Questions tagged with Application Load Balancer

I am very new to AWS so I appreciate any help in advance but was wondering if its required for a Elastic Beanstalk Environment to have a public ip / elastic ip address? I have a loadbalancer that is set up to point to that elastic beanstalk instance but whenever I remove the elastic ip (I'm messing around seeing what does what) it starts to fail the health checks. It will even fail if a specify IP address type target group and provide the private IP address. The security groups look alright and allow traffic from the LB sec group to the instance sec group over the health check port. So I'm curious if you have to have your elastic beanstalk ec2 instance exposed with a public IP for the load balancer to register it or is there a way to keep all of that behind the curtain and just have the LB communicate with the instance via the instances private ip address?

How to make ALB seamlessly and instantly re-forward HTTP request to a healthy target? I am trying to configure ALB to seamlessly forward HTTP requests to another healthy target when the original target is unavailable, but not yet marked unhealthy. But I get Gateway error 502 until 2 unsuccessful healthchecks happen and the target is marked unhealthy. I have 1 ALB, 1 target group, 2 targets that pointed to 2 IPs in separate VM instances. Session stickyness is on. App cookie JSESSIONID. Tomcat is configured for Clustering. Scenario: 1. start Tomcat at node A 2. browse app http: //My-ALB-link/examples/jsp/jsp2/simpletag/hello.jsp. Node A responds. 3. start Tomcat at node B. wait until ALB marks target healthy 4. stop Tomcat at node A and quickly refresh browser - get error 502 Bad Gateway 5. wait a minute, refresh browser. Node B responds. How to configure ALB to instantly re-forward HTTP request to another node if the first node happen to be unavailable? User's wont wait while ALB makes 2 healthchecks and marks a node unhealthy. thanks, Mark

I'm provisioning a private MWAA and setting a public access through ALB (with ACM and custom domain ), following [this documentation](https://docs.aws.amazon.com/mwaa/latest/userguide/vpc-vpe-access.html#vpc-vpe-access-load-balancer). Domain and certificate are working, SSO login works, but redirect after login sends browser to private URL (which causes a timeout error). The only information I can find is [this one](https://repost.aws/questions/QU-inYMakLQmGJo-M6IhGkZA) but the link to another answer is broken I also checked the Airflow documentation. . There is a key called [webserver.base_url](https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#base-url) but it doesn't seem to work. The URL at the login screen looks fine: `https://my-custom-domain/aws_mwaa/aws-console-sso?next=https%3A%2F%2my-custom-domain%2Fhome`

I deploy AWS Load Balancer Controller and it creates and configures an application load balancer when I deploy an ingress, which is very convenient. However, the application load balancer is only created when an ingress.yaml is deployed, not when the controller is deployed. Is there a way of forcing the load balancer to be created on deployment of the Controller, before any ingresses have been deployed? I have several spring boot projects and an OAuth server deployed on my cluster - the spring boot projects' deployment require the OAuth2 server's URL. This requirement forces the deployment of the OAuth2 server separately, in order to configure/discover its hostname, before the other projects deploy. Ideally, I would like to deploy everything at once..

I'm quite new at AWS and use mostly the console to build my project. I have placed a containerized Streamlit web app in an AWS EC2/ECS instance beyond an ALB (https listener with session timeout 3960 secs.) and let users access it through Cognito authentication with Authorization code grant. Everything works fine, users are allowed to the app. Now, I would like users to be authomatically logged out after 60 minutes and redirected to the signout URL. I've set the refresh token expiration at 60 min., the access token and ID token expiration at 5 min. However, the backend continues delivering data to logged in users even after 60 minutes, so my idea doesn't work. Then, I've implemented a Lambda function with admin_user_global_sign_out but it doesn't work either: users do still get data from the backend. I'm wondering what I shall do and looking for a solution that I can implement using the AWS console so that the procedure is clear to me. Thank you for any help.

