Questions tagged with Elastic Load Balancing

Hi, I am trying to setup an airflow application in ECS using EC2 launch type using teraform. Now I get error for webserver (saying task failed loadbalancer health check).I have tried various solutions but still it isint working. With the same code using Fargate launch type I am not receiving this error. Can you please help solve the issue

Hello. One of my environments is using a Classic Load Balancer. Sometimes, the queries I run in our database take more than just one minute, so I needed to increase the idle timeout of the Load Balancer (which is one minute by default). We followed the instructions and changed it to 3600 (s). However, I'm still getting the "connection closed" message after just one minute, so the new value of the idle timeout seems to have no consequence. Is there anything else I should be doing?

I got this page after deploying a version which was previously running successfully. There's only one instance in my application and I'm getting a "degraded" integrity. As for the causes, it is stated that "Application deployment failed [...] with exit status 1 and error: Engine excution has encountered an error. Incorrect application version 'app-....' (deployment 67). Expected version 'app-...' (deployment 66)." It's my first time AWS and I'm a overall newbie... What am I missing, since the website was running smoothly before this last attemped deployment? I appreciate any help.... Ovidio (from Brazil)

How to make ALB seamlessly and instantly re-forward HTTP request to a healthy target? I am trying to configure ALB to seamlessly forward HTTP requests to another healthy target when the original target is unavailable, but not yet marked unhealthy. But I get Gateway error 502 until 2 unsuccessful healthchecks happen and the target is marked unhealthy. I have 1 ALB, 1 target group, 2 targets that pointed to 2 IPs in separate VM instances. Session stickyness is on. App cookie JSESSIONID. Tomcat is configured for Clustering. Scenario: 1. start Tomcat at node A 2. browse app http: //My-ALB-link/examples/jsp/jsp2/simpletag/hello.jsp. Node A responds. 3. start Tomcat at node B. wait until ALB marks target healthy 4. stop Tomcat at node A and quickly refresh browser - get error 502 Bad Gateway 5. wait a minute, refresh browser. Node B responds. How to configure ALB to instantly re-forward HTTP request to another node if the first node happen to be unavailable? User's wont wait while ALB makes 2 healthchecks and marks a node unhealthy. thanks, Mark

I deploy AWS Load Balancer Controller and it creates and configures an application load balancer when I deploy an ingress, which is very convenient. However, the application load balancer is only created when an ingress.yaml is deployed, not when the controller is deployed. Is there a way of forcing the load balancer to be created on deployment of the Controller, before any ingresses have been deployed? I have several spring boot projects and an OAuth server deployed on my cluster - the spring boot projects' deployment require the OAuth2 server's URL. This requirement forces the deployment of the OAuth2 server separately, in order to configure/discover its hostname, before the other projects deploy. Ideally, I would like to deploy everything at once..

I want to ask the case: I have 2 Webservers in 1 target group. I think that if the connection from ALB to only 1 between/among targets have something wrong, the TargetConnectionErrorCount will be count. When testing, I make one of my webserver become can not connect (Request timed out) by changing the Security group. I think that TargetConnectionErrorCount will be counted here, but it not. I have to make all of my targets become unhealthy to see the TargetConnectionErrorCount be count (see the attached images) Is it right that only when all the target servers in the target group healthcheck fail will the TargetConnectionErrorCount metrics be counted? Attached image here: https://live.staticflickr.com/65535/52061333803_d622b9a25c_b.jpg

I have an ECS service that exposes port 8080. I want to have the load balancer, target groups and target use that port as opposed to port 80. Here is a snippet of my code: ``` const servicePort = 8888; const metricsPort = 8888; const taskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDef'); const repository = ecr.Repository.fromRepositoryName(this, 'cloud-config-server', 'cloud-config-server'); taskDefinition.addContainer('Config', { image: ecs.ContainerImage.fromEcrRepository(repository), portMappings: [{containerPort : servicePort, hostPort: servicePort}], }); const albFargateService = new ecsPatterns.ApplicationLoadBalancedFargateService(this, 'AlbConfigService', { cluster, publicLoadBalancer : false, taskDefinition: taskDefinition, desiredCount: 1, }); const applicationTargetGroup = new elbv2.ApplicationTargetGroup(this, 'AlbConfigServiceTargetGroup', { targetType: elbv2.TargetType.IP, protocol: elbv2.ApplicationProtocol.HTTP, port: servicePort, vpc, healthCheck: {path: "/CloudConfigServer/actuator/env/profile", port: String(servicePort)} }); const addApplicationTargetGroupsProps: elbv2.AddApplicationTargetGroupsProps = { targetGroups: [applicationTargetGroup], }; albFargateService.loadBalancer.addListener('alb-listener', { protocol: elbv2.ApplicationProtocol.HTTP, port: servicePort, defaultTargetGroups: [applicationTargetGroup]} ); } } ``` This does not work. The health check is taking place on port 80 with the default URL of "/" which fails, and the tasks are constantly recycled. A target group on port 8080, with the appropriate health check, is added, but it has no targets. What is the recommended way to achieve load balancing on a port other than 80? thanks

Hi, So we have an EC2 instance setup with a load balancer and elastic IP.... It works perfectly, except when the Elastic IP address becomes unassociated with the instance. The EIP addr is still there in the EIP table, just no instance is connected to it. And it does this seemingly at random. It will work for hours - days - then all of a sudden we can't connect. We check the EIP and it's unassociated. We re-associated it, and it's back to working again. (We do not have the *Reassociation* checkbox marked when you go to associate an EIP, so that shouldn't be causing it.) Other information: 1. No one has made changes to aws setting when it disassociates. 2. It doesn't coincide with bitbucket pipeline build. 3. Security groups, inbound rules are still all the same and associated with the instance. 4. We also only have a couple EIP, so we shouldn't be hitting any limits. So we are at a complete loss. Nothing else seems to change in aws - just the EIP association. Any ideas? I will happily add more information if needed.

We recently migrated our service to ECS, and we’ve seen a pattern of errors like this a few times: 1. Our CPU usage is low, so as part of normal autoscaling, ECS starts to reduce the number of tasks by 1 2. ECS claims to have deregistered 1 target and be draining connections 3. 90 seconds later (after the deregistration delay) ECS stops the task 4. Immediately after the task is stopped, a flood of load balancer 502s happens, all directed at just one IP. We suspect that this is the IP of the task that was removed and stopped, but somehow not removed from the ELB target group We don’t have any long-lived connections, so the 90 second deregistration delay should be long enough for the task to finish processing its requests before it’s stopped. It seems that the task selected for removal isn’t actually removed from the ALB target group, even though the ECS logs include messages indicating that it is. The logs include ``` * service \[our-service\] deregistered 1 targets in target-group \[our-target-group\] followed by * service \[our-service\] has begun draining connections on 1 tasks. ``` Events like this happen rarely (definitely not every time we scale down) but frequently enough to notice. Does anybody have ideas about why these errors might be happening, or how to get more information about what is going on? Thanks in advance.

When is the IP address changed when using ELB? Does it change depending on the time such as every 30 minutes? Will it change as the number of accesses increases?

How can I check the cost of network load balancer with cross-zone load balancing enabled on AWS console? Cross zone load balancing only.

We had an instance that despite being unreachable did not switch from healthy to unhealthy. In the instance there is a tomcat and nginx web application as a reverse proxy. In the tomcat and nginx logs we did not find any calls from the healthcheck service during the down period, but calls resumed smoothly as soon as the instance resumed working smoothly Would anyone be able to explain why the instance has not become unhealthy?

Four or five times in the past 6-8 weeks, we've had situations where one of our ec2 instances (running CentOS) cannot reach the private IP address of a classic ELB. I believe this is due to scaling events (or something else causing replacement of ELB components) happening on the ELB. From what I see in cloud trial, the network interface is replaced with one having the same ip address but a different mac address. Sometimes, but not all the time, the old mac address gets stuck in the instance's arp cache (in REACHABLE state), preventing the instance from communicating with the ELB causing drastic issues for our application. If I manually delete the entry from the arp cache, things start working again. This is happening across different environments, so multiple subnets, multiple ELBs and multiple ec2 instances. These environments and components have been running for years without seeing this issue before. The only network config change we've recently made is to disable jumbo frames earlier this year, but don't see how that would impact this. Any ideas how to fix this? Thanks EDIT: this happened again today and I was able to more closely examine things. The new ENI is actually re-using an ip address that had been used over a month prior. The old entry for said ip address is still listed in the arp cache with the prior MAC address, despite not being used for about four weeks. This explains why it's starting to happen more frequently, as the chance that an ip address gets re-used increases as new ENIs are created for the ELBs. It's a /26 subnet so not a lot of addresses to choose from.

note: I'm new to scaling and firstly seeking advice on the best practices for horizontal scaling **I have the following setup:** *EC2 Instances <-> ASG(created from Launch template) -> TG <-> ALB <-> TG <-> NLB* Traffic flows through NLB to ALB and finally to EC2 instances configured via ASG. note: I'm assuming the above setup is the best one to go with horizontal scaling, if not please let me know. the above setup works fine for HTTP whereas when I try to configure HTTPS, I don't see options to do so. Issue1: Target Group(TG) doesn’t allow to create one with Load Balancer type with TLS port: 443 but allows only TCP: port 80, **Question1: **how else should I redirect HTTPS traffic to ALB? note: I need NLB because ALB doesn't provide Static IPs **Question2:** wrt Static IPs: NLB doesn't allow <2 AZs which means I need to have 2 Static IPs linked to my domain? any inputs would be really helpful! **Update1:** I've configured like below: In ALB listeners: HTTP(80) gets redirected to HTTPS HTTPS(443) gets forwarded to ASG In NLB listeners: HTTP(80) gets forwarded to ALB note: ALB's public URL is added to my domain(sample-alb.domain.com) NLB's public URL is added to my domain(sample-nlb.domain.com) SSL works fine if the user enters by hitting sample-alb.domain.com whereas if the user enters by hitting sample-nlb.domain.com, it always fails with "ERR_CERT_INVALID" any inputs on why this fails? **Update2:** I've got the answer to my Issue1/Question1 on how to redirect HTTPS traffic to ALB from here: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html#configure-application-load-balancer-target > **Listeners and routing** > For Listeners, the default is a listener that accepts TCP traffic on port 80. Only TCP listeners can forward traffic to an Application Load Balancer target group. Keep the listener protocol set to TCP, but you can modify the port as required. > > This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol. so, I created a TG with TCP port 80 and listener to NLB, which redirects to ALB. (say for ex my NLB's public URL is 'nlb34323.amazonaws.com') now, when I hit my NLB's public URL with 'http://nlb34323.amazonaws.com', it does get redirected to 'https://nlb34323.amazonaws.com', but eventually fails with a timeout error. note: whereas when I hit ALB's public URL, it is working fine does it have anything to do with TLS termination as mentioned in the above documentation: > This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol. what am I doing wrong here?

