Why not add another rule to the ALB listener to accept and route the IP addresses of the private subnets where the instances reside?
I think you are going to need two ALBs, one Internet-facing and one internal. Both have target groups that contain the same instances/containers. Similar to this architecture: "How to use Multiple load balancer Target Group Support for Amazon ECS to access internal and external service endpoint using the same DNS name".
One way is to use a VPC Endpoint to provide private connectivity between instances. A VPC Endpoint allows instances within a VPC to securely access AWS services such as S3 or DynamoDB without going over the internet. You can create a VPC Endpoint for the target service(s) that your instances need to communicate with (e.g. EC2, ALB) and configure your instances to use the VPC Endpoint as their default route. This will ensure that all traffic to the target service(s) stays within the VPC and does not incur NAT Gateway charges.
You can create a VPC Endpoint for the target service(s) that your instances need to communicate with (e.g. EC2, ALB)
I have tried to create "ec2" or "elasticloadbalancing" endpoints (or both), but with no positive result; the instances still cannot access each other (checked with "curl https://app2.mydomain.com" from the app1 instance).
and configure your instances to use the VPC Endpoint as their default route
Could you describe in a bit more detail what that means? How should I configure our instances for this route?
I have already checked this case. Now the ALB rules have the following conditions to forward traffic:
Host header = app2.mydomain.com
Source IP = 54.54.54.54 (NATGW IP address), 172.31.0.0/16 (this is the VPC CIDR), 10.10.0.0/24 (VPN network, just in case)
The same rule for app1.
I can successfully reach app1 and app2 separately from my PC when the VPN is established, but still cannot access app1-app2 (or app2-app1).
When the internal instances try to hit the ALB, are they using the internal IP or the public IP of the ALB?
I guess it is the public IP of the ALB, because the ALB is internet-facing and its DNS name resolves to public addresses like (name and addresses slightly altered for display):
It is resolved by a record in the private Route53 DNS zone as an internal resource of the VPC. BTW, in the ALB logs I can observe a line like this (when I try to curl app1-app2):
h2 <...> app/alb--development/f6cfe6bba2fb636e 54.201.155.68:45042 - -1 -1 -1 404 - 31 84 "GET https://app1.mydomain.com:443/ HTTP/2.0" "curl/7.81.0" ECDHE-RSA-AES <...> "fixed-response" "-" "-" "-" "-" "-" "-"
And this address 54.201.155.68 looks like the outgoing address of the Internet gateway, right? It seems the request goes outside the VPC anyway and hits the ALB.
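The listener rule conditions quoted earlier in the thread (host header plus the NAT gateway, VPC and VPN source IPs) and the access log line ending in "fixed-response" can be reproduced offline. The following is an added example written for this page, not code from the thread, from the poster, or from AWS. It parses the documented ALB access log field order, evaluates listener rules the way ALB does (all conditions on a rule must hold, any value inside a condition may match, rules are tried in priority order, and the default action is taken when nothing matches), and classifies the client IP the ALB saw against the allowed ranges. The log line is constructed to mirror the posted one (client IP, ELB name, request and status are the posted values; timestamp, trace ID and cipher are made up), the rule priorities, target group names and helper names are assumptions of mine, and the CIDRs are the ones quoted in the thread.

```python
"""Added example for this thread (not AWS code, not the poster's code).

Reproduces offline what the ALB did with the request in the posted log
line: parse the access log record, evaluate the listener rules described
in the thread (host header AND source IP), and say why the default
"fixed-response" action was taken.
"""
from __future__ import annotations

import fnmatch
import ipaddress
import shlex
from dataclasses import dataclass

# Documented ALB access log field order (newer log versions may append more fields).
ALB_FIELDS = [
    "type", "time", "elb", "client", "target",
    "request_processing_time", "target_processing_time", "response_processing_time",
    "elb_status_code", "target_status_code", "received_bytes", "sent_bytes",
    "request", "user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn",
    "trace_id", "domain_name", "chosen_cert_arn", "matched_rule_priority",
    "request_creation_time", "actions_executed", "redirect_url", "error_reason",
    "target_port_list", "target_status_code_list", "classification", "classification_reason",
]

# Constructed sample line: client IP, ELB name, request and status are those of the
# posted line; timestamp, trace ID and cipher are invented. matched_rule_priority is 0
# because no rule matched and the default action ran.
SAMPLE_LOG_LINE = (
    'h2 2023-01-10T12:00:00.000000Z app/alb--development/f6cfe6bba2fb636e '
    '54.201.155.68:45042 - -1 -1 -1 404 - 31 84 '
    '"GET https://app1.mydomain.com:443/ HTTP/2.0" "curl/7.81.0" '
    'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-63bd3a00-0123456789abcdef01234567" '
    '"app1.mydomain.com" "-" 0 2023-01-10T12:00:00.000000Z '
    '"fixed-response" "-" "-" "-" "-" "-" "-"'
)


def parse_alb_log_line(line: str) -> dict:
    """Split a space-delimited, double-quoted ALB access log line into named fields."""
    rec = dict(zip(ALB_FIELDS, shlex.split(line)))
    # "client" is ip:port; the source-ip listener condition is matched on the ip part only.
    ip, _, port = rec["client"].rpartition(":")
    rec["client_ip"], rec["client_port"] = ip, int(port)
    rec["method"], rec["url"], rec["http_version"] = rec["request"].split(" ", 2)
    return rec


@dataclass(frozen=True)
class ListenerRule:
    priority: int
    hosts: tuple          # host-header condition values (ORed; ALB wildcards * and ?)
    source_cidrs: tuple   # source-ip condition values (ORed)
    action: str


def rule_matches(rule: ListenerRule, host: str, client_ip: str) -> bool:
    """Every condition on the rule must hold; inside one condition any value may match."""
    ip = ipaddress.ip_address(client_ip)
    host_ok = not rule.hosts or any(
        fnmatch.fnmatchcase(host.lower(), pattern.lower()) for pattern in rule.hosts
    )
    src_ok = not rule.source_cidrs or any(
        ip in ipaddress.ip_network(cidr) for cidr in rule.source_cidrs
    )
    return host_ok and src_ok


def evaluate_listener(rules, host: str, client_ip: str, default_action: str = "fixed-response"):
    """Try rules in priority order; return (matched priority, action), priority 0 = default rule."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, host, client_ip):
            return rule.priority, rule.action
    return 0, default_action


def classify_client(client_ip: str, vpc_cidr: str, vpn_cidr: str, nat_gw_ip: str) -> str:
    """Say which path the client IP seen by the ALB implies."""
    ip = ipaddress.ip_address(client_ip)
    if ip in ipaddress.ip_network(vpc_cidr):
        return "vpc-private"    # ALB reached on a private address from inside the VPC
    if ip in ipaddress.ip_network(vpn_cidr):
        return "vpn"
    if ip == ipaddress.ip_address(nat_gw_ip):
        return "nat-gateway"    # private-subnet instance that went out and back in via NAT
    return "public-other"       # some other public source that the rule does not allow


# Listener rules as described in the thread: host header AND (NAT GW IP OR VPC CIDR OR VPN CIDR).
# Priorities and target group names are assumptions for this example.
ALLOWED_SOURCES = ("54.54.54.54/32", "172.31.0.0/16", "10.10.0.0/24")
RULES = (
    ListenerRule(10, ("app1.mydomain.com",), ALLOWED_SOURCES, "forward:app1-tg"),
    ListenerRule(20, ("app2.mydomain.com",), ALLOWED_SOURCES, "forward:app2-tg"),
)


def explain(line: str) -> dict:
    """Parse one log line and report what the listener did with it and why."""
    rec = parse_alb_log_line(line)
    priority, action = evaluate_listener(RULES, rec["domain_name"], rec["client_ip"])
    return {
        "client_ip": rec["client_ip"],
        "host": rec["domain_name"],
        "logged_action": rec["actions_executed"],
        "simulated_action": action,
        "matched_priority": priority,
        "client_path": classify_client(rec["client_ip"], "172.31.0.0/16", "10.10.0.0/24", "54.54.54.54"),
    }


if __name__ == "__main__":
    for key, value in explain(SAMPLE_LOG_LINE).items():
        print(f"{key:>18}: {value}")
```

Running it against the constructed line reproduces the posted outcome: the client IP 54.201.155.68 is neither in the VPC CIDR, nor in the VPN range, nor the NAT gateway address, so both rules fail their source-ip condition and the default "fixed-response" (404) runs, which is exactly what the access log records. Feeding the same host with a source inside 172.31.0.0/16 makes the app1 rule match, which is the outcome one would expect if the instances reached the ALB on a private address instead of leaving the VPC.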