I create a ECS service using EC2 instances, then i create an Application Load Balancer and a target group, my docker image the task definition its using follow configuration: ```json { "ipcMode": null, "executionRoleArn": null, "containerDefinitions": [ { "dnsSearchDomains": null, "environmentFiles": null, "logConfiguration": { "logDriver": "awslogs", "secretOptions": null, "options": { "awslogs-group": "/ecs/onestapp-task-prod", "awslogs-region": "us-east-2", "awslogs-stream-prefix": "ecs" } }, "entryPoint": null, "portMappings": [ { "hostPort": 0, "protocol": "tcp", "containerPort": 80 } ], "cpu": 0, "resourceRequirements": null, "ulimits": null, "dnsServers": null, "mountPoints": [], "workingDirectory": null, "secrets": null, "dockerSecurityOptions": null, "memory": null, "memoryReservation": 512, "volumesFrom": [], "stopTimeout": null, "image": "637960118793.dkr.ecr.us-east-2.amazonaws.com/onestapp-repository-prod:5ea9baa2a6165a91c97aee3c037b593f708b33e7", "startTimeout": null, "firelensConfiguration": null, "dependsOn": null, "disableNetworking": null, "interactive": null, "healthCheck": null, "essential": true, "links": null, "hostname": null, "extraHosts": null, "pseudoTerminal": null, "user": null, "readonlyRootFilesystem": false, "dockerLabels": null, "systemControls": null, "privileged": null, "name": "onestapp-container-prod" } ], "placementConstraints": [], "memory": "1024", "taskRoleArn": null, "compatibilities": [ "EXTERNAL", "EC2" ], "taskDefinitionArn": "arn:aws:ecs:us-east-2:637960118793:task-definition/onestapp-task-prod:25", "networkMode": null, "runtimePlatform": null, "cpu": "1024", "revision": 25, "status": "ACTIVE", "inferenceAccelerators": null, "proxyConfiguration": null, "volumes": [] } ``` The service its using ALB and its using same Target Group as ALB, my task its running, and i can access using public ip from instance, but the target group does not have registered my tasks.

Hi, We are Using Application Load Balancer for our website, We have configured it as below, 1. Two Client instances ( client-A and client-B ) for Front-End 2. Two Server instances ( server-A and server-B ) for Back-end If we use 2 instances for the client & **single instance** for the server, then every WebSocket **Subscription is working fine **But if we switch it to 2 instances for clients & **2 instances** for the server, then the **WebSocket subscriptions are not working **at all. Kindly let us know, Is there any methods available to handle web-socket using Load Balancer on AWS, If yes, then kindly guide us to sort out this issue. We also want to know, To which instance the WebSocket request is entering and from which instance the response is coming out. So kindly help us. Thanks in Advance...

My application allows uploading files with several simultaneous requests. Requests arrive at the CDN, go to the load balancer, and the load balancer passes them on to the API docker container, which is on the Elastic Container Service (ECS). Some requests complete successfully, others give 504 and 502 errors, intermittently. When I change the CDN origin to go straight to the container, all requests work with fast response. So I think the problem is in the Application Load Balancer. I already increased the idle timeout in the ALB, but the problem remains the same. I also tried increasing the Origin Connection Timeout in CloudFront, but it didn't work either. I have only 1 Docker container in the service. Can someone help me on this issue? Best regards! Fernando

Hi, I have this ingress configuration: ``` apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: "oidc-ingress" annotations: kubernetes.io/ingress.class: alb alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/target-type: ip alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]' alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=300 external-dns.alpha.kubernetes.io/hostname: example.com !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! alb.ingress.kubernetes.io/auth-type: oidc alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://login.microsoftonline.com/some-id/v2.0","authorizationEndpoint":"https://login.microsoftonline.com/some-id/oauth2/v2.0/authorize","tokenEndpoint":"https://login.microsoftonline.com/some-id/oauth2/v2.0/token","userInfoEndpoint":"https://graph.microsoft.com/oidc/userinfo","secretName":"aws-alb-secret"}' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! spec: rules: - http: paths: - pathType: Prefix path: / backend: service: name: ssl-redirect port: name: use-annotation - pathType: Prefix path: /jenkins backend: service: name: jenkins port: number: 8080 - pathType: Prefix path: / backend: service: name: apache port: number: 80 ``` If I `kubectl appy` this `Ingress` config it will apply `annotations` to all routing rules, which means: ``` /* /jenkins /jenkins/* ``` I would like to apply `OIDC annotations` only for the `Jenkins rules`, it means: 1. If I open `https://example.com` it will be available to everyone. 2. If I open `https://example.com/jenkins`, it will redirect me to `OIDC auth` page. I can do this manually through `AWS console` when I remove `authenticate rule` from `/*` and leave it for `/jenkins/*` only. However I would like to achieve this through `Ingress annotations` to be able to automate this process. Please how can I do this? Thanks for your help.