Over the past week, clients have reported that any downloads approximately 600+ MB will be terminated mid request within a few seconds of the original request starting. I've checked multiple places to make sure its not my app that's dropping the connection or the EC2 instance and have verified that instances outside the Classic ELB can download the same file just fine. My production workload is in Opsworks Stacks and I bring up and take down the webservers according to load, and time of day. Opsworks very cleanly adds the instances to the load balancer after they come up and removes the instance from the load balancer before shutting down. I have looked into migrating to NLB or ALB, however since AWS still does not support those load balancers in Opsworks Stacks I am stuck using the Classic Load Balancer. After pounding my head against the wall I opened a support ticket to report a possible problem. AWS Support confirms the bug is known and "Classic Load Balancer experiences high resource utilization, when large files are being uploaded and downloaded to or from the target EC2 instances". Also I was informed there is no ETA of a fix. This was April 11, I have escalated to my account manager as well, but apparently he has not been able to get any traction either. I am posting so there is visibility.

**Context: **i've created an ELB and have connected to a target group which inturn is connect to an ASG **ASG - Working:** I could see that ASG is working fine aka it creates an instance automatically as per the scaling policy. **Target Group - Working:** I could also see that the target group is indicating the instance as Healthy **ELB - Not Working:** whereas, when I try to hit the ELB's public URL from a browser, I don't see it working, it fails with a timeout error and I've enabled logging for ELB but don't see the logs appearing in S3 buckets (although there's a file created by ELB, which means I've given proper access to it) I literally don't know how else to track a request from ELB and I'm not seeing the logs generating in my application/instances as well. but, when I try to hit the public URL of my instance, the application does work any inputs would be helpful!

Solution suggested on Stackoverflow was to increase max http message size. by creating this file: /.platform/nginx/conf.d/proxy.conf with the content:\nclient_max_body_size 100M; Where to create this file .. How to do this for an AWS Load Balancer (not Elastic Beanstalk) ?

I have enabled http2 on cloudfront and alb.Below is an access log from alb. https 2022-04-14T12:07:34.438950Z app/awseb-AWSEB-@#$$$$$$$/33c31cf831229bd5 70.132.30.168:19320 172.31.30.35:80 0.001 0.059 0.000 200 200 1091 15561 "GET https://mywebsite.co:443/ HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789:targetgroup/awseb-AWSEB-CO4F476RJ4O0/e54f61d50c1c75c9 "Root=1-62580e86-1411f5a823d9bc5f7dc1df7e" "mywebsite.co" "session-reused" 0 2022-04-14T12:07:34.378000Z "forward" "-" "-" "172.31.65.35:80" "200" "-" "-" As you can see cloudfront is using https i.e http over tls instead of http2. What could be the issue ?

Hi. I have a ec2 instance (not Lightsail) working behind a Load Balancer. Apache, PHP-FPM are installed and WordPress (or any PHP code) is working mostly fine. However if I try to run code using curl I get a 504 Gateway Timeout. WordPress Site Health also fail because of the same issue. Issues like: - Error: cURL error 28: Failed to connect to fakedomainforthispost.com port 443 after 7503 ms: Connection timed out (http_request_failed) - Your site is unable to reach WordPress.org at 198.143.164.251, and returned the error: cURL error 28: Connection timed out after 10001 milliseconds - The loopback request to your site failed, this means features relying on them are not currently working as expected. Error: cURL error 28: Failed to connect to fakedomainforthispost.com port 443 after 7503 ms: Connection timed out (http_request_failed) If I run curl as a command in ssh works fine. If I run curl as code inside a php file I get the 504 Gateway Timeout. I tried setting the KeepAlive rules bigger than the ELB Idle time with no success. If I clone the ec2 instance and run outside the Load Balancer, curl in php works fine. The load balancer allows ports 80 and 433 and the connected Target group communicates to the instances using port 80. The rest works fine. Kind Regards, D.

Hello, Is there any way to configure an AWS-ELB to provide source IP address when it is not configured as an HTTP load balancer but TCP load balancer? To explain a bit, we would like to to setup SMTP servers on EC2-Instances behind a the ELB, but we need to be sure the receive the right origin IP address within the SMTP protocol which now implements X-Forward-For as HTTP protocol. Any advice would be appreciated.

I am trying to modify a Cloudformation template. I modified the following keys for an ElasticLoadBalancingV2 TargetGroup: ``` ... InternalNLBTargetGroup: # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-targetgroup.html Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: ... HealthCheckIntervalSeconds: 10 HealthyThresholdCount: 2 UnhealthyThresholdCount: 3 ... ... ``` When I try to update my Cloudformation stack, then the update logicalId _InternalNLBTargetGroup_ fails with status reason `You cannot change the health check interval for a target group with the TCP protocol (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: InvalidConfigurationRequest; Request ID: c46176c1-8101-4a8d-98e0-d1007c0ab019; Proxy: null)` What can I do to resolve this issue? I saw this error mentioned in the [AWS docs](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-health-checks.html) but they didn't provide any next steps.

**Context:** We've got a number of load balanced web servers running on Windows OS in AWS using C# .NET (5). We have a web server application as well as a Windows Service running on the same machine and we have problems with logging from the Windows Service. **Problem Description**: Since we have many servers running load balanced, we name the log stream with the private IP number in order to distinguish which machine that potentially has problems. This private IP is extracted at startup of the application (for both the Windows Service and the Web Server.) This is usually sucessfull, but yesterday we had an incident when one Windows Service log stream was labeled with 127.0.0.1 instead of the local IP number. Eventually I was able to pinpoint which server it was, restarted the windows service, which made the private IP number appear instead in the new log stream name. **?: Suggested reason with possible solution:** I'm guessing this is a race condition error. The machine has not received it's private IP number yet by AWS network before our service asked for it. **If so we can wait for the real IP to appear just to make sure we get the right IP number in our log. ** I have three question related to this: **Questions:** 1. **Do you see any other reason than the one I suggested why the IP number 127.0.0.1 appears? ** 2. ** Is there a better solution available than the one I suggested?** 3. **Is there a way, using an AWS API of some sort to get hold of the public IP for the server?** Here's the code how we extract the private IP address in this context: ``` var hostName = System.Net.Dns.GetHostName(); var ipAddresses = System.Net.Dns.GetHostAddresses(hostName); var ipv4Address = ipAddresses.FirstOrDefault(ip => ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork); ```

Hi folks i bought a domain from route 53 (jeevanresume.link) how to activate it

I try to authenticate end-users of my application at ELB level by using Cognito provided feature. I first deployed all my resources in eu-west-1 and works perfectly. When trying to do the same in eu-west-1, CloudFormation sent me an error: ``` Resource handler returned message: "Invalid request provided: AWS::ElasticLoadBalancingV2::ListenerRule Validation exception" ``` Also see a trace in Cloud Trail (partial copy) ``` "eventTime": "2022-04-11T13:47:08Z", "eventSource": "elasticloadbalancing.amazonaws.com", "eventName": "CreateRule", "awsRegion": "eu-west-3", "sourceIPAddress": "cloudformation.amazonaws.com", "userAgent": "cloudformation.amazonaws.com", "errorCode": "ValidationException", "errorMessage": "Action type 'authenticate-cognito' must be one of 'redirect,fixed-response,forward,authenticate-oidc'" ``` I suspect that this feature is not yet available in eu-west-3, but can't find an official answer (which region supports this feature). Thanks for your help

Quite sure this has been answered in previous forums, Do ELB IP (classic/alb not NLB) change over time? If it does change, does it change for all AZs that I have enabled load balancer to?

