EC2 cannot send HTTPS requests

0

I have an EC2 instance behind an ALB. I configured SSL on the ALB so that it can be accessed over HTTPS. However, when I tried to send an HTTPS request from that EC2 instance, the request timed out. The security group's outbound rules are open to all traffic (0.0.0.0 for both the EC2 instance and the ALB). Why can't the HTTPS request be sent from the EC2 instance?

Note: The same HTTPS request can be sent successfully from my Windows machine. Therefore, I suspect that the security group may be preventing the HTTPS requests from being sent from the EC2 instance. Also, before I set up SSL for the ALB, the HTTPS requests could be sent from the EC2 instance successfully. Could this issue be related to the SSL certificate?

3 Answers
2
Accepted Answer

You're probably accessing the external site over IPv4, so what you need is to have your EC2 instances in a "private subnet" and a NAT gateway in a "public subnet". The VPC route table attached to the private subnet must have its default route 0.0.0.0/0 pointed at the NAT gateway. The VPC route table attached to the public subnet must point the default route to the IGW (internet gateway).

You already have the ALB in such a "public subnet", so you can place your NAT gateway in the same subnet with the ALB.

Once the private subnet is created with the default route pointed at the NAT gateway, and you've moved your EC2 instance in the private subnet, you'll be able to connect both to external sites and your ALB, if needed.

There's a simple block diagram showing the structure of the private and public subnets, the NAT gateway, the internet gateway, and an ALB in AWS's documentation: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-example-private-subnets-nat.html

EXPERT
Leo K
answered 3 months ago
  • Thank you for your answer. This is a very strange problem. It seems like there was an issue with the security group (SG) that was affecting connectivity. By deleting and recreating the SG with the same settings, I was able to resolve the connection issue.

  • That's not possible, but perhaps you were looking at the inbound rules and didn't notice the outbound ones. In any case, you should never assign a public IP address directly to your EC2 instance. You should instead use the private/public subnet design described in the AWS documentation, and that will involve the NAT gateway and its public IP being used for outbound IPv4 connections, and the EC2 instance only having a private IP. That way, no direct connectivity from the outside to your EC2 instance will be possible in any situation.
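The accepted answer describes the layout in terms of three route-table facts: the instance's subnet sends 0.0.0.0/0 to a NAT gateway, the NAT gateway's subnet sends 0.0.0.0/0 to the internet gateway, and the instance itself has only a private IP. The following is an added example (not code from the original post or from AWS) that encodes those facts as a check over route tables and subnet associations; the resource IDs and route tables are constructed placeholders shaped like describe-route-tables output, and the function names are this example's own.

```python
from dataclasses import dataclass, field


@dataclass
class Route:
    destination: str   # destination CIDR, e.g. "0.0.0.0/0"
    target: str        # "local", an igw-... id, a nat-... id, ...


@dataclass
class RouteTable:
    id: str
    routes: list
    subnet_ids: list = field(default_factory=list)  # explicit subnet associations
    main: bool = False  # the VPC main table applies to subnets with no association


def route_table_for(subnet_id, tables):
    """Explicit association wins; otherwise the VPC main route table applies."""
    for t in tables:
        if subnet_id in t.subnet_ids:
            return t
    for t in tables:
        if t.main:
            return t
    return None


def default_route_target(table):
    """Target of the IPv4 default route 0.0.0.0/0, or None if the table has none."""
    if table is None:
        return None
    for r in table.routes:
        if r.destination == "0.0.0.0/0":
            return r.target
    return None


def classify_subnet(subnet_id, tables):
    """'public'   -> default route to an internet gateway
       'private'  -> default route to a NAT gateway
       'isolated' -> no default route at all (outbound internet traffic times out)
       'other'    -> default route to something else (transit gateway, peering, ...)"""
    target = default_route_target(route_table_for(subnet_id, tables))
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def audit_egress_design(instance_subnet, instance_has_public_ip, nat_subnet, tables):
    """Return findings as a list of strings; an empty list means the layout
    matches the private-subnet + NAT gateway design from the answer."""
    findings = []
    kind = classify_subnet(instance_subnet, tables)
    if kind == "isolated":
        findings.append(f"{instance_subnet}: no 0.0.0.0/0 route, outbound HTTPS will time out")
    elif kind == "public" and instance_has_public_ip:
        findings.append(f"{instance_subnet}: instance has a public IP in a public subnet and is "
                        "directly reachable from the internet; move it to a private subnet")
    elif kind == "public":
        findings.append(f"{instance_subnet}: public subnet but no public IP, so the IGW cannot "
                        "route return traffic; egress will time out")
    elif kind != "private":
        findings.append(f"{instance_subnet}: default route targets neither an IGW nor a NAT gateway")
    if classify_subnet(nat_subnet, tables) != "public":
        findings.append(f"{nat_subnet}: NAT gateway must sit in a public subnet whose "
                        "0.0.0.0/0 route targets the IGW")
    return findings


# Constructed sample (placeholder IDs): the layout the accepted answer recommends.
GOOD_TABLES = [
    RouteTable("rtb-public", [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-0a1b2c3d")],
               ["subnet-public"]),
    RouteTable("rtb-private", [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "nat-0e5f6a7b")],
               ["subnet-private"]),
]

# Constructed sample: the app subnet was never associated with a table and the
# main table only carries the local route, so the instance has no way out.
ISOLATED_TABLES = [
    RouteTable("rtb-public", [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-0a1b2c3d")],
               ["subnet-public"]),
    RouteTable("rtb-main", [Route("10.0.0.0/16", "local")], main=True),
]

if __name__ == "__main__":
    print(audit_egress_design("subnet-private", False, "subnet-public", GOOD_TABLES))
    print(audit_egress_design("subnet-app", False, "subnet-public", ISOLATED_TABLES))
```

Feeding it real tables means mapping the `Routes` and `Associations` fields of describe-route-tables into `RouteTable` objects; the check deliberately treats "public subnet, public IP on the instance" as a finding, matching the comment above that the instance should only ever have a private IP.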

2

Hello,

By configuring the TLS Certificates at the ALB, it enables encrypted communication (HTTPS) between clients (such as web browsers) and the ALB itself. This ensures that data transmitted over the internet between the client and the ALB is encrypted and secure.

However, the presence of TLS certificates on the ALB does not directly enable or restrict the ability of an EC2 instance behind the ALB to send HTTPS requests to external endpoints.

  1. Check the security group and NACL configurations for any rules blocking outbound HTTPS traffic (port 443).
  2. Ensure DNS resolution is functioning correctly on the EC2 instance.

Testing connectivity to an HTTPS endpoint from the EC2 instance:

telnet <endpoint> 443

EXPERT
answered 3 months ago
  • Thank you for your reply. In fact, I run a Spring Boot backend application on that EC2 instance. To connect to a third-party payment service, I need to send an HTTPS request from that EC2 instance.

  • Hello. I used curl to test connectivity to the HTTPS endpoint from the EC2 instance. It failed because of a timeout.

  • Can you resolve the DNS name of the endpoint, and what error do you get from the Spring Boot app when connecting to the external HTTPS endpoint?

  • Thank you for your answer. This is a very strange problem. It seems like there was an issue with the security group (SG) that was affecting connectivity. By deleting and recreating the SG with the same settings, I was able to resolve the connection issue.
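The answer's first step is to check the security group and the NACL for rules blocking outbound 443. The detail that trips people up is that the two behave differently: a security group is stateful, so one outbound allow is enough, while a NACL is stateless, so the outbound tcp/443 rule needs a matching inbound rule for the ephemeral return ports (1024-65535) or the handshake never completes and curl reports exactly the timeout described in the comments. The following added example (not code from the original post or from AWS) models both rule types and reports which one breaks HTTPS egress; the rule sets, the destination address 203.0.113.10 and the function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SgRule:
    """One security-group egress rule. Security groups are stateful: if the
    outbound connection is allowed, the return packets are allowed too."""
    protocol: str      # "tcp", "udp" or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str


@dataclass
class NaclRule:
    """One network ACL rule. NACLs are stateless and evaluated in ascending
    rule number; the first match wins and the implicit final rule is deny."""
    number: int
    egress: bool       # True = outbound rule, False = inbound rule
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    action: str        # "allow" or "deny"


def _flow_matches(rule, protocol, ip):
    """Protocol and CIDR match; the port is checked separately."""
    if rule.protocol not in ("-1", protocol):
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr, strict=False)


def _port_matches(rule, port):
    return rule.protocol == "-1" or rule.from_port <= port <= rule.to_port


def sg_allows(rules, protocol, port, ip):
    """Any matching security-group rule allows the flow."""
    return any(_flow_matches(r, protocol, ip) and _port_matches(r, port) for r in rules)


def nacl_decision(rules, protocol, port, ip):
    """First matching NACL rule by number decides; no match means 'deny'."""
    for r in sorted(rules, key=lambda r: r.number):
        if _flow_matches(r, protocol, ip) and _port_matches(r, port):
            return r.action
    return "deny"


def nacl_allows_range(rules, protocol, lo, hi, ip):
    """Every port in [lo, hi] must be allowed; a single hole breaks return traffic."""
    candidates = [r for r in sorted(rules, key=lambda r: r.number) if _flow_matches(r, protocol, ip)]
    for port in range(lo, hi + 1):
        verdict = "deny"
        for r in candidates:
            if _port_matches(r, port):
                verdict = r.action
                break
        if verdict != "allow":
            return False
    return True


def diagnose_https_egress(sg_egress, nacl_rules, dest_ip):
    """Return a list of findings for an outbound HTTPS connection to dest_ip."""
    findings = []
    if not sg_allows(sg_egress, "tcp", 443, dest_ip):
        findings.append(f"security group egress has no rule allowing tcp/443 to {dest_ip}")
    outbound = [r for r in nacl_rules if r.egress]
    inbound = [r for r in nacl_rules if not r.egress]
    if nacl_decision(outbound, "tcp", 443, dest_ip) != "allow":
        findings.append(f"NACL outbound denies tcp/443 to {dest_ip}")
    if not nacl_allows_range(inbound, "tcp", 1024, 65535, dest_ip):
        findings.append(f"NACL inbound does not allow the ephemeral return ports 1024-65535 "
                        f"from {dest_ip} (NACLs are stateless)")
    return findings


DEST = "203.0.113.10"  # constructed third-party endpoint address (TEST-NET-3)

OPEN_SG = [SgRule("-1", 0, 0, "0.0.0.0/0")]  # "all traffic" outbound, as in the question
DEFAULT_NACL = [                               # shape of the VPC default NACL: allow both ways
    NaclRule(100, True, "-1", 0, 0, "0.0.0.0/0", "allow"),
    NaclRule(100, False, "-1", 0, 0, "0.0.0.0/0", "allow"),
]
# Constructed "tightened" NACL that forgets the stateless return path:
# tcp/443 is allowed out, but only tcp/443 is allowed back in.
TIGHT_NACL = [
    NaclRule(100, True, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(100, False, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

if __name__ == "__main__":
    print(diagnose_https_egress(OPEN_SG, DEFAULT_NACL, DEST))
    print(diagnose_https_egress(OPEN_SG, TIGHT_NACL, DEST))
```

On the instance itself, `curl -sv --connect-timeout 5 https://<endpoint>` separates the two failure classes the answer lists: a DNS problem fails immediately with a resolution error, while a route, NACL or security-group problem shows as a TCP connect timeout before any TLS exchange starts.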

0

Secure Listener Settings: Check the default AWS security policy (not the security group) for the certificate. If that is fine, then please try this:

  1. Click on the Listeners tab and select the HTTP:80 box.
  2. Edit the listener and click Remove next to "1. Forward to".
  3. Click the down arrow next to Add action.
  4. Enter port number 443.
  5. Save changes. I am not sure whether you have created an A record with the Application Load Balancer DNS name, such as "dualstack.my-web-ALB..............." under Alias.
answered 3 months ago