I am trying to setup HTTPS end-to-end connection from my browser to a server running on an EC2 instance through ALB. The front-end connection from my browser to ALB goes through fine. But, the ALB to back-end TLS handshake fails as server_name extension (SNI information) is not sent by ALB during TLS Client Hello handshake (as I see in packet-capture). Is there a way to forward SNI information received from front-end https connection by ALB to the back-end https connection too?

TLDR: I inherited a Wordpress site that I now manage that had a DevOps deployment pipeline that worked when the site was low to medium traffic, but now the site consistently gets high-traffic and I'm trying to improve the deployment pipeline. The site I inherited uses Lightsail instances and a Lightsail load balancer in conjunction with one RDS database instance and an S3 bucket for hosted media. When I inherited the site, the deployment pipeline from the old developer was: *Scale site down to one instance, make changes to that one instance, once changes are complete, clone that updated instance as many times as you need* This worked fine when the site mostly ran with only one instance except during peak traffic times. However, now at all times we have 3-5 instances as even our "off-peak" traffic is really high requiring multiple instances. I'd like to improve the deployment pipeline to allow for deployment during peak-traffic times without issues. I'm worried about updating multiples instances behind the load balancer one by one sequentially because we have Session Persistence disabled to allow for more evenly distributed load balancing. And I'm worried a user hopping to different instances that have a different functions.php file will cause issues. Should I just enable session persistence when I want to make updates and sequentially updates instances behind the load balancer one by one? Or is there a better suited solution? Should I move to a containers setup? I'm admittedly a novice with AWS so any help is greatly appreciated. Really just looking for general advice and am confident I can figure out how to implement a suggested best-practice solution. Thanks!

Hi. I have a ec2 instance (not Lightsail) working behind a Load Balancer. Apache, PHP-FPM are installed and WordPress (or any PHP code) is working mostly fine. However if I try to run code using curl I get a 504 Gateway Timeout. WordPress Site Health also fail because of the same issue. Issues like: - Error: cURL error 28: Failed to connect to fakedomainforthispost.com port 443 after 7503 ms: Connection timed out (http_request_failed) - Your site is unable to reach WordPress.org at 198.143.164.251, and returned the error: cURL error 28: Connection timed out after 10001 milliseconds - The loopback request to your site failed, this means features relying on them are not currently working as expected. Error: cURL error 28: Failed to connect to fakedomainforthispost.com port 443 after 7503 ms: Connection timed out (http_request_failed) If I run curl as a command in ssh works fine. If I run curl as code inside a php file I get the 504 Gateway Timeout. I tried setting the KeepAlive rules bigger than the ELB Idle time with no success. If I clone the ec2 instance and run outside the Load Balancer, curl in php works fine. The load balancer allows ports 80 and 433 and the connected Target group communicates to the instances using port 80. The rest works fine. Kind Regards, D.