Hello, we're running an application with the following setup: ALB -> TargetGroup -> ECS service The ECS service is running on Fargate and it is a web-server. The ALB timeout is set to 20 seconds, and the Service's idle timeout is set to 120 seconds. We've confirmed that the ECS service keeps connections open for at least 120 seconds. We've also configured request logging on this ALB and we've been querying it with Athena. However, it seems like the ALB still issues 504s to some requests immediately, we regularly see log entries like these: ``` # type time elb client_ip client_port target_ip target_port request_processing_time target_processing_time response_processing_time elb_status_code target_status_code received_bytes sent_bytes request_verb request_url request_proto user_agent ssl_cipher ssl_protocol target_group_arn trace_id domain_name chosen_cert_arn matched_rule_priority request_creation_time actions_executed redirect_url lambda_error_reason target_port_list target_status_code_list classification classification_reason 1 h2 2022-04-05T12:29:35.833859Z app/ProdV2PublicApi/0a57bb243c2024e7 REDACTED 60232 10.42.17.243 18000 0.001 -1.0 -1.0 504 - 307 202 PUT https://apibeta.centralapp.com:443/api/v2/inbox/table-booking/request-status?urn=urn%3Acentralapp%3Acompany%3A9211291968452165724 HTTP/2.0 Mozilla/5.0 (Windows NT 6.0; rv:52.0) Gecko/20100101 Firefox/52.0 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:eu-west-1:899041400740:targetgroup/ProdV2-Quasar-ECS/3ee8cde1808fdb22 Root=1-624c35f3-5852eff9590d1fd5285bc6e7 apibeta.centralapp.com arn:aws:acm:eu-west-1:899041400740:certificate/7f1122d9-2470-46d6-b28b-53a48c99bdd1 5 2022-04-05T12:28:35.831000Z waf,forward - - 10.42.17.243:18000 - - - ``` From the backend logs, it seems to us that the request never really gets to the ECS service, or from the ECS service's standpoint, the connection gets prematurely terminated by the ALB. For the premature termination, we see logs in our backend like these: ``` [CRITICAL] [05/Apr/2022:10:18:47 +0000] ["Quasar/###WARP###"] Exception on request:Just Request { requestMethod = "POST" , httpVersion = HTTP/1.1 , rawPathInfo = "/api/v2/distributor/companies/d-sales/leads" , rawQueryString = "?id=centralapp_saas&page=0" , requestHeaders = [ ( "X-Forwarded-For" , "217.111.215.151" ) , ( "x-amzn-tls-version" , "TLSv1.2" ) , ( "x-amzn-tls-cipher-suite" , "ECDHE-RSA-AES128-GCM-SHA256" ) , ( "X-Forwarded-Proto" , "https" ) , ( "X-Forwarded-Port" , "443" ) , ( "Host" , "apibeta.centralapp.com" ) , ( "X-Amzn-Trace-Id" , "Root=1-624c1784-223215ba597701b31758046f" ) , ( "Content-Length" , "40" ) , ( "sec-ch-ua" , "" Not A;Brand";v="99", "Chromium";v="99", "Google Chrome";v="99"" ) , ( "content-type" , "application/json; charset=UTF-8" ) , ( "sec-ch-ua-mobile" , "?0" ) , ( "user-agent" , "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36" ) , ( "sec-ch-ua-platform" , ""macOS"" ) , ( "accept" , "*/*" ) , ( "origin" , "https://beta.centralapp.com" ) , ( "sec-fetch-site" , "same-site" ) , ( "sec-fetch-mode" , "cors" ) , ( "sec-fetch-dest" , "empty" ) , ( "referer" , "https://beta.centralapp.com/" ) , ( "accept-encoding" , "gzip, deflate, br" ) , ( "accept-language" , "fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7" ) , ( "x-amzn-waf-name" , "ACL_Public_Resources_Default" ) ] , isSecure = False , remoteHost = 10.42.17.44:12692 , pathInfo = [ "api" , "v2" , "distributor" , "companies" , "d-sales" , "leads" ] , queryString = [ ( "id" , Just "centralapp_saas" ) , ( "page" , Just "0" ) ] , requestBody = <IO ByteString> , vault = <Vault> , requestBodyLength = KnownLength 40 , requestHeaderHost = Just "apibeta.centralapp.com" , requestHeaderRange = Nothing } Exception was:Warp: Client closed connection prematurely ``` We've also tried setting things up without an ALB and we've not been able to reproduce this issue locally, so we're pretty suspicious of what the ALB is doing here. What should be our next course of action on this issue? We're also noticing that the ALB tries to keep some connections open longer than the timeout: ``` [DEBUG] [05/Apr/2022:12:58:32 +0000] ["Quasar/###WARP###"] Socket: 10.42.17.105:39070 was open for: 90.897913261s [DEBUG] [05/Apr/2022:12:58:35 +0000] ["Quasar/###WARP###"] Socket: 10.42.2.83:56654 was open for: 107.734655922s [DEBUG] [05/Apr/2022:12:58:38 +0000] ["Quasar/###WARP###"] Socket: 10.42.2.83:56552 was open for: 129.749085682s [DEBUG] [05/Apr/2022:13:14:17 +0000] ["Quasar/###WARP###"] Socket: 10.42.17.105:41128 was open for: 625.691958838s ``` Why?

Hello, As a first ELB/Listerner rule in front of our web servers, I set up the following: IF: Http header name user-agent is *Ahrefs* THEN: Return fixed response 403 For whatever reason, the rule is simply ignored and our servers continue being loaded by unwanted Ahrefs bots. Is it because there are 2 wildcards in the value match or do I miss something? I however found an example if AWS documentation where ir looks to be authorized: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html. Many thanks in advance for any help.

I know ALB can be configured to just pass-through the packet without TLS offloading. In that case, because payload is encrypted, then ALB only get limited access to the payload to do any dynamic routing (content based sticky session, etc). My question is, in this case, is there any difference if I use a NLB without TLS offloading? Does ALB without TLS Offloading functionally the same as NLB without TLS Offloading?

I deployed a Docker service on Lightsail. It works fine for requests that can be processed quickly but times out (gateway timeout, code 504) for requests that take a bit longer to process. What is the timeout limit on Lightsail Container instances and can I increase it? Thank you.

The context is enabling authenticated and authorized access to Kubernetes Dashboard in an AWS EKS instance via an AWS ALB configured with OIDC authenticate. The Kubernetes Dashboard is being protected by an AWS ELBv2 load balancer. It is created and configured by Ingress resource and the ALB Controller v2 (v2.2.3). This works. FWIW: We are Azure AD as the IdP. We are also using the OIDC Provider configuration on the Kubernetes (EKS) API. We are successfully using OIDC authenticated access from kubectl to access the API and apply RBAC. We are using ClusterRoleBinding to test with Cluster Admin users. Authentication works. However, the Kubernetes Dashboard still presents its internal token challenge page, because it does not get the Access Token, because the ALB removed it and put it in the ```X-AMZN-OIDC-*``` header. We had some success with: ``` alb.ingress.kubernetes.io/configuration-snippet: auth_request_set $token $upstream_http_authorization; proxy_set_header Authorization $token; proxy_pass_header Authorization; ``` Is this the best way to do this? Is there a better way to configure the ALB to attach the Access Token it obtained from the IdP's token endpoint as an ```Authorization: Bearer <token>```, rather than in a separate header?

Hi All, I have a situation, where the service A (spring cloud application on Tomcat) to be deployed on EC2 (auto scaling group) using CHEF (deployment time ~10 mins). The servers are behind the NLB (cross zone load balancing enabled, sticky session disabled). Now the issue is, as soon as a server is brought in-service, the NLB passes the health check before the CHEF build completes; which means, the target becomes healthy but the service A deployment still in progress. This is causing an issue to other service B (running on different EC2 on diff ASG) which is trying to connect to service A. The Service B connection to service A fails if the request from NLB landed on the EC2 of service A in question. Since there is no option with TCP health check to set the health check path, one of the root causes I could think of is, as soon as Tomcat gets deployed, the NLB gets the health check response, which is sufficient to make the target healthy, whereas the service is still getting deployed on tomcat. Is there a way to handle this situation? Except replacing NLB with ALB. (*PS: application uses Spring Cloud Netflix patterns - Eureka, Config, zuul etc)

An account is planing to configure CloudFront to house a large number of custom domains and terminate traffic to the CloudFront origin with a single CLB. To be a little more specific, the configuration will be as follows; Before: client -> CLB After: client -> CF* -> CLB *CloudFront content caching is disabled in this scenario. In this case, is it correct that the number of requests to be charged for After scenario is roughly twice the total number of GET/HEAD requests recorded in the Before Scenario? ("request for client -> CF" + "request for CF -> CLB")

Our client would like us to take over Certificate Management for them now so they can be completely hands off in the management of the service we run for them. Our current process for cert renewal is to send the client a new CSR, import the new cert into ACM and update the ALB to use this new cert. I'd like to know what AWS infrastructure we'd need to configure / use to fully manage this for our client and request certificates for their actual domain of say xyz.com where they access the sites(s) we manage for them. Ideally we'd like ACM to be able to auto renew the certs and therefore keep the ALB updated with the certs. I know how to do this with our own domain hosted in Route53 but not with a third party domain. Do we need to setup the client domain in Route53, update the name servers to the clients as a first step or is there a much simpler way and we don't need Route53 at all? e.g. can I just request a cert in ACM and get the client to add the txt records and this will allow the auto renewal

Received email stating that SSL/TLS certificates in our AWS could not be renewed because email validations had not been received. I went to Load Balancer (EC2) -> Listeners -> view/edit certificates and can see the expiring certificates. However, when I click on the ACM link (next to each listed certificate), the Certificate Manager does NOT show any certificates. In fact, it shows the default page indicating that the account has no certificates. I double-checked that I am in the correct region. Is this a bug, or am I missing some other configuration step?

