Is there any workaround to get ICMP ping replies to a domain name routing to a Network Load Balancer (NLB)?


So here's the architecture

Route 53 DNS (mydomain.com) -> Record Type A, route traffic to "Alias to Network Load Balancer" -> NLB targets (a few UDP/TCP ports) -> Kubernetes NodeGroup -> Kubernetes "ingress-nginx-controller" service -> "ingress-nginx-controller" pods -> ingress rules -> custom service -> custom pod. With this configuration, applications work perfectly.

The NLB itself doesn't have a Security Group associated, but is documented as using the node (EC2) security groups themselves, on which I allowed ICMP traffic.

Now it is clear from many many articles that:

I'm also perfectly aware that in order to test for service availability, there's many other ways (healthcheck, using curl, etc.)

BUT, I believe it's still important for anyone that is on the open internet that would try to ping "mydomain.com" to get a reply. It's just so common that it's a bit weird not to have any reply on the public domain name.

So, is there any workaround I could do to achieve that? I honestly do not care where the reply comes from, it does not have to be my custom service or my nginx pod. It could be the EC2 node itself. Or it could even be redirected to another EC2 instance used just for that at the DNS level if possible. Any method would be good, I just want any workaround so that someone pinging my domain name gets a reply.

Thanks!

1 Answer
Accepted Answer

Short answer: There is no workaround - NLB and many other things don't support ICMP.

You could create an EC2 instance with an Elastic IP to do the job but it kind of defeats the purposes as it isn't linked (in health terms) to the service that you're running.

As you point out: There are other ways of doing this (curl is a good example) and they generally have the advantage of testing more than just reachability of an IP address - you're testing the availability of (at least part of) the service.

Answered by AWS (EXPERT) 9 months ago; reviewed by an EXPERT 9 months ago.
  • Thank you. I understand that the ping will never reach the service. I was hoping that there would be a way to redirect it to one or even load balance the requests between the nodes themselves, but I will accept that it's not.

    Accepting the limitation of false representation of the service health, care to expand on that "EC2 instance with an Elastic IP" idea anyway? How would that be configured? I can't share the same elastic IP between the load balancer and the extra EC2 can I?

  • You can create an EC2 instance with an Elastic IP and then have it respond to whatever queries you like (including ICMP). You could even be a little tricky about it - have a script that runs on the EC2 instance that checks the health of the load balancer and its targets and if they are not healthy, disable ICMP responses by modifying the instance security group or using iptables. And no, you can't share Elastic IP addresses between the instance and the load balancer.

  • My inquiry is how to make the same domain name point to this EC2 instance for ICMP requests, but keep pointing to the load balancer for the rest of the services usage.

  • You can't do that - you'd need to have a DNS record for the health check; and another for the load balancer. Again: Performing the health checks on the application port/protocol is a little more difficult on the application side but a lot easier elsewhere.

  • Yes, as I explained the goal is not doing health checks, I can do that already. The goal is just to provide a semblance of ping functionality for the end user contacting the public domain name. I never saw any big system ".com" domains not answering to ping requests. This is highly disappointing, but thanks anyway.
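The health-gated ICMP idea from the second comment, as an added example that is not code from this thread or from AWS: a script for the Elastic-IP helper instance that reads the NLB target groups' health through the ELBv2 API and inserts or removes an iptables DROP rule for echo-request, so the instance stops answering ping when the real service is down. TARGET_GROUP_ARNS is a placeholder, the sample health data is constructed, and the security-group variant the comment also mentions is not shown.

```python
"""Answer ICMP on the helper instance only while the NLB's targets are healthy."""
import subprocess

# Placeholder ARNs (hypothetical) for the NLB's TCP/UDP target groups.
TARGET_GROUP_ARNS = ["arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER/0"]
# iptables rule body; "-I" adds it (drop pings), "-D" removes it (answer pings).
DROP_RULE = ["INPUT", "-p", "icmp", "--icmp-type", "echo-request", "-j", "DROP"]

# Constructed sample in the shape of describe_target_health()["TargetHealthDescriptions"].
SAMPLE_HEALTH = {
    "tg-tcp-443": [{"Target": {"Id": "i-0a", "Port": 443}, "TargetHealth": {"State": "healthy"}},
                   {"Target": {"Id": "i-0b", "Port": 443},
                    "TargetHealth": {"State": "unhealthy", "Reason": "Target.Timeout"}}],
    "tg-udp-53": [{"Target": {"Id": "i-0a", "Port": 53}, "TargetHealth": {"State": "healthy"}}],
}


def count_healthy(descriptions):
    """Return (healthy, total) for one target group's description list."""
    states = [d["TargetHealth"]["State"] for d in descriptions]
    return sum(1 for s in states if s == "healthy"), len(states)


def should_answer_ping(health_by_group, min_healthy=1):
    """True only if every target group has at least min_healthy healthy targets.

    No target groups at all counts as unhealthy, so a misconfigured script
    fails closed instead of advertising a dead service as reachable.
    """
    if not health_by_group:
        return False
    return all(count_healthy(d)[0] >= min_healthy for d in health_by_group.values())


def fetch_health(arns):
    """Query ELBv2 per target group (needs boto3 and DescribeTargetHealth permission)."""
    import boto3  # imported lazily so the decision logic stays testable offline
    elbv2 = boto3.client("elbv2")
    return {a: elbv2.describe_target_health(TargetGroupArn=a)["TargetHealthDescriptions"]
            for a in arns}


def apply_icmp_policy(allow, run=subprocess.run):
    """Idempotently add or remove the DROP rule; returns the action taken."""
    present = run(["iptables", "-C", *DROP_RULE], capture_output=True).returncode == 0
    if allow and present:
        run(["iptables", "-D", *DROP_RULE], check=True)
        return "enabled"
    if not allow and not present:
        run(["iptables", "-I", *DROP_RULE], check=True)
        return "disabled"
    return "unchanged"


if __name__ == "__main__":  # run as root from a cron job or systemd timer
    print(apply_icmp_policy(should_answer_ping(fetch_health(TARGET_GROUP_ARNS))))
```

Because the domain's A record still aliases the NLB, this instance needs its own DNS name (for example a dedicated subdomain), as the comments note; it does not make "mydomain.com" itself answer ping.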
