Hello.
How about loosening the security group settings a little to find the cause?
For example, try setting the outbound rule of the security group attached to the ALB to allow all traffic.
Also, if you set the EC2 inbound rule to allow connections from 0.0.0.0/0, does the health check succeed?
Is the correct EC2 security group attached?
Please check whether the launch template settings are incorrect and the wrong security group is being attached.
I think you are overcomplicating the configuration with these outbound rules in the ALB security group:
Outbound rules:
Destination: auto-scaling-group-sg Port: 80 (HTTP)
Destination: auto-scaling-group-sg Port: 443 (HTTPS)
Destination: auto-scaling-group-sg Port: 8000 (Custom TCP)
As Gary pointed out above, this binds your ALB and ASG security groups, so if you create a new group for the ASG, it won't work until the reference from the ALB group is broken. I would allow all outbound connections from the ALB security group, as these are limited by your listener configuration anyway. The ALB won't connect anywhere except to the backends registered to it.
Thank you for your answer.
I may have found the source of the problem, which I find incomprehensible.
Before creating the AMI, I put a security group on my EC2 instance allowing all traffic on ports 80 and 443. In tests, everything worked.
I now realize that each instance created from this AMI is inaccessible if it has a different security group from the one used when the image was created, even if the VPC and rules are IDENTICAL!
On the other hand, if I set the same security group as the original instance, it works.
What could be the cause of this? It looks like the instance and the AMI are linked to the security group and not to the rules? Is this possible?
I've tried changing the security group of the original instance, still with the same rules: the site becomes inaccessible! I've never encountered this.
I've never seen such a situation either.
For now, try allowing HTTP at 0.0.0.0/0 in the inbound rule of the security group set for EC2 and see if it succeeds.
AMIs are not tied to security groups, meaning the setting is not inherited. When you launch an instance manually or in an ASG, you still need to define the security group you want to use. Remember that it will not work with a different security group even if the rules are identical, because your ALB security group references a specific security group in its outbound rules, and the new group is a different one.
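The two answers above (the one recommending open egress on the ALB group, and the one explaining why an identical-looking group still fails) describe the same mechanism: a security group reference in a rule matches by group ID, not by rule contents. The following is an added example, not code from the thread or from AWS, that models that check offline. It builds constructed security-group records in the shape returned by `aws ec2 describe-security-groups` (the group IDs are made up), tests whether the ALB group can reach an instance group on a given port in both directions, and shows the effect of the suggested fix of allowing all outbound traffic from the ALB group. Only `0.0.0.0/0` is treated as a matching CIDR, since the example does not know the instances' private addresses.

```python
from copy import deepcopy

# Constructed sample data shaped like `aws ec2 describe-security-groups`
# output, trimmed to the fields used here. All group IDs are made up.
ALB_SG_ID = "sg-0aaaaaaaaaaaaaaa1"
OLD_ASG_SG_ID = "sg-0bbbbbbbbbbbbbbb1"  # group named in the ALB egress rules
NEW_ASG_SG_ID = "sg-0ccccccccccccccc1"  # new group with identical rules


def _sg_rule(proto, port, cidrs=(), groups=()):
    """Build one IpPermissions entry. Protocol '-1' means all traffic."""
    rule = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}
    if proto != "-1":
        rule["FromPort"] = port
        rule["ToPort"] = port
    return rule


ALB_SG = {
    "GroupId": ALB_SG_ID,
    "IpPermissions": [_sg_rule("tcp", 80, cidrs=["0.0.0.0/0"]),
                      _sg_rule("tcp", 443, cidrs=["0.0.0.0/0"])],
    # Outbound rules as posted in the thread: pinned to one ASG group by ID.
    "IpPermissionsEgress": [_sg_rule("tcp", 80, groups=[OLD_ASG_SG_ID]),
                            _sg_rule("tcp", 443, groups=[OLD_ASG_SG_ID]),
                            _sg_rule("tcp", 8000, groups=[OLD_ASG_SG_ID])],
}


def _instance_sg(group_id):
    """Instance group that admits HTTP/HTTPS from the ALB group only."""
    return {"GroupId": group_id,
            "IpPermissions": [_sg_rule("tcp", 80, groups=[ALB_SG_ID]),
                              _sg_rule("tcp", 443, groups=[ALB_SG_ID])],
            "IpPermissionsEgress": [_sg_rule("-1", None, cidrs=["0.0.0.0/0"])]}


OLD_ASG_SG = _instance_sg(OLD_ASG_SG_ID)
NEW_ASG_SG = _instance_sg(NEW_ASG_SG_ID)


def _rule_allows(rule, port, peer_sg_id):
    """True if one rule covers TCP `port` to/from the group `peer_sg_id`.

    Group references are compared by ID only; that is exactly why a new
    group with the same rules does not satisfy a rule naming the old one.
    """
    if rule["IpProtocol"] not in ("-1", "tcp"):
        return False
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    if any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
        return True
    return any(p["GroupId"] == peer_sg_id for p in rule.get("UserIdGroupPairs", []))


def alb_can_reach(alb_sg, instance_sg, port):
    """Return a list of problems; an empty list means the path is open.

    Both directions matter: the ALB group must let the connection out and
    the instance group must let it in, or the health check never succeeds.
    """
    problems = []
    if not any(_rule_allows(r, port, instance_sg["GroupId"])
               for r in alb_sg["IpPermissionsEgress"]):
        problems.append(f"egress: {alb_sg['GroupId']} does not allow "
                        f"tcp/{port} to {instance_sg['GroupId']}")
    if not any(_rule_allows(r, port, alb_sg["GroupId"])
               for r in instance_sg["IpPermissions"]):
        problems.append(f"ingress: {instance_sg['GroupId']} does not allow "
                        f"tcp/{port} from {alb_sg['GroupId']}")
    return problems


def with_allow_all_egress(alb_sg):
    """The fix suggested in the thread: stop pinning ALB egress to one group."""
    fixed = deepcopy(alb_sg)
    fixed["IpPermissionsEgress"] = [_sg_rule("-1", None, cidrs=["0.0.0.0/0"])]
    return fixed


if __name__ == "__main__":
    for name, sg in (("old group", OLD_ASG_SG), ("new group", NEW_ASG_SG)):
        print(name, "pinned egress:", alb_can_reach(ALB_SG, sg, 80) or "OK")
        print(name, "open egress:  ",
              alb_can_reach(with_allow_all_egress(ALB_SG), sg, 80) or "OK")
```

Run the check with the port the target group's health check actually uses, which is not always the traffic port. Opening all egress on the ALB group is the low-risk side of the fix, because the load balancer only initiates connections to its registered targets; the instance group should keep its inbound rule scoped to the ALB group rather than `0.0.0.0/0` once the diagnosis is done.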