I am looking to write a rule for ELB that redirects to a certain host, if the Host Header does not match that host. The use case is trying to access to the underlying site using the IP address and not the domain name. I have it working if I manually do if HOST HEADER = {IP ADDRESS} but this isn't ideal as any time a new network interface is created or IP address updated I will need to update the rules. Is there a way to do != in the value for host header?

I have an ec2 instance of type t2.micro and I have a web service that communicates with services outside the server so it needs internet and I have noticed that internet connectivity is lost at least 1 time a month and I have to restart so that back to normal and I would like to solve that problem. It is worth mentioning that I have a load balancer for that server and a security certificate for my domain.

We have a springboot backend api running on elastic beanstalk. Our domain is on route53 and uses the Certificate Manager to run as https. To make an api request we send the request to a subdomain url (https://api.SomeWebsite.com ). In Route53 we direct that subdomain to an EC2 load balancer, which then points that at the beanstalk instance. Our beanstalk should be in http - we are using the LB as an SSL terminator. We have listeners for incoming traffic on the LB as: HTTP , Port 80 -> Redirect to HTTPS HTTPS, Port 443 -> Redirect to Target, HTTP, OurBeanstalkENV. I have triple checked that the https port points to the correct EB instance, and it does note http on the target selection. + The Issue: we keep getting either preflight failed due to no Access-Control-Allow-Origin (it's in the request header) or a timeout error error when make the requests. When we look at beanstalk logs, our springboot server has an error: java.lang.IllegalArgumentException: Invalid character found in method name... HTTP method names must be tokens... Based on this error Springboot is receiving http**S** requests, even though it should be receiving http via the load balancer. Does anyone know what could be wrong here?

Hi, I created an ALB with a target group pointing to one test webserver EC2 instance. Even though I enabled all 3 AZs in my region, if I lookup the ALB DNS name (*.elb.amazonaws.com), it always resolves to only one IP. Isn't it supposed to assign an IP per AZ and return all those three IPs for the DNS name of the ALB if I enable 3 AZs for the ALB? Or is it scaling down the AZs automatically due to currently low traffic or due to the fact that we have currently only one EC2 instance as target in the target group? (we are still in the development phase) Thanks.

I am trying to configure my ALB to allow TLS 1.3. I read the article that this feature is available with the security policy in bold below: https://aws.amazon.com/about-aws/whats-new/2021/10/aws-network-load-balancer-supports-tls-1-3/ ``` Elastic Load Balancing provides the following security policies for Network Load Balancers: ELBSecurityPolicy-TLS13-1-2-2021-06 ELBSecurityPolicy-TLS13-1-2-Res-2021-06 etc etc ``` The newest security policy I am offered is "ELBSecurityPolicy-FS-1-2-Res-2020-10" I may be missing a key concept with load balancers and Listener security policies and would appreciate any help. It's an Application Load Balancer, HTTPS/443 chosen as the only listener.

### My problem In order to test CLB to ALB migration, I set Route53 Weighted Routing at a ratio of 255 for CLB and 1 for ALB. After waiting for more than 5 minutes, no accesses flowed to ALB at all. ### my research I have configured ELB-A and ELB-B with Route53 Weighted Routing at a ratio of 1:1. I configured ELB-A to return 200 and ELB-B to return 503. I tested the connection using Curl. (Let's say the DNS name is `my-test.com`) ``` $ count=0; while true; do echo -n "${count} "; curl -sI my-test.com | grep HTTP | tee -a curl.log; sleep 1; count=`expr $count + 1`; done ``` The result was that requests were not switched at 50% probability, but switched by group. ``` $ uniq -c curl.log 1 HTTP/1.1 503 Service Temporarily Unavailable 94 HTTP/1.1 200 OK 46 HTTP/1.1 503 Service Temporarily Unavailable 43 HTTP/1.1 200 OK ``` ### My question - Doesn't it switch on a per-request basis? - Is the client machine's DNS cache functioning? - Am I correct in assuming that there is a 1/255 draw with one chance every 60 seconds for the DNS to be updated?

I created my presentation-tier ( Web layer) with 3 public subnets containing one EC2 each and use an internet facing ELB to distribute traffic to all of them. I also install Apache to all of the instances. The Elb healthcheck is healthy and so far everything is working. On my Application layer, I created 3 private subnets containing one EC2 each and use an internal facing ALB to distribute traffic to all of them. My Alb receives traffic only from my Web-servers, and I installed Wordpress on all 3 of them ( The script to install Wordpress also include Apache and MySQL). The Alb HealthCheck says that healthcheck failed and the reason being " unhealthy threshold 2 consecutive health check failures". I also created a NAT gateway for these application-servers. I created my dababase on the batabase-layer with its security group that allow traffic only from App-servers through port 3306. From my understanding of a 3-tier architecture, they are all connected to one another through the security group and even the route table. Since I can use session manager to connect to all my Web-servers and App-servers, I would like to believe that my security groups ports are "ok". Here is their flow: INTERNET-->Internet facing ELB-SG-->Web-SG--> Internal facing ALB-SG-->App-SG-->DB-SG. The flow is unsecure using Http (80). 1-How do I troubleshoot "Unhealthy threshold 2 consecutive health check failures?" 2- How do I built my application so that it will be accessible using only the DNS name of the Internet facing ELB?

Apparently, my EC2 instance can’t access the internet properly. Here is what happens when I try to install a Python module: `[ec2-user@ip-172-31-90-31 ~]$ pip3 install flask` `Defaulting to user installation because normal site-packages is not writeable` `WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7fab198cbe10>: Failed to establish a new connection: [Errno 101] Network is unreachable')': /simple/flask/` etc. Besides, inbound ping requests to instances the Elastic IP fail (Request Timed Out). However, the website that is hosted on the same EC2 instance can be accessed using both http and https. The security group is configured as follows: the inbound rules are | Port range | Protocol | Source | | -------- | -------- | ---- | | 80 | TCP |0.0.0.0/0 | | 22 | TCP |0.0.0.0/0 | | 80 | TCP |::/0 | | 22 | TCP |::/0 | | 443 | TCP |0.0.0.0/0 | | 443 | TCP |::/0 | the outbound rules are | IP Version | Type | Protocol | Port range | Source | | ----------- | --------- | -------- | ------- | ------ | | IPv4 | All traffic | All | All | 0.0.0.0/0 | The ACL inbound rules are: | Type | Protocol | Port range | Source | Allow/Deny | | -------- | -------- | ---- | -------- | ---------- | | HTTP (80) | TCP (6) | 80 |0.0.0.0/0 | Allow | | SSH (22) | TCP (6) | 22 |0.0.0.0/0 | Allow | | HTTPS (443)| TCP (6) | 443 |0.0.0.0/0 | Allow | | All ICMP - IPv4 | ICMP (1) | All | 0.0.0.0/0 | Allow | | All trafic | All | All |0.0.0.0/0 | Deny | and the outbound rules are: | Type | Protocol | Port range | Source | Allow/Deny | | -------- | -------- | ------- | -------- | ---------- | | Custom TCP | TCP (6) | 1024 - 65535 | 0.0.0.0/0 | Allow | | HTTP (80) | TCP (6) | 80 |0.0.0.0/0 | Allow | | SSH (22) | TCP (6) | 22 |0.0.0.0/0 | Allow | | HTTPS (443) | TCP (6) | 443 |0.0.0.0/0 | Allow | |All ICMP - IPv4 | ICMP (1) | All | 0.0.0.0/0 | Allow | | All trafic | All | All |0.0.0.0/0 | Deny | This is what the route table associated with the subnet looks like: | Destination | Target | Status | Propagated | | ---------- | -------- | -------- | ---------- | | 172.31.0.0/16 | local | Active | No | | 0.0.0.0/0 | igw-09b554e4da387238c | Active | No | (no explicit or edge associations). As for the firewall, executing `sudo iptables –L` results in `Chain INPUT (policy ACCEPT)` `target prot opt source destination` `Chain FORWARD (policy ACCEPT)` `target prot opt source destination` `Chain OUTPUT (policy ACCEPT)` `target prot opt source destination` and `sudo iptables -L -t nat` gives `Chain PREROUTING (policy ACCEPT)` `target prot opt source destination` `Chain INPUT (policy ACCEPT)` `target prot opt source destination` `Chain OUTPUT (policy ACCEPT)` `target prot opt source destination` `Chain POSTROUTING (policy ACCEPT)` `target prot opt source destination` What am I missing here? Any suggestions or ideas on this would be greatly appreciated. Thanks

I used the Launch ALB Migration Wizard. The change is that the number of ports in the routing tab has been reduced from 2 to 1. (The relevant information is attached to the link.) [link image](https://ibb.co/q1ff1rj) If it is set to one, a 504 gateway timeout error occurs. Is there a way to set two routing ports during migration?

Currently, we use docker-compose and .ebextensions to update elastic load balancer security group. However now I have requirement to apply different security groups for different environment. How do I add the condition to elbsg.config ? Below is my current elbsg.config ``` option_settings: aws:elb:loadbalancer: ManagedSecurityGroup: "sg-xxxxxx" SecurityGroups: "sg-xxxxx" aws:elbv2:loadbalancer: ManagedSecurityGroup: "sg-x"xxxx SecurityGroups: "sg-xxxxx" ``` Wondering if the normal yaml condition would works or there is a separate syntax for elbsg.config to work ?

