
EC2 instances unhealthy when created via ASG using cdk.


I am creating an ASG which will have a classic load balancer. The desired number of instances is 5. I am starting the ASG creation using user data, but even after experimenting multiple times the load balancer shows unhealthy hosts. I changed the subnet type of the VPC to public, but the number of healthy hosts for the ELB remains 0. Below is the code segment:

    import software.amazon.awscdk.services.autoscaling.AutoScalingGroup;
    import software.amazon.awscdk.services.ec2.*;
    import software.amazon.awscdk.services.elasticloadbalancing.*;

    Vpc vpc = new Vpc(this, "MyVPC");
    AutoScalingGroup asg = AutoScalingGroup.Builder.create(this, "AutoScalingGroup")
            .vpc(vpc)
            .vpcSubnets(SubnetSelection.builder().build()) // empty selection = the VPC's private subnets (egress via NAT)
            .instanceType(InstanceType.of(InstanceClass.BURSTABLE2, InstanceSize.MICRO))
            // new AmazonLinuxImage() defaults to Amazon Linux 1, which has no systemctl; pin Amazon Linux 2 for the script below
            .machineImage(AmazonLinuxImage.Builder.create().generation(AmazonLinuxGeneration.AMAZON_LINUX_2).build())
            .minCapacity(1).desiredCapacity(5).maxCapacity(10)
            .build();
    // addUserData takes one shell command per argument; CDK prepends the #!/bin/bash line itself
    asg.addUserData(
            "yum update -y",
            "yum install -y httpd",
            "systemctl start httpd",
            "systemctl enable httpd",
            "echo \"<h1>Hello World from $(hostname -f)</h1>\" > /var/www/html/index.html");
    LoadBalancer loadbalancer = LoadBalancer.Builder.create(this, "ElasticLoadBalancer")
            .vpc(vpc)
            .internetFacing(Boolean.TRUE)
            .healthCheck(HealthCheck.builder().port(80).build()) // original line was cut off here; TCP check on the httpd port
            .build();
    ListenerPort listenerPort = loadbalancer.addListener(LoadBalancerListener.builder().externalPort(80).build());
    // Register the ASG as the ELB's target; this also grants the ELB's security group access to the instances on port 80
    loadbalancer.addTarget(asg);

Also, the instances that are created by default via the ASG cannot be accessed on the web (by hitting their public IP). Even after changing the security groups or placing them all in a public subnet, they are not accessible from Instance Connect, and the load balancer does not show these hosts as healthy either.

1 Answer

It sounds like you probably have some sort of connectivity issue. Make sure all of these are correct:

  • Security group on ELB is allowing inbound traffic from your clients and outbound traffic to the ASG instances
  • Security Group on the ASG instances is allowing inbound traffic on port 80 from the ELB
  • NACLs (Network ACLs) for the ELB subnets are allowing traffic to flow both to/from clients as well as to/from the ASG instances
  • The ELB is set to public if your clients are coming in over the Internet; private if they're in the VPC or over Peering/VPN/etc
  • The ELB subnets have a route table allowing the clients to connect to them

Some tests you can do to narrow down the issue:

  • From an instance in the same subnet with the same security group as the ELB, try to curl one of the non-working instances directly. If this can connect then you know the security groups on both are working correctly. If it times out there may be a security group or firewall issue. If it gets 'connection refused' then the webserver isn't running/listening correctly.
  • Try the same thing from an instance in the ELB's subnet. This will test if the NACLs are working correctly.
answered 14 days ago
