By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Elastic Beanstalk´s ASG cannot create EC2 instances

0

The problem

I´m using Elastic Beanstalk to deploy applications alongside GitHub Actions, when the action gets activated, Beanstalk creates an ASG where the desired capacity creates at least 1 instance with the containerized application.

For some reason, the ASG provided by Beanstalk started to set as unhealthy the instances almost in an immediate way and terminates them. This process repeats 5 or 6 times and then returns an error state to the beanstalk application.

The ASG remains in Provisioning state and when I looked at the ASG activity history log I got the following:

StatusDescriptionCause
CancelledLaunching a new EC2 instance. Status Reason: Instance Became unhealthy while waiting for instance to be in inService state. Termination Reason: Client.InternalError: Client error on launchAt 2022-01-13 an instance was started in response to a difference between desired and actual capacity, increasing the capacity from 0 to 1

And the EB environment events throw 4 errors:

  1. Creating Auto Scaling group named: awseb-[...]-AWSEBAutoScalingGroup-1V0R8Z9EJ8G8J failed. Reason: Group did not stabilize. {current/minSize/maxSize} group size = {0/1/1}.
  2. Service:AmazonCloudFormation, Message:Stack named 'awseb-e-rvjtnttttf-immutable-stack' aborted operation. Current state: 'CREATE_FAILED' Reason: The following resource(s) failed to create: [AWSEBAutoScalingGroup].
  3. Failed to deploy application.
  4. Cannot complete command execution on the following instances as they are no longer running: [i-03449eff8756123c2].

The following steps have been taken at the moment

  1. Review of IAM role permissions to allow creating EC2 instances.
  2. Review of SG and secure connection between the load balancer and target group

Identified activities before the problem

  1. Enable ELB health check with 300 grace period for two of our ASG

Personal point of view

The problem seems to be not directly with Beanstalk but between TG and the instances, maybe a VPC endpoint is needed to return health status from EC2 to TG?

Client -> LB -> TG -[HERE]> EC2

Topics
ComputeManagement & GovernanceNetworking & Content Delivery
Tags
AWS Elastic BeanstalkAWS Auto ScalingAmazon EC2Elastic Load Balancing
Language
English
Osain Abitia
asked 2 years ago3367 views
3 Answers
0
Accepted Answer

Thanks to everyone! Your answers helped me a lot

I review the problem described here and realized that the main problem was actually with the EBS volumes, the EBS encryptions were enabled by default and somehow my current EB applications version cannot support encrypted EBS.

That's where the "client error on launch" comes from.

Osain Abitia
answered 2 years ago
0

Consider temporarily suspending and resuming a process for an Auto Scaling group. Be aware it can prevent other processes from functioning properly but it may give you an avenue to investigate what is going on and track down the source of the issue.

RoB
answered 2 years ago
  • Osain Abitia
    2 years ago

    I was able to get into one of the EC2 before it was terminated, and I got the following warning

    Failed to describe volume 'vol-015a..': The volume 'vol-015a..' does not exist

    Looking at the IAM role attached to Beanstalk I realize I didn't have specific allow permission for: DescribeVolumes, AttachVolume, CreateVolume, DeleteVolume, DetachVolume

    Could be this the reason why the ASG set as unhealthy almost in an immediate way those instances?

0

When I saw behavior like this, I extended how long the Auto scalinggroup waited after the deploy to check for HealthCheck. in my case, the instances simply needed more time.

in .ebextensions/00_autoscaling.config

Resources:
  AWSEBAutoScalingGroup:
    Type: "AWS::AutoScaling::AutoScalingGroup"
    Properties:
      HealthCheckType: ELB
      HealthCheckGracePeriod: 600 # wait 2x the default before checking

This doc has a section on HealthCheckGracePeriod https://docs.aws.amazon.com/autoscaling/ec2/userguide/healthcheck.html

Also, grab the logs from the server: in some cases the nginx / access logs can help to understand if the healthcheck is reaching your instance, but is returning non 200s.

bchandley
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content