Hi, I would expose the same SFTP (Transfer Family) endpoint (deployed in service mode, not into a VPC) under different domains to share the capabilities. It seems the component controls its proper declaration into an hosted zone (based on the given domain), meaning it could not be associated to several domains. If I want to share a SFTP server, I have to deploy it into a VPC, behind a NLB and target the NLB from the different zones. Am I right? Thanks in advance

Hi. I've noticed that the WAF **AWSManagedRulesCommonRuleSet** is **BLOCKING** (or COUNTING) legitimate requests because it matches the value of the **Elastic Load Balancer** cookie ("AWSALBTG") as a **false positive** matched by the rule **CrossSiteScripting_COOKIE** This is an example request that I extracted from WAF cloudwatch logs (only the relevant info): ``` httpRequest.headers.13.name: cookie httpRequest.headers.13.value: AWSALBTG=0naHdSsqK2TVnPXcAgo8cGqiA0X1v/4rqyWrE/OsL7eubnXAm8tJRmtFzcv5XbAmDVq6UpKw2ZY0BHcOMwuQLRh7lU3TMoHbHnA00gY2R+yG/4vtzy2meQptVHelSdfnAPR5heRTALuqaHUf/oNyw1kZibZHTTkzpONuiJZkpUIr2pVVqsQ=; AWSALBTGCORS=0naHdSsqK2TVnPXcAgo8cGqiA0X1v/4rqyWrE/OsL7eubnXAm8tJRmtFzcv5XbAmDVq6UpKw2ZY0BHcOMwuQLRh7lU3TMoHbHnA00gY2R+yG/4vtzy2meQptVHelSdfnAPR5heRTALuqaHUf/oNyw1kZibZHTTkzpONuiJZkpUIr2pVVqsQ=; AWSALB=zyyDqgOFJzOv2HVSswKA0mw8yNNjHrAyJkhe7SRNFzOJSD6jFX6+5/T8ELUvvHIYeKW0XuxPDTBTG0gZO3d2FSCohf1jHsk2mDmTkoOh7BZCQKTmtJn4X4jbDDjL; ..... nonTerminatingMatchingRules.0.action: COUNT nonTerminatingMatchingRules.0.ruleId: AWS-AWSManagedRulesCommonRuleSet nonTerminatingMatchingRules.0.ruleMatchDetails.0.conditionType: XSS nonTerminatingMatchingRules.0.ruleMatchDetails.0.location: HEADER nonTerminatingMatchingRules.0.ruleMatchDetails.0.matchedData.0: oNyw1kZibZHTTkzpONuiJZkpUIr2pVVqsQ nonTerminatingMatchingRules.0.ruleMatchDetails.0.matchedData.1: ; ``` As you can see, the "**matchedData**" field contains a string ("oNyw1kZibZHTTkzpONuiJZkpUIr2pVVqsQ") that is inside the AWSALBTG cookie value generated by the ELB. This means that currently we can't use WAF and ELB together because it is blocking legitimate requests because of the ELB cookie. Am I correct or missing something? Is there any way to avoid this?

What is the best Elastic Load Balancing kind to use with IIOP (Internet Inter-ORB Protocol)? In my specific case, port 3528 is used on the server for IIOP calls;

Hi, I configured SSL offload on Elastic Load Balancer using a certificate from AWS Certificate Manager. The HTTPS listener is configured as follows: the default action is forwarding to Group Instances HTTPS, and the default SSL certificate is (as Edit Listener indicates) the correct one issued by ACM for a domain name I registered using AWS. In Route 53 Hosted Zones, I created an A-type record with my Public IPv4 address (which is an Elastic IP) as a value. However, when I try to connect to my domain via https, I get the error message ERR_CERT_AUTHORITY_INVALID, and Chrome’s Developer tools > Security > View Certificate displays Issued to: ip-172-31-90-31.ec2.internal Issued by: ip-172-31-90-31.ec2.internal, that is my Private IPv4 DNS in both cases -- instead of my domain name (for Issued to) and Amazon (for Issued by). I also tried pointing the A record to the ALB instead of my public IPv4 (as suggested at https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html). Unfortunately, after that browsers couldn't connect to the domain at all (the error message: <domain_name> took too long to respond). I am wondering what could cause that. Could it result from some misconfiguration of my Apache server? If so, how could I fix that? Thanks

Hello community, I cannot seem to find the answer for my current problem. The setup is that I have a number of wildfly server running connecting to an NLB where 2 instances of pgBouncer are running. We recently had a traffic spike and I noticed that one of the 2 pgBouncer instances had a lot more "packages out" than the other (10x more). From that point it seems that the second instance was almost not hit at all. The postgres in the background seems to confirm this as the maximum number of connections was as high as configured by a single pgBouncer instance and the second did not seem to establish any connection. (or only very few) The pgBouncer are working fine, my suspicion is the NLB. I read about long lasting connections leading to problems in the load distribution. Is the NLB the correct Load balancer for this scenario or should we move to the ALB? Is there anything I could configure/test for this scenario? I do not know where I even should start investing the issue further. Thanks!

I have a client's requirement to use static public ip's for our applications, instead the ALB dynamic ip's. For this escenario we have an NLB with EIP as static ip and is usingALB as a target of NLB. For testing purposes, we create a EC2 with a simple apache, NLB and ALB has listeners on port 80 and everything its working, we can use de DNS name in a browser and we have the apache Welcome page. But, if we tried to use https its not working. For this last escenario we have the following configuration: * NLB: * Listener on TCP 443 * ALB as a target group for NLB * AZ's matches between NLB and ALB * NLB is internet-facing * ALB * Listener on https * Certificate configuration using aws certificate manager * Rule to target by default Apaches EC2 * ALB is internal We test the ALB with telnet and curl from another EC2 instance and is responding with the two commands, but when we used the NLB dns name, nothing happend. We used the same subnets an AZ from the escenario with the port 80, what are we missing? Best regards

We have a SignalR javascript client connecting to .net core hub, hosted in AWS. Both client and server use version 6. More than one backend server may exist, so there is an internet facing Network Load Balancer forwarding the traffic to the backend servers. The NLB is configured with these options: - Stickiness - Preserve client IP addresses Most of the time, everything works great: the negotiation and the connection upgrade. Sometimes, however, something strange happens: the negotiation fails (error in WebSocket transport), then the client tries again with another transport (SSE). This transport also fails and, while retrying, the client hits the other host, starting the negotiation again. Finally, the connection succeeds. All this process takes no more than 5 seconds. This was happening in our clients, from outside, so we set up an isolated environment to debug this situation, with the NLB and 2 backend hosts. This is internal, so no one else is connecting, for sure, so there is no chance hosts are overloaded. We are completely sure our IP does not change while the test is being done. We enabled client and server debug logs, shown below. This still happens sometimes, no matter the host that we hit on the first attempt. We know that we can configure the client to skip the negotiation, but that will make us lose about 10% of our clients, because we will be limited to use the WebSockets transport. From the logs, IP stickiness seems to be failing somehow... What is misconfigured in our setup? How can the negotiation fail if just one client is connecting and the IP does not change? What else can we configure in the AWS NLB to ensure the IP stickiness? Thanks in advance! **When the connection succeeds at the first attempt** ``` Client logs Debug: Starting connection with transfer format 'Text'. Debug: Sending negotiation request: https://<server>... Debug: Selecting transport 'WebSockets'. Trace: (WebSockets transport) Connecting. Information: WebSocket connected to wss://<server>... Debug: The HttpConnection connected successfully. Server logs [DBG] New connection r3Gv5PrBgTA2T6lijqwTrA created. [DBG] Sending negotiation response. [DBG] Establishing new connection. [DBG] Socket opened using Sub-Protocol: 'null'. [DBG] OnConnectedAsync started. [DBG] Found protocol implementation for requested protocol: json. [DBG] Completed connection handshake. Using HubProtocol 'json'. ``` **When the connection fails at the first attempt** ``` Client logs Debug: Starting connection with transfer format 'Text'. Debug: Sending negotiation request: https://<server>... Debug: Selecting transport 'WebSockets'. Trace: (WebSockets transport) Connecting. WebSocket connection to 'wss://<server>...' failed: Information: (WebSockets transport) There was an error with the transport. Error: Failed to start the transport 'WebSockets': Error: WebSocket failed to connect. The connection could not be found on the server, either the endpoint may not be a SignalR endpoint, the connection ID is not present on the server, or there is a proxy blocking WebSockets. If you have multiple servers check that sticky sessions are enabled. Debug: Selecting transport 'ServerSentEvents'. Debug: Sending negotiation request: https://<server>... Trace: (SSE transport) Connecting. Information: SSE connected to https://<server>... Debug: The HttpConnection connected successfully. Trace: (SSE transport) sending data. String data of length 32. POST https://<server>... 404 (Not Found) Debug: HttpConnection.stopConnection(undefined) called while in state Disconnecting. Error: Connection disconnected with error 'Error: No Connection with that ID: Status code '404''. Debug: Starting connection with transfer format 'Text'. Debug: Sending negotiation request: https://<server>... Debug: Selecting transport 'WebSockets'. Trace: (WebSockets transport) Connecting. Information: WebSocket connected to wss://<server>... Debug: The HttpConnection connected successfully. Server logs (server 1) [DBG] New connection _cm5IaOtqY7tD7suKOb08Q created. [DBG] Sending negotiation response. (1) [DBG] New connection GuXhVydEzL-8xXcSxibysA created. [DBG] Sending negotiation response. (2) [DBG] Establishing new connection. [DBG] OnConnectedAsync started. [DBG] Failed connection handshake. (server 2) [DBG] New connection RjoZW-BKBNMOa2UBW9yo-g created. [DBG] Sending negotiation response. [DBG] Establishing new connection. [DBG] Socket opened using Sub-Protocol: 'null'. [DBG] OnConnectedAsync started. [DBG] Found protocol implementation for requested protocol: json. [DBG] Completed connection handshake. Using HubProtocol 'json'. ```

Hi, I don't have a lot of experience with AWS. As a means to understand the tech let's assume the following theoretical use case: 1. University with 400,000 static files (html, images, js). Vendor hosted CMS generates the static files. 2. University needs to host these generated statics files and implement SSO (Shibboleth SP3) on separate server eg EC2 Amazon Linux 2. 3. Use GitHub for version control (team of 5 developers) and deploy to CodeDeploy from GitHub main branch 4. Use Load Balancers. ....From your experience of hosting large scale informational static websites is GitHub>CodeDeploy>EC2 a suitable option or should I be studying/considering other best practice AWS services? Starting out so any resources or direction appreciated. Thanks

I am using Elastic Beanstalk to deploy my docker container app, I want to route my custom domain to the web server but this domain is a root domain, so I cannot use CNAME, instead I have to use the IP addresses of the application load balancer. But the ALB IP addresses change over time, so I need a static IP address for routing. Currently I managed to do this by hosting a static IP address that redirects *mydomain.com* to *www.mydomain.com* and routing *www.mydomain.com* to the server via CNAME since it's not a root domain. This process is kinda complex. I wonder if there is any simpler method to realize this? Thanks.