We have an elasticbeanstalk application with alb speaking to an ec2 instance in Virginia. The application latency is in itself less than 100ms but the initial connection (dns + tcp + ssl) is taking 600ms and 300ms is for the ttfb(of which 100ms is due to the app).So overall its taking 900ms. The subsequent requests are taking 300ms. To optimise and reduce the initial connection time, we used cloudfront in front of the alb without any caching as ours is dynamic content. So we used cloudfront just for ssl termination.That helped in reducing the initial connection time to 120ms.But now the ttfb increased to 800ms. My assumption is that cloudfront is setting up a new connection(ssl) to the origin server for every request and that is increasing the latency and is now worse than without having cloudfront. So is using cloudfront for ssl termination and without any caching is not useful as its making the situation worse? How can we reduce the cloudfront to origin connection times.I increased the keepalive time on cloudfront to 60s, but still its only helping for certain requests and some requests are still taking the regular time(with connection setup to origin) ? How can I measure whats happening between cloudfront and origin ? Without ideally increasing the servers, how can I best achieve reduced latency in the above case.

Hi all, I have an infrastructure consisting of Cloudfront and an ALB as the source of this distribution. I need to direct requests not only to the ALB Target Group but also to redirect requests to an external URL. Anyone have any suggestions on how to fix this issue? Thank you

I am working on a design that will depend on a single alb rule for each one of our customers. I can see that the soft limit for rules is 100. Before I got ahead with this, Id like to know what is the maximum rules I can request?

Hi, I see While creating Loadbalancer, We need minimum two public subnets. Once LB is created, it shows me two IPs of LB Dns URL. Ex - non-authoritative answer: Name: Lb1LoadBalancer-405154402.eu-west-1.elb.amazonaws.com Address: 54.228.29.194 Name: Lb1LoadBalancer-405154402.eu-west-1.elb.amazonaws.com Address: 52.30.70.94 Does it mean these Public Ips are one from each Public Subnet ( or Availability zones) . I also tried using three Availability zones ( Each zone has Public Subnet) . But still DNS only shows Two Public Ips of LB Url. I was expecting it to show 3 Addresses. But it doesn't show that way. Is anything wrong with my understanding ? What will happen if one AZ goes down, Will the DNS still show two Ips ? I am confused. Any one knows ?

Hi, I have finished setting aws ec2 ssl cert to use https://mydomain, but after setting all including application load balance I still get connection refuse if I try to connect with https. Http is working well. I used ssl and domain from outside(imported). So I have done the extra setting for importing domain such as ns forwarding. I can't find any solution. Please help me on this.

I am attempting to setup an MWAA environment inside of a private subnet and using an internal ALB to allow users to access the VPC endpoint that is tied to the web server IP addresses in the subnets that were chosen during environment creation. I am currently coming across an issue where if I access the MWAA UI through the console hyperlink I get sent to a page that say `This site can't be reached`. If I update the URL to include the ALB A-record and MWAA web login token I am able to access the proper page. If I access just the ALB A-record I am sent to a login page for MWAA and sent to the same page where it says `This site can't be reached`. Additional information is here in my stackoverflow question. To me it is almost as if there is some sort of re-direction issue occurring here. As for being able to access the internal ALB I read that users need access to the VPC, what do this mean exactly? https://stackoverflow.com/questions/71798790/aws-internal-alb-is-unable-to-re-direct-to-private-mwaa-webserver

I created an application load balancer a year ago, and it works fine. I created a new target groups and I want to associate it with my load balancer. The issue is simple I can't load the load balancer page in the console using the Load balancer menu (https://us-west-1.console.aws.amazon.com/ec2/v2/home?region=us-west-1#LoadBalancers:). And now even the target group menu doesn't work. I use Firefox 98.0.2 on windows. Any idea?

