Does an Elastic Beanstalk Web Server Environment Need a Public Elastic IP?

1

I am very new to AWS, so I appreciate any help in advance, but I was wondering if it's required for an Elastic Beanstalk environment to have a public IP / Elastic IP address? I have a load balancer that is set up to point to that Elastic Beanstalk instance, but whenever I remove the Elastic IP (I'm messing around seeing what does what) it starts to fail the health checks. It will even fail if I specify an IP address type target group and provide the private IP address. The security groups look alright and allow traffic from the LB sec group to the instance sec group over the health check port.

So I'm curious if you have to have your Elastic Beanstalk EC2 instance exposed with a public IP for the load balancer to register it, or is there a way to keep all of that behind the curtain and just have the LB communicate with the instance via the instance's private IP address?

asked 3 years ago, 2.5K views
1 Answer
0

Hello Bansheebomb, to answer your question about whether Elastic Beanstalk environments require a public IP or Elastic IP address:

Public IP requirement: Elastic Beanstalk environments do not inherently require a public IP or Elastic IP address. It's possible to run Elastic Beanstalk environments in private subnets without public IPs.

Load Balancer communication: A load balancer can communicate with EC2 instances using their private IP addresses, even if the instances don't have public IPs. This is a common and secure setup.

Health check failures: The health check failures you're experiencing when removing the Elastic IP are likely due to misconfiguration rather than a requirement for public IPs. Here are some possible reasons:

a. Security Group configuration: Ensure that the security group attached to your EC2 instances allows inbound traffic from the load balancer's security group on the health check port.

b. Routing: Check that the route tables for the subnets where your EC2 instances are located have the correct routes to allow traffic from the load balancer.

c. Target Group configuration: Make sure your target group is configured to use the correct port and protocol for health checks, and that it's set to use private IP addresses for targets.

Best practices: It's actually a security best practice to keep your application servers (EC2 instances) in private subnets and only expose them through a load balancer in a public subnet. This setup provides an additional layer of security.

To resolve your issue and set up a more secure architecture:

  1. Place your Elastic Beanstalk EC2 instances in private subnets.
  2. Configure your load balancer to be in public subnets.
  3. Update the target group to use private IP addresses of the EC2 instances.
  4. Ensure the security groups are correctly configured to allow traffic from the load balancer to the EC2 instances on the necessary ports.
  5. Verify that the route tables for the private subnets have the correct routes to allow traffic from the load balancer.

If you're still experiencing issues after making these changes, we would need more specific information about your VPC setup, security groups, and load balancer configuration to provide more targeted assistance.

Remember, for security reasons, it's generally better to keep your application instances private and only expose them through a load balancer. This approach reduces the attack surface of your application.

Best of luck and thank you for using AWS!

Brian

AWS
answered 2 months ago
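
One way to check item (a) and step 4 of the answer above offline, as an added example that is not part of the original answer or any AWS tooling. It audits an instance security group in the JSON shape returned by `aws ec2 describe-security-groups`; the function names and the `sg-...-EXAMPLE` IDs are hypothetical, and the sample data is constructed.

```python
import json

# Constructed sample in the shape returned by
# `aws ec2 describe-security-groups`; all IDs are placeholders.
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-instance-EXAMPLE",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "UserIdGroupPairs": [{"GroupId": "sg-lb-EXAMPLE"}], "IpRanges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
  ]}]}
""")

def _covers(rule, port):
    """True if an ingress rule applies to TCP traffic on `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit_instance_sg(sg, lb_sg_id, health_port):
    """Report whether the LB's group can reach the health check port,
    and which port ranges are open to the whole internet."""
    rules = sg.get("IpPermissions", [])
    lb_allowed = any(
        _covers(r, health_port)
        and any(p.get("GroupId") == lb_sg_id
                for p in r.get("UserIdGroupPairs", []))
        for r in rules
    )
    world_open = sorted({
        (r.get("FromPort", -1), r.get("ToPort", -1))
        for r in rules
        for c in r.get("IpRanges", []) + r.get("Ipv6Ranges", [])
        if c.get("CidrIp") == "0.0.0.0/0" or c.get("CidrIpv6") == "::/0"
    })
    return {"lb_can_reach_health_port": lb_allowed,
            "open_to_internet": world_open}

if __name__ == "__main__":
    print(audit_instance_sg(SAMPLE["SecurityGroups"][0], "sg-lb-EXAMPLE", 80))
```

A result with `lb_can_reach_health_port` false explains failing health checks; a non-empty `open_to_internet` list shows ingress that bypasses the load balancer once the instance has a public address.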