We would like to use an EventBridge Rule to trigger a webhook for one of our internal applications. The problem is that it appears as if API Destinations can't connect to applications inside of our VPC. Our application is behind an internal ALB so it can't be connected to from the Internet. Is there some way for EventBridge to hit a HTTPS endpoint on an internal ALB?

I am using an infrastructure setup as described in the title. This setup is also somewhat shown in this picture: https://d2908q01vomqb2.cloudfront.net/1b6453892473a467d07372d45eb05abc2031647a/2021/02/04/5-CloudMap-example.png In the official AWS blog here: https://aws.amazon.com/blogs/compute/configuring-private-integrations-with-amazon-api-gateway-http-apis/ the following is stated about using such setup: > As AWS Cloud Map provides client-side service discovery, you can replace the load balancer with a service registry. Now, connections are routed directly to backend resources, instead of being proxied. This involves fewer components, making deployments safer and with less management, and reducing complexity. My question is simple: What load balancing algorithm does HTTP API GW use when distributing traffic to resources (the Fargate tasks) registered in a service registry? Is it round-robin just as it is with ALB? Only thing I was able to find is this: > For integrations with AWS Cloud Map, API Gateway uses DiscoverInstances to identify resources. You can use query parameters to target specific resources. The registered resources' attributes must include IP addresses and ports. API Gateway distributes requests across healthy resources that are returned from DiscoverInstances. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-private.html#http-api-develop-integrations-private-Cloud-Map

I have deployed an EKS cluster with a node group using Terraform a little bit ago but now when I want to delete it, I get the error "Cannot delete because cluster my-cluster currently has an update in progress" There is no update in progress from what I can tell, meaning that there is no update to stop and no way to delete my cluster now. Both Terraform and the AWS console show the same error and I have no idea how to delete it. There are no more nodes, autoscalers, load balancers, network interfaces or even a VPC associated with the cluster anymore. The cluster shows up as "Active". I did perform updates on the cluster without syncing Terraform though. The VPC-CNI needed updating and the node group version as well. Terraform had that synced before deleting, so that shouldn't've been an issue. How do I delete my cluster?

Hey re:Post community I got a question regarding how its supposed to be a setup. Recently I configure an FTDv Cisco firewall in AWS, which is working for any Outbound traffic from my VPC, but heres something Im not sure exactly how its done. I got an SFTP Server in my VPC which I need to send files too from the internet, but instead of assigning a Public Address like AWS does already, I want that Inbound traffic to go through my FTDv Firewall. However as far as Im reading you can only have 1 EIP per Interface, so I have no way to do the NAT on the FTDv if I only have the EIP of the outside interface. Is there a way to do this like have a pool of addresses assigned to the FTDv so I can use IPs from that pool to configure NATs for my SFTP Servers Inbound traffic? Thanks in Advance!

Hi, I am currently trying to set up an ec2 instance with Application load Balancer however I'm getting a 504 gateway time-out error. I have enabled apache keep alive settings with a greater number than the timeout setting of the ALB, just as indicated from AWS Doc. However the issue is persistent. I have checked that I'm using the same Security group which I am. The Listeners in my ALB are set to only the HTTPS and forwarded to my target group.When i visit the target group the health status details says " health checks failed ". What else can I check please ?

I'm running my websites in EC2 instance under the NLB [e.g. User (port/443) -> NLB (SSL offload) -> Auto SG -> EC2] On the LB, when I add a listener [e.g. port/80] then automatically my EC2 instance is not reachable from NLB to EC2. Even, if I revert back to the added port/80, still it is not reachable of the EC2 instance. however, I can access the EC2 instance with SSH and there are no issues at all. Even, If I terminate the EC2 instance and my Auto SG will create a new EC2 instance, but still not reachable via the NLTB So, what I'm doing here to make it reachable via NLB all way to the EC2 instance as follows; I'll terminate the EC2 instance and wait for a while to auto-create by Auto Scaling Group and then check whether it is reachable or not. If not reachable, do it again to terminate the process of the EC2 instance. So is there any workaround for this instead of keeping on terminating the EC2 instance?

Centuries ago there lived-- "A king!" my little readers will say immediately. No, children, you are mistaken. Once upon a time there was a piece of wood. It was not an expensive piece of wood. Far from it. Just a common block of firewood, one of those thick, solid logs that are put on the fire in winter to make cold rooms cozy and warm. I do not know how this really happened, yet the fact remains that one fine day this piece of wood found itself in the shop of an old carpenter. His real name was Mastro Antonio, but everyone called him Mastro Cherry, for the tip of his nose was so round and red and shiny that it looked like a ripe cherry. As soon as he saw that piece of wood, Mastro Cherry was filled with joy. Rubbing his hands together happily, he mumbled half to himself: "This has come in the nick of time. I shall use it to make the leg of a table." He grasped the hatchet quickly to peel off the bark and shape the wood. But as he was about to give it the first blow, he stood still with arm uplifted, for he had heard a wee, little voice say in a beseeching tone: "Please be careful! Do not hit me so hard!" What a look of surprise shone on Mastro Cherry's face! His funny face became still funnier. He turned frightened eyes about the room to find out where that wee, little voice had come from and he saw no one! He looked under the bench--no one! He peeped inside the closet--no one! He searched among the shavings--no one! He opened the door to look up and down the street--and still no one! "Oh, I see!" he then said, laughing and scratching his Wig. "It can easily be seen that I only thought I heard the tiny voice say the words! Well, well--to work once more." He struck a most solemn blow upon the piece of wood. "Oh, oh! You hurt!" cried the same far-away little voice. Mastro Cherry grew dumb, his eyes popped out of his head, his mouth opened wide, and his tongue hung down on his chin. As soon as he regained the use of his senses, he said, trembling and stuttering from fright: "Where did that voice come from, when there is no one around? Might it be that this piece of wood has learned to weep and cry like a child? I can hardly believe it. Here it is--a piece of common firewood, good only to burn in the stove, the same as any other. Yet--might someone be hidden in it? If so, the worse for him. I'll fix him!" With these words, he grabbed the log with both hands and started to knock it about unmercifully. He threw it to the floor, against the walls of the room, and even up to the ceiling. He listened for the tiny voice to moan and cry. He waited two minutes--nothing; five minutes--nothing; ten minutes--nothing. "Oh, I see," he said, trying bravely to laugh and ruffling up his wig with his hand. "It can easily be seen I only imagined I heard the tiny voice! Well, well--to work once more!" The poor fellow was scared half to death, so he tried to sing a gay song in order to gain courage. He set aside the hatchet and picked up the plane to make the wood smooth and even, but as he drew it to and fro, he heard the same tiny voice. This time it giggled as it spoke: "Stop it! Oh, stop it! Ha, ha, ha! You tickle my stomach." This time poor Mastro Cherry fell as if shot. When he opened his eyes, he found himself sitting on the floor. His face had changed; fright had turned even the tip of his nose from red to deepest purple.

We have a quite simple webapp infrastructure: 2 backend EC2 in a target group, internet facing ALB and CloudFront. Session stickiness is turned on on the target group. When we have only one default behavior with Managed-CachingDisabled and Managed-AllViewer policies session stickiness is fine. Obviously this doesn't cache anything. When I add a new behavior to cache resources in media folder session stickiness doesn't work any more. This policy uses one query string param in cache key, otherwise it is like Managed-CachingOptimized both CF and ALB on HTTPS, same SSL cert installed on both. I don't really understand why stickiness stops working even if we have AWSALB cookie on cached items too. Please let me know if you need any other details.

** Background** Hello. I spent 2 days solving my problem, reading AWS docs and articles on different sites without any luck. I have EC2 instance which is connected to Application Load Balancer(ALB) with HTTP listener, and I use Autoscaling Group(ASG) for this ALB. I'm trying to set the lowest latency as possible between Target Group(TG) healthcheck status "unhealthy" and new ready running instance, running by ASG. Instance start up from "Golden Copy" AMI and it come ready in 60 seconds. My settings for TG are next: ``` Health Check Interval Seconds: 10 Health Check Timeout Seconds: 6 Healthy Threshold Count: 3 Unhealthy Threshold Count: 3 Deregistration Delay: 0 ``` So, I connect with ssh to instance, make some changes in web server config to forcefully respond with 404 status for health check. Health status on TG changes to "unhealthy" in approximately 15-20 seconds. **Problem** The problem is that it takes 80-90 seconds for Health status to be changed to "unhealthy" in ASG, on Instance management page. And ASG triggers instance replacement only in 80-90 seconds, which is too much. **Question** How to decrease latency between TG health status and ASG health status?