Hello, I have a load balancer which as you know keeps the health check for the web app/website. I have deployed nothing in my instance means no app/site so when anyone visits the Loadbalancer URL they see a 502 Bad gateway error which is fine. and also in the target group, it shows that an instance has failed the health check but the thing is that the auto-scaling group is not terminating the failed health check instance and replacing it. Below is the Cloudformation code ``` AutoScailingGroup: Type: AWS::AutoScaling::AutoScalingGroup Properties: VPCZoneIdentifier: - Fn::ImportValue: !Sub ${EnvironmentName}-PR1 - Fn::ImportValue: !Sub ${EnvironmentName}-PR2 LaunchConfigurationName: !Ref AppLaunchConfiguration MinSize: 1 MaxSize: 4 TargetGroupARNs: - Ref: WebAppTargetGroup AppLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: SecurityGroups: - Ref: ApplicationLoadBalancerSecurityGroup Subnets: - Fn::ImportValue: !Sub ${EnvironmentName}-PU1 - Fn::ImportValue: !Sub ${EnvironmentName}-PU2 Tags: - Key: Name Value: !Ref EnvironmentName Listener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: DefaultActions: - Type: forward TargetGroupArn: !Ref WebAppTargetGroup LoadBalancerArn: !Ref AppLoadBalancer Port: "80" Protocol: HTTP LoadBalancerListenerRule: Type: AWS::ElasticLoadBalancingV2::ListenerRule Properties: Actions: - Type: forward TargetGroupArn: !Ref WebAppTargetGroup Conditions: - Field: path-pattern Values: [/] ListenerArn: !Ref Listener Priority: 1 WebAppTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: HealthCheckIntervalSeconds: 10 HealthCheckPath: / HealthCheckProtocol: HTTP HealthCheckTimeoutSeconds: 8 HealthyThresholdCount: 2 Port: 80 Protocol: HTTP UnhealthyThresholdCount: 5 VpcId: Fn::ImportValue: Fn::Sub: "${EnvironmentName}-VPCID" ```

Is it possible to have a single elastic IP that can access multiple unique EC2 instances through some means (DNS/Route 53, a load balancer, etc)? For example, a single elastic IP would use DNS to access host01.ex.example.com, host02.ex.example.com, etc. Every instance is in the same region. The [Elastic IP Address Limit Documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-limit) points to AWS [DNS Documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-hostnames) but I was wondering if this is something that can be handled automatically (maybe by the [Route 53 DNS Resolver](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html))?

Hello. I run my instance using **launching configuration** and **autoscaling group**. On the details tab I see: **Health check grace period = 300**. Also, I have a **load balancer** with **target group**. I set up health checks in the target group: **timeout - 5** seconds and **interval - 10** seconds. So, I should get one health check request for every 10 seconds. When I visit a cloudwatch log events, I see, that health checks requests sends too frequently, even I filter it by IP's: ```2022-04-04T15:08:24.043+03:00 2022-04-04T15:08:27.012+03:00 2022-04-04T15:08:31.690+03:00 2022-04-04T15:08:33.899+03:00 2022-04-04T15:08:34.061+03:00 2022-04-04T15:08:43.366+03:00 2022-04-04T15:08:43.898+03:00 2022-04-04T15:08:44.063+03:00 2022-04-04T15:08:45.473+03:00 2022-04-04T15:08:47.303+03:00 2022-04-04T15:08:49.343+03:00 2022-04-04T15:08:53.915+03:00 2022-04-04T15:08:54.067+03:00 2022-04-04T15:08:57.148+03:00 2022-04-04T15:09:02.237+03:00 2022-04-04T15:09:03.913+03:00 2022-04-04T15:09:04.067+03:00 2022-04-04T15:09:13.789+03:00 2022-04-04T15:09:13.920+03:00 2022-04-04T15:09:14.076+03:00 2022-04-04T15:09:15.833+03:00 2022-04-04T15:09:17.460+03:00 2022-04-04T15:09:19.721+03:00 ``` Sometimes I can see 2 health checks in one second. Why? what can I do to fix it?

Hi, AWS Recommends adding cloudfront in front of single server applications for security and performance see https://aws.amazon.com/blogs/networking-and-content-delivery/dynamic-whole-site-delivery-with-amazon-cloudfront/ I want to add it for an existing web app but the max time out of cloudfront is 180 seconds and I have some calls which are longer and will time out. I'm mainly interested in the security upside and less in the performance upside of this setup since this is for a web panel which does not require high speed delivery. My question is - Is it a good solution to add an Application load balancer instead of dynamic cloudfront in front of the server in order to get the security benefits such as hiding the end server IP address , getting WAF and DDOS mitigation without the 180 seconds timeout issue ? Are there downsides to doing it ? Thanks

