Load balancer cannot connect to on-premise server connected by openvpn


Hi, I have an elastic beanstalk website and I want to direct some of the traffic to an on-premise server. The website is supported by an application load balancer.

I have an OpenVPN Access Server, behind it is an on-premise web server running gunicorn directly (no nginx), listening on 0.0.0.0:80

The IP of the on-premise server is 172.27.160.2. I can access the on-premise server using another computer connected to the OpenVPN (172.27.160.3).

Firewall on the on-premise server is disabled (sudo ufw disable)

I have the following routes in the VPC IP Table:
    0.0.0.0/0           igw-{internet gateway interface}
    172.27.160.0/20     eni-{interface of the instance running openvpn}
    ...

I have run VPC Reachability Analyzer:
    source: 172.31.28.193/32 (an instance spawned by elastic beanstalk)
    target: 172.27.160.2
    result: Reachable (after turning off Source/dest check)

I have added 172.27.160.2 as a Target to a Target Group. It says "unhealthy" and "Request timed out".

I think the reachability analyzer suggests that I have configured the openvpn server correctly; the problem seems to be the load balancer refusing to reach the 172.27.160.2 subnet.

Any help is much appreciated.

1 Answer

I'm not 100% sure this will work but I'm also not 100% sure it won't.

What subnet(s) is(are) the load balancer on? If it is different to the workload subnet then make sure the routes on both subnets are the same.

AWS, EXPERT, answered a year ago
  • Thanks. From "Network Mapping", the load balancer is on a VPC with subnet 172.31.0.0/16. Availability Zones: 172.31.16.0/20, 172.31.0.0/20, 172.31.32.0/20. I don't know what you mean by workload subnet; is it the one where the beanstalk instance resides? P.S. I don't know how to run reachability analysis from the load balancer to the on-premise server, or it would make things easier. I don't even know the IP of the load balancer.

  • If you've only got three subnets (one per AZ) then the ALB will have an interface (and an IP address) on each; so testing reachability from an EC2 instance on that subnet is a good start. Any chance there is a security group on the ALB that is preventing access?
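The check the answer describes, as an added example that is not from the question or the answer: for each subnet the ALB has an interface on, resolve the target IP against that subnet's route table with longest-prefix matching and confirm the winning route points at the OpenVPN instance's ENI. The route tables, subnet ids and ENI/IGW ids below are constructed placeholders in the shape of `aws ec2 describe-route-tables` output, not values from the page; in practice you would feed in the real JSON.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-route-tables` output; the
# subnet, ENI and IGW ids are placeholders, not values from the question.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-az-a"}, {"SubnetId": "subnet-az-b"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"},
                {"DestinationCidrBlock": "172.27.160.0/20",
                 "NetworkInterfaceId": "eni-PLACEHOLDER-openvpn"}]},
    # The third AZ's subnet uses a table that never received the VPN route.
    {"Associations": [{"SubnetId": "subnet-az-c"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"}]},
]
TARGET_KEYS = ("NetworkInterfaceId", "GatewayId", "NatGatewayId", "InstanceId")

def matching_route(table, ip):
    # Longest-prefix match over the table's IPv4 routes, as the VPC router does.
    addr, best = ipaddress.ip_address(ip), None
    for route in table["Routes"]:
        cidr = route.get("DestinationCidrBlock")
        if not cidr:
            continue  # IPv6 or prefix-list routes are not relevant here
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best

def table_for_subnet(route_tables, subnet_id):
    # Explicit associations only; a subnet with none uses the VPC main table,
    # which this sample does not model.
    return next((t for t in route_tables
                 if any(a.get("SubnetId") == subnet_id for a in t["Associations"])), None)

def check_subnets(route_tables, subnet_ids, target_ip, expected_target):
    # Map each ALB subnet to (ok, reason); ok only when the winning route for
    # target_ip points at the expected OpenVPN ENI.
    results = {}
    for subnet in subnet_ids:
        table = table_for_subnet(route_tables, subnet)
        match = matching_route(table, target_ip) if table else None
        if match is None:
            results[subnet] = (False, "no route table or no route to " + target_ip)
            continue
        net, route = match
        target = next((route[k] for k in TARGET_KEYS if k in route), None)
        results[subnet] = (target == expected_target, f"{net} via {target}")
    return results
```

A subnet whose result is not ok is one where health checks sent from that AZ's ALB interface leave via the wrong target (here the internet gateway) and time out, which is exactly the symptom the target group reports.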