I'm using the AWS console to create an ECS service (using fargate) in an existing cluster. In the second step of the wizard (configure network) I choose an existing application load balancer. The "container to load-balance" section shows my container to add. When I click "add to load balancer" it initially shows the "production listener port" and "target group name" dropdowns showing "create new". When I select an existing target group in the dropdown this grays out (disables) the "production listener port" dropdown. When clicking the "next step" button validation complains the "production listener port" is not filled in (validation message: "please select a listener"). Which isn't possible because the control is disabled. First selecting a listener port in the wizard and switching to an existing target group after that doesn't remedy the situation as choosing an existing target group blanks out and disables the "production listener port" dropdown causing the same problem when clicking the "next step" button. How to get the container to register in an existing target group? **Update** The target group is an empty IP address group. Interestingly it does work if the target group is not empty (the "production listener port" is then filled with 443:HTTPS) but an empty target group (even of the correct type) clears the "production listener port". **Reproduction** 1. Create a new target group of type "IP address" leaving other default settings. Do not register any targets in this group. 2. Next add this target group to a (new or existing) load balancer (for testing I added the group to an existing load balancer with a single source IP address filter e.g. 192.168.1.1/32 so it doesn't disrupt normal operations). 3. When creating a new ECS service select a task definition that has a container with an exposed port 80. 4. On the second screen "Configure Network" choose the VPC and subnets and under "Load balancing" pick "Application load balancer". 5. Select the load balancer to which you added the empty target group. 6. Now click "Add to load balancer" next to the container. This shows the "Production listener port" and "Target group name" dropdowns both initially set to "Create new". 7. Choosing the empty target group disables the "Production listener port" dropdown and clears it. 8. If the target group is not empty the "Production listener port" is automatically filled with the correct port.

Hi guys, I have a question regarding to NAT instance. Here is what I am trying to do: I have a VPN tunnel setup between my home environment and AWS. I want to use NAT gateway to route traffic depending on IP address and port number. In example: If traffic from my site to AWS comes to address 1.1.1.1 (public) on port 22 it should go to NAT instance and NAT instance should send it to 192.168.1.1 (private address). If traffic from my site to AWS comes to address 1.1.1.1 (public) on port 23 it should go to NAT instance and NAT instance should send it to 192.168.1.2 (private address). If traffic from my site to AWS comes to address 1.1.1.2 (public) on port 22 it should go to NAT instance and NAT instance should send it to 192.168.1.4 (private address). Is this doable with a NAT instance? I do know that ports forwarding definitely is, how about IP?

Hi everyone, im kinda new on aws so i'm sorry if what i'm about to ask is trivial. I have successfully created a beanstalk environment with a public load balancer to which I can connect pubblicy both through the beanstalk url and through the load balancer url in http and https. I would now like to connect everything to cloudfront but when I try to add the origin domain I don't see the load balancer created in the list, but only the S3 beanstalk create for logging. the services are all in the eu-south-1 region. what i dont undestand is why if i create a load balance in any other region it seems cloudfront see it immediately. Is there some kind of limitation on the region eu-south-1 for load balancer or am i doing something wrong? What could be the causes? Thanks for support Kind Regards

Hi All, I am currently understanding the basics of ECS Auto Scaling and am confused how many load balancers of what schemes ("internal" or "internet-facing") are required to create a cluster which is ASG aware using capacity provider. If I have configured a load balancer in service (scheme-'internet facing' with target group 'IP address'), Do I need to configure a load balancer in Auto Scaling Group? If Yes, then of what schemeand target group? My understanding though not tested is when both the load balancers are configured, the LB of ASG, let's say ASG-LB, will be 'internet-facing' with target group of 'instances'. The LB of Service, let's say S-LB, will be 'internal' with target group of 'IP Address'. When a request is send to the cluster, ASG-LB will direct the request of a particular instance depending on the traffic and S-LB will direct the request to a particular task inside of that instance. I would like to know whether I am correct? If not, then please help me understand how the traffic is routed in the cluster with this two load balancers? Thanks, Priyam Mehta

There's requirements that we need to use ALB in front for path fwd+rewrite at the same time, We expect to use same fqdn, and use path to separate environment for dev, uat, and prod. For Example: app.com/dev/service1 -> Rewrite to -> service1.app.dev-aws-sg.domain.com/service1 app.com/uat/service1 -> Rewrite to -> service1.app.uat-aws-sg.domain.com/service1 app.com/prod/service1 -> Rewrite to -> service1.prod.dev-aws-sg.domain.com/service1 What should be the good approach for this specific scenario. Thank you in advanced.

Hello everyone, I am a junior front end developer and I am trying to solve the redirect from HTTP to HTTPS on Classic Load Balancer of my angular universal app. Unfortunately my level of knowledge does not allow me to use nginx ( https://aws.amazon.com/it/premiumsupport/knowledge-center/redirect-http-https-elb/ ) , and about node.js (https://gist.github.com/hareeqi/dcc0d409db57668294a7f0d8970aa1e4) I am at the beginning of the study and my knowledge is insufficient to solve the problem. Is there anyone who had the same problem and solved it by following other paths? Does anyone know specific tutorials or can help me by sharing some knowledge? Thanks

I'm trying to turn on ALB access logs conditionally using CloudFormation as follows: ``` LoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Name: !Join ['-', [!Ref 'AWS::StackName', ALB]] Type: application IpAddressType: !If [DoEnableIPv6Support, dualstack, ipv4] Scheme: internet-facing Subnets: - !Ref PublicSubnet1 - !Ref PublicSubnet2 - !Ref PublicSubnet3 - !Ref PublicSubnet4 - !Ref PublicSubnet5 - !Ref PublicSubnet6 SecurityGroups: - !Ref ALBSecurityGroup LoadBalancerAttributes: - Key: access_logs.s3.enabled Value: !If [EnableLoadBalancerAccessLogs, "true", "false"] - Key: access_logs.s3.bucket Value: !If [EnableLoadBalancerAccessLogs, !Ref AccessLogsBucket, ""] - Key: access_logs.s3.prefix Value: !If [EnableLoadBalancerAccessLogs, !Sub "${AWS::StackName}-ALB", ""] Tags: - Key: 'Stack' Value: !Ref 'AWS::StackName' ``` However, when `EnableLoadBalancerAccessLogs` is false, I'm running into this error: ``` The value of 'access_logs.s3.bucket' cannot be empty (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: ValidationError; Request ID: REDACTED; Proxy: null) ``` The condition `EnableLoadBalancerAccessLogs` was defined as follows: ``` EnableLoadBalancerAccessLogs: !Not [!Equals [AccessLogsBucket, ""]] ``` I've also tried some potential workarounds for `LoadBalancerAttributes`, like ``` LoadBalancerAttributes: - Key: access_logs.s3.enabled Value: !If [EnableLoadBalancerAccessLogs, "true", "false"] - !If - EnableLoadBalancerAccessLogs - Key: access_logs.s3.bucket Value: !Ref AccessLogsBucket - !Ref AWS::NoValue - !If - EnableLoadBalancerAccessLogs - Key: access_logs.s3.prefix Value: !Sub "${AWS::StackName}-ALB" - !Ref AWS::NoValue ``` or ``` LoadBalancerAttributes: !If - EnableLoadBalancerAccessLogs - - Key: access_logs.s3.enabled Value: "true" - Key: access_logs.s3.bucket Value: !Ref AccessLogsBucket - Key: access_logs.s3.prefix Value: !Sub "${AWS::StackName}-ALB" - !Ref AWS::NoValue ``` but none of them worked. [CloudFormation docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-loadbalancerattributes.html) says > access_logs.s3.bucket - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket. Is this a bug in AWS API?

The University that I work for has its own DNS servers. They are older and need an IP address to point to for the zone apex record. DNS migration is not an option. We have a site in AWS Amplify. We want to use the Amplify website for our root domain, "example.edu". RFC 1034 says that the zone apex must be an A Record, and not a CNAME. According to the article at https://aws.amazon.com/blogs/networking-and-content-delivery/solving-dns-zone-apex-challenges-with-third-party-dns-providers-using-aws/, there are three options: Route53, Elastic IPs with EC2 instances, and Global Accelerator. Since we are using AWS Amplify, we can't do the EC2 option. The Route53 option won't work with our old DNS server, which only works with IP addresses. The third option is to use AWS Global Accelerator and an Application Load Balancer (ALB) which does a 301 redirect to our Cloudfront distribution that has the custom SSL cert for our Amplify instance. When we point our DNS at the IP associated with AWS Global Accelerator, the redirect is working, but the URL is showing the Cloudfront distribution instead of example.com. I was told that whitelisting the Host header would fix this, but it just returns a 403 error saying that the request could not be satisfied. I am not sure if I am on the right track and need some adjustment somewhere, or if I need to do something completely different.