I'm trying to invoke a Lambda (Java 8) using a DNS endpoint --> ALB --> Lambda as the target group. Lambda does what its supposed to do (Upload a file in S3) upon its invocation but on the postman or curl command i see a 502 error . When i check the ALB logs it says InvalidLambdaResponse My lambda is returning a Map (String , Object). When i print the JSON it looks good as well. What am i missing here ? { "headers": { "Cache-Control": "no-store", "Content-Type": "application/json" }, "isBase64Encoded": "False", "statusCode ": "200", "statusDescription ": "200 OK", "body": "Lambda S3 Upload" }

I have an S3 bucket set up for "Static Website Hosting", a CloudFront distribution with our own SSL certificate and allowing Host header, a Global Accelerator IP address attached to an Application Load Balancer. The Application Load Balancer does a 301 redirect to the S3 bucket. I know that you can set an EC2 instance as a target group and forward to that to preserve the original URL. Can you also preserve the original URL using this method of 301 redirect to a Cloudfront distribution tied to an S3 bucket?

I have an ECS Fargate Service in VPC, which has two private subnets. This service is accessible from the internet through a load balancer, which has public subnets in the same availability zones as the private subnets. The private subnets use a NAT gateway to route traffic to the public subnets. However, I am having issues connecting to a DocumentDB database from the service. The DocumentDB database is in the same VPC as the service. I also have a lambda which uses the exact same private subnets as the service. It can connect to the database without any issues. The service and the lambda use the same connection code. All security groups involved have a rule that allows all inbound and outbound traffic. The private subnets are routed to a NAT gateway which points to public subnets. I believe my issue is somehow related to the subnets. Does anyone have any ideas what I can do in order to connect to the database, without losing my ability to also expose the service to the internet through the load balancer?

### Setup I am using AWS Amplify to host my NextJS app. My backend is a headless CMS called Craft CMS (PHP). The NextJS app is using the GraphQL endpoint from Craft CMS for data fetching. The CMS is in EC2 server. It is connected to an Application Load Balancer. ### Requirement I want to be the only one who can access the CMS since I'm the only one using it. So the EC2 security group's source for HTTP and HTTPs is the ELB security group ID. The ELB security group has my IP for the HTTP and HTTPS traffic. This configuration works. I'm the only one who can access the site. ### The issue The problem is that when Amplify tries to build my frontend app, it's always build error. It seems that the Amplify can not reach the GraphQL endpoint when it tries to build the app. ### Action taken I tried adding `AmazonEC2FullAccess` to the Amplify Service role and it didn't work. ### Temporary workaround I turned on the access logs of the CMS and found the AWS IP of the Amplify app. I then added the IP to the ELB security group to allow access. This works but I don't know how often AWS changes the IP address and I know at point some point it'll break down. ### Question How do we allow Amplify to access the GraphQL endpoint for npm builds? Any ideas is greatly appreciated. Thank you.

Hello, I have been trying to install the AWS Load Balancer Controller add-on as detailed here: https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html (I have pulled the needed image from ECR and pushed it to my own repo..) When I try a helm install dry-run I get the following error: ``` helm install aws-load-balancer-controller eks/aws-load-balancer-controller \ -n kube-system \ --set clusterName=myCluster \ --set serviceAccount.create=false \ --set serviceAccount.name=aws-load-balancer-controller \ --set image.repository=myrepo/aws-load-balancer-controller \ --set image.tag=2.4.1 \ --dry-run Error: unable to build kubernetes objects from release manifest: unable to recognize "": no matches for kind "IngressClassParams" in version "elbv2.k8s.aws/v1beta1" ``` Additional info: ``` helm search repo eks NAME CHART VERSION APP VERSION DESCRIPTION ... eks/aws-load-balancer-controller 1.4.1 v2.4.1 AWS Load Balancer Controller Helm chart for Kub... ... ```

