By using AWS re:Post, you agree to the Terms of Use

AWS Elastic Beanstalk Running in Private VPC without internet access


My objective is to deploy a web application in a VPC **without internet access **and using Elastic Beanstalk as the platform. A single AZ deployment will be sufficient and the load balancer will be "internal" facing where we will access it from a windows client in the same subnet.

I have created a private subnet in a VPC without internet gateway. Added a bunch of VPC endpoint interface such as S3, SSM, ElasticBeanstalk, ElasticBeanstalk-health, sqs, cloudformation, logs etc. Used the default security group for each endpoint.

I have created EC2 instance profile with the 2 managed policy [AWSElasticBeanstalkWebTier and AmazonSSMManagedInstanceCore] and also allows sts:AssumeRole by "EC2" service. This instance profile will be used for the EB environment EC2 intance launch.

I have created Elastic Beanstalk service role with the 2 managed policy [AWSElasticBeanstalkEnhancedHealth and AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy] and also allows sts:AssumeRole by elasticbeanstalk service if sts:ExternalId StringEquals elasticbeanstalk.

I have used a simple example file from AWS website to test. I created an environment where I have put ELB and EC2 in the same subnet without any public IP address assigned to. Used "loadbalancer" environment with min and max number of instances set to "1" (auto-scaling not needed). EBL set to "internal". Health reporting chose "Enhanced".

When the environment get created, it reports error saying that "Instance has not sent any data since launch" and "None of the instances are sending data". I searched online and some answer indicate that NTP UDP port 123 should be allowed in the security group so that the EC2 instance will have a valid time sync and the health reporting will become valid. However my VPC has no internet access and does that mean I have to setup my own NTP server in the VPC and write a bootstrap script in the EC2 instance to change the NTP server from the internet NTP to the intranet NTP? That sounds a lot of work, is the NTP access the real cause for my deployment to be a failure in the private VPC? Thank you.

1 Answer

Just now I have tried to add the rule of "allow inbound 443(HTTPS)" from my VPC CIDR block (as source) to the elasticbeanstalk and elasticbeanstalk-health VPC endpoints to the security group of those endpoints and it is working. Now I can deploy the Nodejs web application without any problem.

Security Group of the VPC endpoint is the key in this case.

answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions