Hello Community, I am registering the IPs of a PrivateLink endpoint as targets for a Network Load Balancer. The security group for the PrivateLink endpoint has an ingress rule to accept traffic from the VPC CIDR.
Reachability Analyzer shows that the NLB network interface can reach the PrivateLink endpoint. But when I register the IPs of the PrivateLink endpoint (obtained from the Endpoint console by selecting the correct endpoint and reading the IPs from the Subnets pane below) in a target group for the Network Load Balancer, the health status shows as unhealthy.
Has anyone encountered such an issue before or has any guidance for me?
Adding details
In Account A
NLB --> Privatelink Endpoint
In Account B
Privatelink Endpoint Service --> NLB --> EC2 Instance running httpd service
In Account A, under the PrivateLink endpoint I see Status: Available under Details
In Account A, this is the security group associated with the PrivateLink endpoint
In Account A, the health check for the IP target group is set up like this
In Account B, under Endpoint services I see the endpoint connections
Using the load balancer in Account B, I can query the httpd service running on the EC2 instance in the same account (Account B)
sh-5.2$ curl -v my-nlb-vpce-9fd09754b3184e1d.elb.REGION.amazonaws.com
* Trying 192.168.172.46:80...
* Connected to my-nlb-vpce-9fd09754b3184e1d.elb.REGION.amazonaws.com (192.168.172.46) port 80 (#0)
> GET / HTTP/1.1
> Host: my-nlb-vpce-9fd09754b3184e1d.elb.REGION.amazonaws.com
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 05 Jul 2023 08:36:14 GMT
< Server: Apache/2.4.56 (Amazon Linux)
< Last-Modified: Tue, 04 Jul 2023 22:47:22 GMT
< ETag: "30-5ffb110f96f98"
< Accept-Ranges: bytes
< Content-Length: 48
< Content-Type: text/html; charset=UTF-8
<
<html><body>My first EC2 instance</body></html>
* Connection #0 to host my-nlb-vpce-9fd09754b3184e1d.elb.REGION.amazonaws.com left intact
sh-5.2$
I created an NLB targeting the same PrivateLink IP address in my environment. The conclusion is HEALTHY as follows.
Health checks are set up as follows.
If PrivateLink is available, can you share the security group settings?
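The reply above asks for the security group settings, because the usual cause of an unhealthy IP target that is otherwise reachable is an ingress rule that does not admit the health-check probe itself. The script below is an added example, not code from the thread or from AWS: it takes ingress rules in the shape `aws ec2 describe-security-groups` returns (`IpPermissions`), the CIDRs of the subnets the NLB is deployed in, and the target group's health-check settings, and reports per NLB subnet whether any rule admits the probe. It assumes, as AWS documents for IP targets, that health checks originate from the NLB nodes' private addresses, so a rule that covers the VPC CIDR or every NLB subnet is required; rules that reference another security group (`UserIdGroupPairs`) are ignored, since NLB nodes are matched by address here. The VPC CIDR, subnet CIDRs and sample rule sets are constructed for the example.

```python
"""Offline check: do a VPC endpoint's security-group ingress rules admit
NLB health checks sent to its IP targets?

Added example (not from the thread). Assumptions:
  - rules are dicts shaped like `IpPermissions` from describe-security-groups
  - health checks for IP targets come from the NLB nodes' private IPs, i.e.
    from the NLB's subnet CIDRs inside the VPC
  - rules that reference a security group (UserIdGroupPairs) are not evaluated
"""
import ipaddress


def _protocol_port_match(perm, protocol, port):
    """True if the rule admits `protocol` ("tcp"/"udp") on `port`."""
    proto = perm["IpProtocol"]
    if proto == "-1":                       # "All traffic": no port fields present
        return True
    if proto != protocol:
        return False
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return lo <= port <= hi


def _covering_ranges(perm, source):
    """CIDRs in the rule that contain the whole `source` network (same IP version)."""
    if source.version == 4:
        ranges, key = perm.get("IpRanges", []), "CidrIp"
    else:
        ranges, key = perm.get("Ipv6Ranges", []), "CidrIpv6"
    covering = []
    for r in ranges:
        net = ipaddress.ip_network(r[key], strict=False)
        if source.subnet_of(net):
            covering.append(str(net))
    return covering


def resolve_health_check_port(hc_port, target_port):
    """NLB target groups default HealthCheckPort to the literal 'traffic-port'."""
    return target_port if hc_port == "traffic-port" else int(hc_port)


def health_check_sources_allowed(ingress, nlb_subnet_cidrs, hc_protocol, hc_port, target_port):
    """Map each NLB subnet CIDR to the rule CIDRs that admit the probe from it.

    An empty list for a subnet means probes from NLB nodes in that subnet are
    dropped by the endpoint's security group, so the target is reported
    unhealthy even though data-plane traffic from elsewhere may work.
    """
    port = resolve_health_check_port(hc_port, target_port)
    proto = hc_protocol.lower()
    report = {}
    for cidr in nlb_subnet_cidrs:
        src = ipaddress.ip_network(cidr, strict=False)
        matches = []
        for perm in ingress:
            if _protocol_port_match(perm, proto, port):
                matches.extend(_covering_ranges(perm, src))
        report[cidr] = matches
    return report


def unhealthy_subnets(report):
    """Subnets whose health-check probes no rule admits."""
    return sorted(subnet for subnet, matches in report.items() if not matches)


# --- constructed sample data (hypothetical addressing) ---
VPC_CIDR = "10.0.0.0/16"
NLB_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]      # subnets the consumer-side NLB lives in
SERVICE_PORT = 80                                  # endpoint/service port, httpd in the thread

# Rule set as described in the question: VPC CIDR allowed on the service port
SG_VPC_CIDR = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": VPC_CIDR}]},
]
# Two common mistakes: rule scoped to only one of the NLB subnets, or to the wrong port
SG_ONE_SUBNET = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]
SG_WRONG_PORT = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": VPC_CIDR}]},
]

if __name__ == "__main__":
    for name, sg in [("vpc-cidr", SG_VPC_CIDR), ("one-subnet", SG_ONE_SUBNET), ("wrong-port", SG_WRONG_PORT)]:
        rep = health_check_sources_allowed(sg, NLB_SUBNETS, "TCP", "traffic-port", SERVICE_PORT)
        print(f"{name:11s} {rep}  unhealthy from: {unhealthy_subnets(rep)}")
```

Feed it the real `IpPermissions` list and the NLB's subnet CIDRs; if every subnet comes back with a match, the consumer-side security group is not the problem and the next place to look is the provider side (the endpoint service's own NLB and its target health), since the endpoint forwards the TCP probe across the PrivateLink connection.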
Interesting. I am going to recheck my setup; maybe it is an oversight on my part. I will get back to you with my findings, but thanks for confirming that it can be done.
I have updated my question with a few details. The security group has 3 ingress rules, which will make you wonder, but that's just part of troubleshooting.