Hello. via terraform I've created a stack with EKS. On EKS I did setup aws-load-balancer-ingress-conotroller and traefik. Before to destroy everything via terraform I didn't delete the 2 pods for my alb and traefik service. Doing so I'm not able to delete the eni created by these process. I'm root in my account and I run also the following command ``` aws ec2 detach-network-interface --attachment-id eni-attach-xxxxxxxx --force An error occurred (AuthFailure) when calling the DetachNetworkInterface operation: You do not have permission to access the specified resource. ``` Also I've a basic account, so I cannot contact the support in order to ask them to delete for me. Can please someone shed some light ? Thanks

I started using ELB (Network) but now the webpage of the server is no longer working. I added port 443 and 80 as listeners and even bought an SSL for the 443 TLS port but still nothing. The server's SSl cert is from lets encrypt. If I type the IP address of the server in the URL, it works but with the network load balancer, it does.t What can I do?

Hi, I use Elastic Beanstalk to deploy my node app, and I also use Codepipeline with github. Recently my website working super slow and Elastic Beanstalk Enhanced health overview is in Severe status. The causes are; ELB processes are not healthy on all instances. ELB health is failing or not available for all instances. Process default has been unhealthy for xx minutes (Target.Timeout). I googled this issue but I cant find any suitable solution. I changed the instance type, but still same problem. Also I delete everything and create again, but nothing changed. Please help me Thanks

Hello, with my billing Dashboard, I'm getting 0.5 dollars daily for usage of Ec2-ELB for two days, even without any declared loadbalancer or accessing to my account. How I can find the source of this consumption I looked in EC2 load balancer I don't find any ELB Can you please advise ?

Hi, We are having two microservices running in separate containers in ECS cluster, we are getting "connection reset" error in microservice when it tries to call another microservice over REST. We are using Elastic Load Balancer and we verified that idle timeout on ELB is sufficiently large. Does anyone faced this issue before? Any pointers will be helpful. Thank You in advance. Vishwas

I'm new to Cloud/DevOps stuff. I have dockerized a wordpress website where site runs on a one container and mysql db running on a different container. I have the code hosted on github. This I imagine to be a high volume website and I need to be highly available and horizontally scalling. Also I want the application to be in a pipeline so that when I make changes to the code, the updates get automatically pushed to the running website. I want to host the application on AWS. Being a student, I have little idea in setting this up on AWS. Could anyone help me or direct me to the right direction?

i have already set up loadBalance to my server but i can't access my server by using this address: https://arabbit.link/srch2021.html i can access http:/arabbit.link/srch2021.html it's hard to apply https to my server!!

Hi, I have created an Alias entry in Route53 for a hosted zone as an A record. The application can be accessed directly through ALB DNS Name and also if I prefix `dualstack.` in the DNS Name, but I can't access it through the DNS record. I have tried to investigate using `dig` and I get an NXDOMAIN status. Thanks in advance

The Global Accelerator currently does not support client IP preservation for Network Load Balancer endpoints. Is anyone aware of the reason behind this and if AWS plans to support it?

Is it possible to load balance (NLB) a storage gateway hosted on EC2 for high availability? Specifically, I am looking to see if its possible to deploy a File Storage Gateway on two EC2s in two AZs, connect them to a single file share in S3 and mount an NFS volume by pointing to an NLB which load balances the traffic to the two File Storage Gateways creating a single logical File Storage Gateway. See attached diagram for more info [image](https://d2w6lw9uck9fo7.cloudfront.net/image.png)

I am looking for ways to architect AWS Load Balancers (ELB/ALB) and API Gateway together. I want to authorize requests (e.g. using JWT) coming to my API service, which means incoming requests should first arrive to API Gateway for authorization. If the request is authorized, then the request is forwarded to a Load Balancer, which will allocate my request to an EC2 farm. API Gateway supports 10,000 requests per second. So in order to scale higher, I will need multiple API Gateways in a region. In this scenario I would need a load balancer to balance the requests among multiple API Gateways, right? So essentially a request needs to go through ELB/ALB -> API Gateway -> ELB/ALB before it gets to my EC2 instance to process the requests. That is 3 hops! Is there a better way to do this?

As part of a conversation about whether or not we need end to end TLS, I am trying to understand the **communication path between an ALB and the ECS Fargate tasks it targets**. I'm assuming the ALB and service tasks are hosted on completely distinct instances? Are these instances logically part of my VPC or not? Is the traffic confined to my VPC or does it go via AWS network's? I am arguing there is nothing to gain with TLS between ALB and services, as long as we trust AWS network, but I cannot find official document to support my argument, other than a SO thread from a AWS employee. Can anyone shed some light? Thanks

I have 1 unused certificate that the aws console will not allow me to delete. I get an error that it is associated with resources associated with a deleted API Gateway. See message below. I already contacted AWS basic support and they directed me back to post here. Here is someone that experienced the same issue and was directed back to Support. It seems nobody can help with this. https://repost.aws/questions/QU63csgGNEQl2M--xCdy-oxw/cant-delete-certificate-because-there-are-dangling-load-balancer-resources Please delete this certificate if able. The arn is below. ``` Certificate is in use The certificate (e2cb6304-2481-4102-a299-01c2a6314819) is in use (associated with other AWS resources) and cannot be deleted. Dissociate the certificate from each resource in the list and try again. Associated resources arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-678/e592024281bf27ef arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-696/64bd9edeaac06342 arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-787/f026c77ee68b958c ```

I am looking at using the feature of having an ALB as a target of a NLB. The options for health checks are using HTTP/HTTPS. How do the health checks work for example if the target ALB is using host-based routing? You don't have an option to specify a full hostname for it to go to? Would a health check just going to https 443 with a default path of / work?

Hello, How can i change the PTR(Reversr DNS) for lightsail instance static IP ? Any help will be appreciated. Thanks

I have an application load balancer which is an internal-facing load balancer, this load balancer doesn't evaluate rules at all, it only executes one rule (and the default rules) no matter what the Host/rule URL is. setup: Route53: - hosted on AWS - Domain x.com (public and private) are pointing to myLB, CNAME records not aliases LoadBalancer: - application load balancer - schema: an internal-facing load balancer (with 2 public subnets associated with it) - multiple rules based on different subdomains (different host URLs) - 443 and 80 listeners. - redirect all 80 to 443 - rules limit increased to 200 **The Problem:** LoadBalancer only executes the rule for x.x.com, when I try y.x.com it also executes x.x.com, if I removed x.x.com rule it will only execute the default rule, I do not know why it ignores all other rules. what can be the issue?

Hi, We have a beanstalk setup that is running for quite some time without bigger issues. Since mid December we are seeing that the hosted application becomes randomly unavailable multiple times a day. These outages are about 5-10 minutes long. It is really hard to nail down, but it looks like the instances are becoming unusable and it takes some time to spin them up again. To decrease the impact on our customers we moved to have at least two instances running, but now we are seeing both instances dying at the same time. We had also multiple occasions where the system didn't recover and we had to remove them manually to get everything back up and running again. Today we finally saw an error message when it happened: > Service:AmazonCloudFormation, Message:Resource AWSEBAutoScalingGroup does not exist for stack awseb-e-qa3p27em2p-stack Any help would be appreciated. Thanks

So I have constant build issues with my frontend deployment, and it happens to be that is throwing, in some random manner, 502 errors from my ELB. I can't see any kind of error happening in my servers, so I guess it has to do with the ELB service directly. Do you have any idea what can I do next?

Our services are called from the websites of our customers. We use ALB to balance and forward requests to the final targets. Some of our services require session stickiness. AWSALB* cookies are created in our own domain, so they are considered 3rd party cookies (which they are, in fact). However, this is huge a problem, since we cannot serve clients with 3rd party cookies blocked in their browsers. How can we handle this? Is there a way to keep session stickiness without those cookies? Thanks in advance.

We have an IoT device that connects to our MQTT broker behind the NLB. We are keeping the connection between IoT device and broker by utilising MQTT Keep Alive time and brokers heartbeat intervals. Our IoT device sleeps most of the time. It wakes up in the following situations. Whenever it wants to send PINQREST(every 340s -MQTT Keep Alive time) sends it to the broker. Other microservices publish some data, and brokers send that information to IoT devices. Our objective is to sleep the IoT device as much as possible and maintain the connection to save the battery. ***Problem: ***Normally, this particular IoT device sleeps most of the time. Our objective is to keep it sleeping as much as possible while maintaining a connection between IoT Device and the MQTT broker. The problem is that IoT Device continuously wakes up every 20s whenever the broker sends some downstream data to the IoT device. This usually happens whenever IoT Device receives downstream data from a broker. Based on our vendor's packet analysis, we found that NLB sends 120 bytes of TCP Keep-alive packets to IoT devices every 20s right after the broker publishes some downstream data. This is entirely sent by NLB and not by the broker. ***Only happen in TLS : ***We found that this happens if we use TLS(8883) in NLB and terminate the TLS in NLB. If we remove the TLS, add the listener on a non-secure port (1883), and forward the traffic to Target's non-secure port, things are working as expected, and there are no 20s wake-up or keep-alive packet sent by NLB every 20s. We also tested the same setup with CLB in an SSL port. It works without any problem and does not send a keep-alive to the client (IoT device). We have removed the TLS and opened the non-secure port as a temporary workaround. Why does NLB send keep-alive packets every 20s if we use TLS ? is this an intended behaviour of NLB? Any idea how we could resolve it? ***The overview of the cloud setup: *** * MQTT broker runs in ECS Fargate * Multi-AZ * Broker in a private subnet NLB is in between * Client (IoT device) and Target(MQTT Broker) * NLB idle time keep resetting by two things * Keep alive time sent by Client(IoT device) every * 340s Heartbeat time published by Target (MQTT Broker)every 340s Connection remains open NLB offload the TLS in port 8883 and forward the traffic to target port 1883