I would like to protect my lightsail instances with a AWS-WAF. For that, I need an EC2 Load Balancer instead of the lightsail one. I´ve implemented the following steps (all with root user): 1. Enable VPC peering in lightsail, on the correspondent zone, let say 'Ireland'. 2. AWS VPC is default and in Ireland. 3. Create a Target Group of type IP Address, on previous default VPC; Network 'Other Private IP Address' and the private address of the lightsail instance (instance has an apache listening on port 80). Checked that targets are 'Healty' on Target Group. 4. Create a LoadBalancer in the Default VPC, with the previous created Target Group, and with zones 'a' and 'b' of Ireland. Zone 'a' is the zone of where the lightsail instance is. 5. On Route 53 created a public hosted zone, with the name of my domain (registered directly in Route 53). 6. Create a DNS A record of type 'Alias', with linked point 'Alias Application Load Balancer', in region Ireland and pointing to previous created Load Balancer (showed for selection with the name of the LB, but wit 'dualstack.' appended to it). 6.1. Also tried resolving the LB DNS and creating the DNS A record to point directly to the IP instead of the 'Alias'. After all these steps, when trying to browse to my domain, I´m getting an "ERR_CONNECTION_TIMED_OUT". Ping to domain resolves to same ip that Load Balancer DNS; Security Groups in AWS allow all traffic; there is route in AWS to internal network of LightSail (created automatically when peering VPCs in step 1); ACL or Firewall are allowing all traffic; on ligthsail all traffic is allowed as well. What I could be missing? At that point and with all the steps reviewed, I can´t not figure out where the issue is.

I'm trying to make the Cognito SSO. I'm already implemented it with Apache Server and it works ! Now I'm trying to do it without Apache, but with Load Balancer which redirect me to the Cognito Authentification. The authentification works, but next I need to do the similar thing to > RequestHeader set CAS-User something Is it possible to do it with Load Balancer or maybe with Lambda Function or another method ?... This header is required by my application. I was searching for CloudFront and LambdaEdge solution, but still can not understand how to get OIDC_Claim from Cognito after a authentification and then set with it my header...

Has anybody had experience with the Amazonbot web crawler? (especially with it looking like a DOS incident) We have a client where their service (hosted on AWS) kept going down until we identified an unusual amount of traffic from an Amazonbot with the User-Agent of "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML\, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)", after blocking it at an Application Load Balancer level via User-Agent Header rules (since modifying the "robots.txt" did not work / wasn't read) the response time of the clients service dropped significantly and has remained up. If anybody knows what generally causes Amazonbot to crawl sites, or how I can identify the cause for this specific client's site, that would be extremely useful, cheers.

there is requirement to create application load balancer with ingress or external traffic going to 2 different port for example port 80 and 81 into EKS Cluster, any sample yaml config file to setup this requirement ? we are trying to create the config using annotation with alb.ingress.kubernetes.io/group.name with two separate rules service port 80 and service port 81, but when trying to run the yaml file the second rules service is overwriting on the ALB Rules. trying to create something similar with this post https://aws.amazon.com/blogs/containers/how-to-expose-multiple-applications-on-amazon-eks-using-a-single-application-load-balancer/ , but the differences is the requirement to have single services with 2 port [ingress] Thanks

We are trying to identify the better math metric logic for the alarm threshold where we build threshold on the request count that is if we receive 100 requests and 10 percent of these return http error code 5XX errors trigger an alarm. Than it must create cloud watch alarm.

I have multiple websites hosted in different environments such as S3 static HTML, self-hosted WordPress on Amazon Lightsail, application on Elastic Beanstalk, and external sites (e.g. Wordpress.com/Wix/Webflow). I want to unify all those applications under a single domain name, let's say `www.example.com`. The routing are using a request path and also a user-agent. The scheme looks like below  If the request, for example, is `https://www.example.com/a`, it will be forwarded (not redirected) to Site A. If the request is `https://www.example.com/d` and accessed with mobile devices, it will be forwarded to Site B, but if accessed with desktop devices, it will be forwarded to Site C. When the request is `https://www.example.com/sitemap.xml` it will be forwarded to a public file stored in S3. One solution that I have in my mind is using ALB with Routing. But ALB only allows 3 kinds of target groups, as far as I know: 1) instance, 2) IP, and 3) Lambda. So I am thinking of targeting Lambda which serves as a proxy to the applications. Something like below.  I am wondering if there are better solutions.

