Network Loadbalancer and health checked

Question

My app is in an Elasticbeanstalk envi. It uses  a Network Loadbalancer  (EnvironmentType=LoadBalanced) and a TargetGroup. As it has Network Loadbalancer so the default health check type is EC2. I can see the Health check settings are:

* Protocol: TCP
* Port: Traffic port

AFAIK,  health check type EC2 only check at server instance level but does not check the application health. Therefore when the app return 5xx error codes for a longtime, AWS does not remove the instance from LB and add a new one

Here is my current config (terraform):
```
/* Beanstalk env config */
  setting {
    namespace = "aws:elasticbeanstalk:environment"
    name      = "EnvironmentType"
    value     = "LoadBalanced"
  }
  setting {
    namespace = "aws:elasticbeanstalk:environment"
    name      = "LoadBalancerType"
    value     = "network"
  }
...
/* ALB config */
  setting {
    namespace = "aws:elbv2:listener:default"
    name      = "Protocol"
    value     = "TCP"
  }
  setting {
    namespace = "aws:elbv2:listener:default"
    name      = "ListenerEnabled"
    value     = "false"
  }
  setting {
    namespace = "aws:elbv2:listener:443"
    name      = "Protocol"
    value     = "TCP"
  }
  setting {
    namespace = "aws:elbv2:loadbalancer"
    name      = "ManagedSecurityGroup"
    value     = aws_security_group.ebs_http_ingress.id
  }
  setting {
    namespace = "aws:elbv2:loadbalancer"
    name      = "SecurityGroups"
    value     = aws_security_group.ebs_http_ingress.id
  }

```

Could you please help so that I can have a health check (ELB type?) at app level to check the app at a port (5000). The if the app returns 5xx errors in a period for an instance, that instance will be taken from LB and replaced by a new one

Many thanks

Daniel Buaon · Answer

You’re seeing this because a Network Load Balancer (NLB) with a TCP health check only verifies that the port is open; it does not evaluate HTTP status codes. So a service returning 5xx can stay “healthy” to the NLB.

If you need app-level health (e.g., fail an instance on sustained 5xx), switch your Elastic Beanstalk env to an Application Load Balancer (ALB) and configure an HTTP health check on your app (port 5000, path like /health). Also tell the Auto Scaling Group to use ELB health.

re:Post Agent · Answer

To configure your Network Load Balancer in Elastic Beanstalk to perform application-level health checks and replace instances that are returning 5xx errors, you need to make several changes to your configuration.

First, it's important to understand that Network Load Balancers (NLBs) perform health checks at the transport layer (TCP) by default, which only verifies that the port is open and accepting connections. They don't check HTTP status codes like 5xx errors.

To achieve what you want, you need to:

1. Configure the health check settings for your target group
2. Configure your Auto Scaling group to use the Elastic Load Balancing health check

Here's how to update your Terraform configuration:

```
/* Configure health check settings for the default process */
setting {
namespace = "aws:elasticbeanstalk:environment:process:default"
name      = "HealthCheckPath"
value     = "/your-health-check-path"  # Path to check on your application
}
setting {
namespace = "aws:elasticbeanstalk:environment:process:default"
name      = "Port"
value     = "5000"  # Your application port
}
setting {
namespace = "aws:elasticbeanstalk:environment:process:default"
name      = "HealthCheckInterval"
value     = "10"  # Seconds between health checks
}
setting {
namespace = "aws:elasticbeanstalk:environment:process:default"
name      = "HealthyThresholdCount"
value     = "3"  # Number of consecutive successful checks to consider healthy
}
setting {
namespace = "aws:elasticbeanstalk:environment:process:default"
name      = "UnhealthyThresholdCount"
value     = "3"  # Number of consecutive failed checks to consider unhealthy
}

/* Configure Auto Scaling to use ELB health checks */
setting {
namespace = "aws:autoscaling:launchconfiguration"
name      = "HealthCheckType"
value     = "ELB"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name      = "HealthCheckGracePeriod"
value     = "300"  # Time in seconds to wait before checking health after instance launch
}
```

This configuration does two important things:

1. It sets up the health check to target your application on port 5000 with a specific path
2. It configures the Auto Scaling group to use the "ELB" health check type instead of just "EC2"

The "ELB" health check type is crucial because it tells Auto Scaling to replace instances that fail the load balancer's health check. Without this setting, an unhealthy instance would be removed from the load balancer but not automatically replaced.

Note that even with a Network Load Balancer, you can configure health checks to check specific paths in your application, which will help detect 5xx errors. When an instance consistently returns errors, it will fail the health check, be marked as unhealthy, removed from the load balancer, and then replaced by Auto Scaling.  
**Sources**  
[Troubleshoot a Classic Load Balancer: Health checks - Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ts-elb-healthcheck.html)  
[Basic health reporting - AWS Elastic Beanstalk](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.healthstatus.html)  
[Configuring a Network Load Balancer - AWS Elastic Beanstalk](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-nlb.html)

Network Loadbalancer and health checked

Add your answer

Relevant content