Register Privatelink Endpoint IPs as Target for Network Load Balancer
Hello Community, I am registering the IPs of Privatelink Endpoint as target for Network Load Balancer. The security group for Privatelink Endpoint has ingress rule to accept traffic from the VPC CIDR.
Reachability analyzer shows that NLB network interface can reach Privatelink. But, when I register the IPs of Privatelink Endpoint (obtained from Endpoint console, selecting the correct Endpoint, IPs from Subnets in pane below) in a Target Group for the Network Load Balancer, the health status shows as unhealthy.
Has anyone encountered such an issue before or has any guidance for me?
Adding details
In Account A NLB --> Privatelink Endpoint
In Account B Privatelink Endpoint Service --> NLB --> EC2 Instance running httpd service
In Account A, under Privatelink Endpoint I see Status Available under Details
In Account A, this is the Security Group associated with the Privatelink Endpoint
In Account A, health check for IP target group is setup like
In Account B, under Endpoint services I see Endpoint connections
Using the load balancer in account B, I can query the httpd service running on EC2 instance in same account (account B)
h-5.2$ curl -v my-nlb-vpce-9fd09754b3184e1d.elb.REGION.amazonaws.com
* Trying 192.168.172.46:80...
* Connected to my-nlb-vpce-9fd09754b3184e1d.elb.REGION.amazonaws.com (192.168.172.46) port 80 (#0)
> GET / HTTP/1.1
> Host: my-nlb-vpce-9fd09754b3184e1d.elb.REGION.amazonaws.com
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 05 Jul 2023 08:36:14 GMT
< Server: Apache/2.4.56 (Amazon Linux)
< Last-Modified: Tue, 04 Jul 2023 22:47:22 GMT
< ETag: "30-5ffb110f96f98"
< Accept-Ranges: bytes
< Content-Length: 48
< Content-Type: text/html; charset=UTF-8
<
<html><body>My first EC2 instance</body></html>
* Connection #0 to host my-nlb-vpce-9fd09754b3184e1d.elb.REGION.amazonaws.com left intact
sh-5.2$
- Newest
- Most votes
- Most comments
I have never configured PrivateLink as a target for NLB, is the health check setting the correct setting?
For example, is the port number correct?
Can PrivateLink be used without going through NLB in the first place?
Are you using endpoint services? Wondering if this relates to it: https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html
thanks for sharing the link, I will read it shortly
Availability Zone names in a customer account might not map to the same locations as Availability Zone names in another account. For example, the Availability Zone US-EAST-1A might not be the same Availability Zone as US- EAST-1A for another account. An endpoint service gets configured in Availability Zones according to their mapping in a customer’s account.
https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/deploying-aws-privatelink.html
Relevant content
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 2 years ago
- How do I delete my Network Load Balancer that's associated with VPC endpoint services (PrivateLink)?AWS OFFICIALUpdated 2 years ago
I created an NLB targeting the same PrivateLink IP address in my environment. The conclusion is HEALTHY as follows.
Health checks are set up as follows.
If PrivateLink is available, can you share the security group settings?
Interesting, I am going to recheck my setup, maybe an oversight on my part, I will get back to you with my findings but thanks for confirming that it can be done
I have updated my question with few details, the Security Group has 3 ingress rules which will make you wonder but that's just part of troubleshooting