AWS Private Hosted Zone and Security Group


Background:

I have 3 apps on EC2 - App1 supported by an Application Load Balancer (ALB), App2 & App3. App3 needs to communicate internally to both -> ALB and App2.

ALB, App2 & App3 all have a security group (SG) with Inbound Rules that allow connections on Port 80 and 443 with Source as itself, i.e. its own SG ID (so App3 can communicate with App2 and the ALB).

App1 has a SG with Inbound Rules that allow connections on Port 80 and 443 with Source as ALB's SG (so that the ALB can forward requests to App1).

I also have a Private Hosted Zone with records that have the private IP for App2 and App3. For the ALB, the value is the DNS name.

Question:

Now, when I make a request from App3 -> to App2, it works.

However, App3 -> ALB does not. My observation for this is that App3 -> to App2 is resolved internally because of the private ip on the Private Hosted Zone. However, App3 -> ALB is not resolved internally because of the DNS name of the ALB.

Looking for any ideas/pointers/suggestions. Thanks.

Workaround that works:

If I remove the ALB, and change App1's SG to the same as App2 & App3 and change Private Hosted Zone record from ALB DNS name to App1's private ip, App3 -> App1 also works. However, I cannot get it working with the load balancer.

  • What kind of subnets are the applications sitting in?

  • @kentrad Thanks for your response. All apps belong to a public subnet, say SN1. The load balancer belongs to two public subnets (SN1 as all the apps, and SN2). They belong to a public subnet as they need to handle internet traffic (i.e. these apps are accessible from the browser).

  • If all the apps including App1 are in a single subnet, why does the ALB need to be present in 2 subnets? I am assuming you have created the ALB in 2 AZs for high availability, but does the ALB have any target group in the 2nd subnet?

  • @ap16 The ALB has 2 target groups, port 80 and 443, both of which point to the private IP of App1. Do you reckon I should spin up another instance of App1 in the 2nd subnet, then create a target group for the ALB in the 2nd subnet? Fwiw, if I change the ALB's SG source from itself to anywhere, then it works. Guess that means the ALB <-> App1 connection is good? (shrug)

  • That kind of makes sense, that adding 'anywhere' to the ALB Security Group fixes things. The Apps are resolving the IP of the ALB and getting a Public IP, which may cause the packet to then pass through the Internet Gateway with a source of the App's Public IP. Another possible configuration is to have two ALBs, one to service public traffic and one to serve private (intra-VPC) traffic. Both would have the same targets.

1 Answer

Configure your LB to be an internal LB and add it as an alias record under the private hosted zone. https://repost.aws/knowledge-center/route-53-create-alias-records

AWS
answered a year ago
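An added check script (not from the original question or answer) for verifying the fix: once the ALB is internal and the private zone carries an alias to it, the name should resolve to VPC (RFC 1918) addresses rather than public ones, which is the condition under which a "source = own SG" inbound rule can match. The `check_name` function assumes `dig` is installed on App3; the classification helpers need no network.

```shell
#!/bin/sh
# Added example, not code from the original post. Run on App3 after the ALB has
# been recreated with the "internal" scheme and the private-zone alias is in place.
# Assumes `dig` is installed; is_private_ipv4 and classify_addrs work offline.

# Exit 0 if $1 is an IPv4 address in 10/8, 172.16/12 or 192.168/16,
# 1 if it is a valid public address, 2 if it is not a dotted-quad at all.
# Runs in a subshell so the IFS change does not leak.
is_private_ipv4() (
  ip=$1
  case "$ip" in
    *[!0-9.]*|*..*|.*|*.|'') return 2 ;;
  esac
  IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 2
  for o in "$@"; do [ "$o" -le 255 ] || return 2; done
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  return 1
)

# Read addresses one per line from stdin, print a verdict per address, and
# exit 0 only if every address is private (traffic can stay inside the VPC).
classify_addrs() {
  all_private=0
  while read -r ip; do
    [ -n "$ip" ] || continue
    rc=0
    is_private_ipv4 "$ip" || rc=$?
    case $rc in
      0) echo "$ip private" ;;
      1) echo "$ip PUBLIC"; all_private=1 ;;
      *) echo "$ip invalid"; all_private=1 ;;
    esac
  done
  return $all_private
}

# Resolve a name (e.g. the private-zone record for the ALB) and classify the result.
check_name() {
  dig +short A "$1" | classify_addrs
}
```

A non-zero exit from `check_name` means at least one resolved address is public, so the request would leave the VPC and the SG rule keyed on the ALB's own SG ID would not match.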
