Public ALB - NAT Gateway

0

Hello,

Scenario: ALB public face + Private Instances

Please, could someone help me to understand why, if I delete the NAT Gateway, the private instances appear as Unhealthy and load balancing doesn't work?

Thank you!

Igna
asked 5 years ago · 3001 views
6 Answers
0

Hi,
I just did a quick test in my environment.

1. NAT Gateway in public subnet
2. ALB in public subnet
3. Two EC2 instances running httpd in two different private subnets and in the same target group. Both subnets have routes to the NAT Gateway and verified they have access to Internet
4. Verified that the Target Group status was healthy for both of the Registered Targets. Also Verified that both EC2 instances were being load balanced by the ALB
5. Removed the NAT Gateway and waited 15 minutes. Both of the Instance ID status remained healthy and the ALB was still able to load balance to the two web servers.

I am not quite sure how to reproduce your scenario. Can you provide more details?
-randy

answered 5 years ago
0

Hello Randy,

thank you very much for your answer and help.

I deployed the same scenario without NAT Gateway.

ALB in 2 public subnets (default gateway to the IGW), instances in two private subnets (only the local route), but when I browse to the ALB DNS name I get a 502 Bad Gateway.

Health check of the ALB also unhealthy for the two instances.

It only works when there is a NAT Gateway, but if the private instances respond to the ALB then the NAT Gateway is not needed, isn't it?

Thank you!!!

Igna
answered 5 years ago
0

Hi,
The NAT Gateway is only used so that the EC2 instances that are in the private subnet can get access to the Internet, for example, for the purpose of downloading software/patches. The ALB does NOT replace the NAT Gateway and generally the NAT Gateway should NOT impact the ALB functionality.

For example, in my setup, I had to download the apache web server on EC2 instances running in the private subnets. To download the apache web server, I have to run "yum install httpd -y". I am NOT able to install httpd, without the NAT Gateway running because it downloads the software to my EC2 from the Internet. (I am NOT able to download to my EC2 instance using the ALB). However, after installing httpd, I can remove the NAT Gateway and that should NOT have an effect on running the web server.

-randy

answered 5 years ago
0

Hi Randy,

thank you very much again!

Oh my god! I forgot that my private instance needs outbound internet access in order to install Apache with user data.

Thank you!

Now, I don't know why my instances fail the ALB health checks. Are ALB health checks sent from public IPs?

Thank you!!

Igna
answered 5 years ago
0

Hi,
If you configured your ALB to use a Target group with registered targets that are in a private subnet, then the ALB will perform health checks from private IPs.

Whenever I see an issue with the ALB's targets failing health checks, I log in to the EC2 instance to troubleshoot (normally, it's because my web server was not properly installed/started by my user data).

Note: you will need to log in to your EC2 instance in a private subnet, either through a bastion server or using Systems Manager's Session Manager:
https://aws.amazon.com/blogs/aws/new-session-manager/

You will then want to check your EC2 logs in /var/log/cloud-init.log and /var/log/cloud-init-output.log
and/or try running the user data commands at the command line to see why they may not be working.
-randy

answered 5 years ago
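A small triage script for the procedure Randy describes, added here as an example and not code from the thread or from AWS: run it from a Session Manager shell on the private instance. It assumes Amazon Linux paths (/var/log/cloud-init-output.log), httpd on port 80, and uses constructed sample log lines for the dry run; the failure patterns it greps for are assumptions, not an exhaustive list.

```shell
#!/bin/sh
# Signatures (assumed, not exhaustive) that user data could not reach package
# repositories, the usual symptom when the NAT Gateway or 0.0.0.0/0 route is
# missing while "yum install httpd -y" runs.
NO_EGRESS='could not resolve host|connection timed out|cannot find a valid baseurl|no package .* available'
CMD_FAIL='failed to start|command not found'

# Scan a cloud-init output log. Prints the first matching line and returns
# 0 when a likely cause is found, 1 when nothing suspicious is present.
triage_cloud_init_log() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log"; return 2; }
    if grep -Eqi "$NO_EGRESS" "$log"; then
        echo "user data could not reach the Internet (check NAT Gateway / private route table):"
        grep -Ei "$NO_EGRESS" "$log" | head -n 1
        return 0
    fi
    if grep -Eqi "$CMD_FAIL" "$log"; then
        echo "a user data command failed:"
        grep -Ei "$CMD_FAIL" "$log" | head -n 1
        return 0
    fi
    return 1
}

# ALB health checks arrive on the instance's private IP, so the first thing to
# confirm is that the health-check path answers 200 locally. Returns 0 on 200.
check_local_health() {
    port="${1:-80}"; path="${2:-/}"
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:${port}${path}" 2>/dev/null || echo 000)
    echo "local health check on :${port}${path} -> HTTP ${code}"
    [ "$code" = "200" ]
}

# Constructed sample log (not a real capture) for a dry run without an instance.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Cloud-init running 'modules:final'
+ yum install httpd -y
Could not retrieve mirrorlist http://mirrors.example.invalid/list error was
14: curl#6 - "Could not resolve host: mirrors.example.invalid"
EOF
triage_cloud_init_log "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

On a real instance, run `triage_cloud_init_log /var/log/cloud-init-output.log` and then `check_local_health 80 /` with the target group's actual port and path.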
0

Thank you very much Randy!

Igna
answered 5 years ago
