I just did a quick test in my environment.
1. NAT Gateway in public subnet
2. ALB in public subnet
3. Two EC2 instances running httpd in two different private subnets and in the same target group. Both subnets have routes to the NAT Gateway and I verified they have access to the Internet
4. Verified that the Target Group status was healthy for both of the Registered Targets. Also verified that both EC2 instances were being load balanced by the ALB
5. Removed the NAT Gateway and waited 15 minutes. Both of the Instance ID statuses remained healthy and the ALB was still able to load balance to the two web servers.
I am not quite sure how to reproduce your scenario. Can you provide more details?
thank you very much for your answer and help.
I deployed the same scenario without NAT Gateway.
ALB in 2 public subnets (default gateway to IG), instances in two private subnets (only local route), but when I browse to the ALB DNS I get a 502 Bad Gateway.
Health check of the ALB also unhealthy for the two instances.
It only works when there is a NAT Gateway, but if private instances respond to the ALB then the NAT Gateway is not needed, isn't it?
The NAT Gateway is only used so that the EC2 instances that are in the private subnet can get access to the Internet, for example, for the purpose of downloading software/patches. The ALB does NOT replace the NAT Gateway and generally the NAT Gateway should NOT impact the ALB functionality.
For example, in my setup, I had to download the apache web server on EC2 instances running in the private subnets. To download the apache web server, I have to run "yum install httpd -y". I am NOT able to install httpd, without the NAT Gateway running because it downloads the software to my EC2 from the Internet. (I am NOT able to download to my EC2 instance using the ALB). However, after installing httpd, I can remove the NAT Gateway and that should NOT have an effect on running the web server.
thank you very much again!
Oh my god! I forgot that my private instance needs outbound internet access in order to install apache with user data
Now, I don't know why my instances fail ALB health checks. Are ALB health checks from public IPs?
If you configured your ALB to use a Target group with registered targets that are in a private subnet, then the ALB will perform health checks from private IPs.
Whenever I see an issue with the ALB's targets failing health checks, I login to the EC2 instance to troubleshoot (normally, it's because my web server was not properly installed/started by my user data).
Note: you will need to login to your EC2 instance in a private subnet, either through a bastion server or using Systems Manager's Session Manager.
You will then want to check your EC2 logs in /var/log/cloud-init.log and /var/log/cloud-init-output.log
and/or try running the user data commands at the command line to see why they may not be working.
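An added triage script (not from this thread or from AWS) that applies the advice above: it classifies a cloud-init-output.log by the failure signatures that "yum install httpd -y" leaves behind when the user data could not reach the Internet. The function names and the sample log contents are constructed for the example.

```shell
#!/bin/sh
# Triage helper for an ALB target that fails health checks right after launch.
# It classifies /var/log/cloud-init-output.log by the failure signatures that
# "yum install httpd -y" leaves behind when the user data could not reach the
# Internet (no NAT Gateway route), the failure mode discussed above.

# Print one verdict for the log file given as $1:
#   no-internet     yum could not reach its repositories (typical without NAT)
#   install-failed  a package or service step failed for some other reason
#   ok              none of the known failure signatures were found
classify_cloud_init_log() {
    log="$1"
    if grep -Eqi 'could not retrieve mirrorlist|could not resolve host|timed out|timeout on' "$log"; then
        echo no-internet
    elif grep -Eqi 'no package .* available|error: nothing to do|failed to start httpd|unit .* not found' "$log"; then
        echo install-failed
    else
        echo ok
    fi
}

# Constructed sample (not a real captured file) of the log from an instance
# whose private subnet had no route to a NAT Gateway.
write_no_nat_log() {
    cat > "$1" <<'EOF'
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Could not retrieve mirrorlist https://REPO-MIRROR-PLACEHOLDER/mirror.list error was
12: Timeout on https://REPO-MIRROR-PLACEHOLDER/mirror.list: (28, 'Connection timed out')
No package httpd available.
Error: Nothing to do
Failed to start httpd.service: Unit not found.
EOF
}

# Constructed sample of a run where the NAT Gateway was in place and httpd installed.
write_healthy_log() {
    cat > "$1" <<'EOF'
Installed:
  httpd.x86_64
Complete!
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
EOF
}

# On a real instance run: classify_cloud_init_log /var/log/cloud-init-output.log
tmp=$(mktemp)
write_no_nat_log "$tmp"
echo "no-NAT sample: $(classify_cloud_init_log "$tmp")"   # prints no-internet
rm -f "$tmp"
```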
Thank you very much Randy!