
MWAA Web Server Cannot Connect To my EC2 in another VPC but Schedulers and Worker can


- The workers and schedulers from MWAA are able to download things from the target instance on port 443 (repository, internally hosted) but the MWAA web server cannot; it gets a time out when it tries to connect on port 443.
- The MWAA web server is in the public network and is able to download stuff from the internet.
- Please note: MWAA and the target instance are in different VPCs.
- Checked VPC peering between the MWAA VPC and the VPC where my target instance is placed.
- Performed the reachability test and traffic from the MWAA VPC was able to reach the target instance.
- The MWAA VPC is able to access the target instance.
- Ruled out the DNS issue by replacing the domain name with the private IP address; does not seem to work as well.
- Opened every port on my target instance for incoming traffic from the MWAA VPC; does not seem to resolve the issue.
- Checked security groups and network access control lists to see if anything is blocking the traffic from the web server to reach the target instance. That's not the case; checked all inbound and outbound rules.
- Did set up VPC flow logs for the target instance, but cannot see the traffic hitting my target instance and getting rejected.
- Found some related articles regarding the same issue; they were not able to access things from the web server but the workers and scheduler were able to. ref: https://repost.aws/questions/QUmgPhWhgmTFGMc18d7De40A/airflow-webserver-not-installing-python-requirements

Reaching out to the AWS community for support. Any help or leads would be appreciated.

1 Answer

Based on the information provided, it appears you're experiencing a connectivity issue between the Amazon Managed Workflows for Apache Airflow (MWAA) web server and an EC2 instance in another VPC, specifically on port 443. This is a complex issue, as the MWAA workers and schedulers can connect, but the web server cannot. Let's explore some potential solutions and areas to investigate:

  1. VPC Peering Configuration: Although you've checked the VPC peering between the MWAA VPC and the target instance VPC, ensure that the route tables in both VPCs are correctly configured to route traffic through the peering connection. Double-check that the CIDR blocks for both VPCs are correctly listed in each other's route tables.

  2. Security Groups and NACLs: While you've mentioned checking these, it's worth re-examining the security groups and network ACLs for both the MWAA environment and the target EC2 instance. Ensure that outbound rules in the MWAA security group allow traffic to the target instance's security group, and that inbound rules in the target instance's security group allow traffic from the MWAA security group, specifically on port 443.

  3. MWAA Network Configuration: Check the MWAA environment's network configuration. Ensure that it's set up to use the correct VPC and subnets that have the necessary routing to reach the peered VPC.

  4. NAT Gateway: If the MWAA web server is in a private subnet, ensure there's a properly configured NAT Gateway in the public subnet of the MWAA VPC. This is necessary for the web server to access the internet and potentially reach your target instance.

  5. DNS Resolution: Although you've ruled out DNS issues by using the private IP address, ensure that DNS resolution is enabled for the VPC peering connection. This allows instances in either VPC to resolve private DNS hostnames of instances in the peered VPC to private IP addresses.

  6. MWAA Web Server Specific Configuration: Since the issue is specific to the MWAA web server, there might be a configuration or networking setting unique to the web server component. Check if there are any MWAA-specific settings that could be affecting the web server's ability to connect to external resources.

  7. CloudWatch Logs: Enable and check CloudWatch logs for the MWAA environment, focusing on the web server logs. Look for any error messages or connection timeouts that might provide more insight into the issue.

  8. AWS Support: If you have AWS support, consider opening a support ticket. They may be able to provide more detailed insights into the MWAA networking configuration and potential issues.

  9. Proxy Configuration: Check if there are any proxy settings in place for the MWAA environment that might be interfering with the web server's ability to connect directly to the target instance.

  10. VPC Endpoints: If applicable, ensure that any necessary VPC endpoints are properly configured, especially if your target instance is providing services that typically use VPC endpoints (like S3 or DynamoDB).

Given the complexity of this issue and the fact that it's specific to the MWAA web server while other components are working, it may require deeper investigation into the MWAA service's networking architecture. Continue to monitor VPC flow logs and consider enabling more detailed logging for the MWAA environment to gather more information about the connection attempts from the web server.
Sources
Troubleshoot a VPC peering connection - Amazon Virtual Private Cloud
EC2 Connectivity problem on port 443 | AWS re:Post
Can't able to connect to the EC2 server in private network | AWS re:Post

answered a year ago
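The first three points of the answer above (route tables, security groups, and which subnets the environment actually uses) can be checked mechanically against a snapshot of the VPC configuration. The script below is an added example, not code from the re:Post thread or from AWS. All IDs, CIDRs, the peering connection id and the two-subnet layout are constructed sample values, and the dictionaries are shaped like the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` return, so a practitioner can swap in real output. It applies the longest-prefix match a VPC router uses and flags the one subnet whose table is missing the peering route, which is the classic reason one component of an environment reaches a peered VPC while another times out.

```python
import ipaddress

# Constructed sample snapshot (not from the question): two MWAA subnets in
# VPC A, a target instance in peered VPC B, and the peering connection id.
MWAA_VPC_CIDR = "10.0.0.0/16"
TARGET_VPC_CIDR = "10.1.0.0/16"
TARGET_IP = "10.1.5.20"            # private IP of the repository host (sample)
PEERING_ID = "pcx-0123456789abcdef0"  # sample peering connection id

ROUTE_TABLES = [
    {   # table for the subnet the workers/schedulers use: has the peer route
        "RouteTableId": "rtb-private-a",
        "Associations": [{"SubnetId": "subnet-worker-a"}],
        "Routes": [
            {"DestinationCidrBlock": MWAA_VPC_CIDR, "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},
            {"DestinationCidrBlock": TARGET_VPC_CIDR,
             "VpcPeeringConnectionId": PEERING_ID},
        ],
    },
    {   # table for a second subnet: the peer route was never added, so
        # 10.1.x.x falls through to the default route and the TCP handshake times out
        "RouteTableId": "rtb-public-a",
        "Associations": [{"SubnetId": "subnet-public-a"}],
        "Routes": [
            {"DestinationCidrBlock": MWAA_VPC_CIDR, "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def"},
        ],
    },
]

SECURITY_GROUPS = {
    "sg-mwaa": {    # attached to the MWAA ENIs (sample)
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    "sg-target": {  # attached to the repository instance (sample)
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": MWAA_VPC_CIDR}]},
        ],
    },
}


def longest_match(table, ip):
    """Pick the route the VPC router would use: the most specific matching CIDR."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for route in table["Routes"]:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def check_route(subnet_id, ip, peering_id, tables=ROUTE_TABLES):
    """None if traffic from subnet_id to ip leaves via the peering; otherwise a finding."""
    table = next(t for t in tables
                 if any(a.get("SubnetId") == subnet_id for a in t["Associations"]))
    route = longest_match(table, ip)
    if route is None:
        return f"{subnet_id}: {table['RouteTableId']} has no route covering {ip}"
    if route.get("VpcPeeringConnectionId") != peering_id:
        target = {k: v for k, v in route.items() if k.endswith("Id")}
        return (f"{subnet_id}: {table['RouteTableId']} sends {ip} to "
                f"{target} instead of {peering_id}")
    return None


def sg_allows(rules, ip, port, proto="tcp"):
    """True if any CIDR-based rule covers proto/port for the given address."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if rule["IpProtocol"] not in ("-1", proto):
            continue
        # "-1" (all traffic) rules carry no port range in the API output
        if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
    return False


def diagnose(subnet_id, source_ip, sgs=SECURITY_GROUPS):
    """Run the route, egress and ingress checks for one MWAA subnet; [] means all pass."""
    findings = []
    problem = check_route(subnet_id, TARGET_IP, PEERING_ID)
    if problem:
        findings.append(problem)
    if not sg_allows(sgs["sg-mwaa"]["IpPermissionsEgress"], TARGET_IP, 443):
        findings.append("sg-mwaa egress does not allow tcp/443 to the target")
    if not sg_allows(sgs["sg-target"]["IpPermissions"], source_ip, 443):
        findings.append(f"sg-target ingress does not allow tcp/443 from {source_ip}")
    return findings


if __name__ == "__main__":
    # sample ENI addresses, one per subnet
    for subnet, ip in (("subnet-worker-a", "10.0.1.10"), ("subnet-public-a", "10.0.2.10")):
        print(subnet, diagnose(subnet, ip) or "OK")
```

Run it against real data by dumping the route tables for every subnet listed in the environment's `NetworkConfiguration` (from `aws mwaa get-environment`) and the two security groups, then checking each subnet separately rather than only the one a working component happens to use. The script checks security groups only; network ACLs are stateless and would additionally need the ephemeral return ports allowed in both directions.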
