subnet is attach with gateway A.

ELB details:

1.Zone: Public 2 subnet zone c 2.Instance: Server Web 3.Security 1 Groups: enable ports


More Related questions