My ALB target group shows my private EC2 as unhealthy, even though the app runs fine via SSH. Accessing it through the ALB DNS fails. What could be causing the health checks to fail?

0

I’m currently working on a project to secure an application on AWS, but I've been stuck on something for a while and could use some guidance. Here’s what I’ve done so far:

  • Created an EC2 instance in a private subnet.
  • Created an Application Load Balancer (ALB).
  • Updated the security group of the EC2 instance to allow traffic from the ALB.
  • Launched a bastion host in a public subnet.

I’m able to SSH into the private EC2 instance via the bastion host without any issues. Once inside the bastion host, I can SSH into the private EC2 instance using its private IP. I’ve installed the application on the private EC2 and started the server successfully. However, when I try to access the application using the DNS name of the ALB, the connection fails. Do you have any idea what might be causing this? One thing I do know is that the target group attached to my load balancer is unhealthy and I'm trying to figure out why.

asked 11 days ago
36 views
1 Answer
0

When your ALB target group shows your private EC2 instance as unhealthy despite the application running fine via SSH, there are several potential causes for the health check failures:

  1. Health Check Configuration Issues:
     • The health check path might not be valid or might not return the expected HTTP status code
     • The ALB expects a 200 status code by default, but your application might be returning a different code (like 302 redirect)
     • You may need to modify the acceptable status codes in your target group health check settings
  2. Network Configuration Problems:
     • Ensure your VPC networking is correctly set up with proper routing between the public subnet (where the ALB is) and the private subnet (where your EC2 instance is)
     • Check that the security groups allow traffic on the application port (likely 80 or 443) from the ALB's security group to your EC2 instance
  3. Application Configuration:
     • Verify your application is listening on the correct port and interface (0.0.0.0 to listen on all interfaces, not just localhost)
     • Ensure the application is configured to respond to the health check path
  4. Specific Health Check Failure Reasons:
     • Check the reason code for the unhealthy status in the target group details:
        • "Target.ResponseCodeMismatch" indicates the health checks didn't return an expected HTTP code
        • "Target.Timeout" means health check requests timed out
        • "Target.FailedHealthChecks" could indicate connection issues or malformed responses
        • "Elb.InternalError" points to an internal ALB error
  5. Security and Capacity Issues:
     • Verify the EC2 instance has sufficient capacity to accept connections
     • Double-check both inbound and outbound rules in your security groups

To troubleshoot further, you could:

answered 11 days ago
EXPERT
reviewed 11 days ago
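
The checks listed in the answer above can be run together over saved CLI output. This is an added example, not part of the original answer: the function names, hint wording and sample IDs are assumptions, and the sample data is constructed to mirror the JSON shape of `aws elbv2 describe-target-health` and `aws ec2 describe-security-groups`. It maps each reason code to its likely cause and flags the case where the instance security group admits the ALB on a different port than the one the target is registered on.

```python
# Sample data is constructed; it mirrors the JSON shape of
# `aws elbv2 describe-target-health` and `aws ec2 describe-security-groups`.
HINTS = {
    "Target.ResponseCodeMismatch": "path returned an unexpected HTTP code; fix the path or the success codes",
    "Target.Timeout": "request timed out; check SG rules, routing, and that the app binds 0.0.0.0",
    "Target.FailedHealthChecks": "connection issue or malformed response; confirm the listening port",
    "Elb.InternalError": "internal ALB error, not a target misconfiguration",
}

def sg_allows(instance_sg, alb_sg_id, port):
    """True if an ingress rule admits TCP `port` from the ALB security group.
    Only SG-to-SG references are evaluated here; CIDR rules are ignored."""
    for perm in instance_sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                      # all protocols, all ports
            covered = True
        elif proto == "tcp":
            covered = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        else:
            covered = False
        sources = {p.get("GroupId") for p in perm.get("UserIdGroupPairs", [])}
        if covered and alb_sg_id in sources:
            return True
    return False

def diagnose(target_health, instance_sg, alb_sg_id):
    """Return one finding per unhealthy target, plus an SG finding if the
    target port is not reachable from the ALB security group."""
    findings = []
    for desc in target_health["TargetHealthDescriptions"]:
        tid, port = desc["Target"]["Id"], desc["Target"]["Port"]
        health = desc["TargetHealth"]
        if health["State"] == "healthy":
            continue
        reason = health.get("Reason", "unknown")
        findings.append(f"{tid}:{port} {reason}: {HINTS.get(reason, 'see target group details')}")
        if not sg_allows(instance_sg, alb_sg_id, port):
            findings.append(f"{tid}:{port} no ingress rule for tcp/{port} from {alb_sg_id}")
    return findings

ALB_SG = "sg-alb-example"                      # constructed placeholder IDs
SAMPLE_HEALTH = {"TargetHealthDescriptions": [{
    "Target": {"Id": "i-example", "Port": 8080},
    "TargetHealth": {"State": "unhealthy", "Reason": "Target.Timeout"}}]}
SAMPLE_SG = {"IpPermissions": [                # SSH from bastion, HTTP/80 from ALB
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-bastion-example"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "UserIdGroupPairs": [{"GroupId": ALB_SG}]}]}

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_HEALTH, SAMPLE_SG, ALB_SG)))
```

In the constructed sample the security group does reference the ALB, but only for port 80, while the target is registered on 8080, so the health check times out even though SSH through the bastion works.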