My Cloudformation Template is running into this Error when trying to create a ListenerRule.: >Resource handler returned message: "Invalid request provided: AWS::ElasticLoadBalancingV2::ListenerRule Validation exception" (RequestToken: d24b7617-9302-cf2e-f24c-78293248ea26, HandlerErrorCode: InvalidRequest) the ListenerRule is straight Forward (AllocateAlbRulePriorityCustomResource.Priority returns a number between 1-50000): ``` ListenerRule: Type: AWS::ElasticLoadBalancingV2::ListenerRule Properties: Actions: - Type: forward TargetGroupArn: !Ref TargetGroup Conditions: - Field: host-header Values: - !Ref AppUrl ListenerArn: !Ref ListenerArn Priority: !GetAtt AllocateAlbRulePriorityCustomResource.Priority ``` how can i further troubleshoot and find out why exactly the ListenerRule is failing to be created?

I am using Elastic Beanstalk to deploy my docker container app, I want to route my custom domain to the web server but this domain is a root domain, so I cannot use CNAME, instead I have to use the IP addresses of the application load balancer. But the ALB IP addresses change over time, so I need a static IP address for routing. Currently I managed to do this by hosting a static IP address that redirects *mydomain.com* to *www.mydomain.com* and routing *www.mydomain.com* to the server via CNAME since it's not a root domain. This process is kinda complex. I wonder if there is any simpler method to realize this? Thanks.

Hello, How would I go about setting up an Internet-facing Application Load Balancer for a server running on an EC2 instance. My main purpose for doing this it to assign a certificate requested from AWS Certificate Manager, and also create an alias record with a subdomain pointing to the ALB. The instance has been allocated and assigned a static IP (elastic IP). My problem is that the load balancer does not seem to be able to reach the instance through the target groups. Health checks for the target groups keep failing, even though I can query the Elastic IP separately, and see port 443 respond with HTTP status code 200 with no problems. ``` Health checks failed with these codes: [302] ``` Is this because the EC2 instance has been assigned a static IP? Any help is appreciated!

Hi, I am currently trying to set up an ec2 instance with Application load Balancer however I'm getting a 504 gateway time-out error. I have enabled apache keep alive settings with a greater number than the timeout setting of the ALB, just as indicated from AWS Doc. However the issue is persistent. I have checked that I'm using the same Security group which I am. The Listeners in my ALB are set to only the HTTPS and forwarded to my target group.When i visit the target group the health status details says " health checks failed ". What else can I check please ?

Hi! I've configured an environment in an elastic beanstalk application with an application load balancer so that I can configure a ssl certificate for that endpoint. The name of the load balancer is connected to my dns, which connects the hostname to this load balancer. However, as I've figured out now, this type of configuration does not support the blue/green deployment pattern, because creating a new environment will also create a new load balancer with a new host name. This would also require an update to my dns record - which I want to avoid. I'm now searching for a load balancer in aws which I can connect to the ebs environment url so that the environment swapping mechanism will be possible. I've looked into a shared load balancer - which i.e. I can connect to an ebs environment. But that does not seem to be of help because swapping the environment url will not update the load balancer configuration (I assume, it doesn't let me select a url). What aws load balancing service would allow me to simply point to an environment url and also support tls encryption?

We have a quite simple webapp infrastructure: 2 backend EC2 in a target group, internet facing ALB and CloudFront. Session stickiness is turned on on the target group. When we have only one default behavior with Managed-CachingDisabled and Managed-AllViewer policies session stickiness is fine. Obviously this doesn't cache anything. When I add a new behavior to cache resources in media folder session stickiness doesn't work any more. This policy uses one query string param in cache key, otherwise it is like Managed-CachingOptimized both CF and ALB on HTTPS, same SSL cert installed on both. I don't really understand why stickiness stops working even if we have AWSALB cookie on cached items too. Please let me know if you need any other details.

** Background** Hello. I spent 2 days solving my problem, reading AWS docs and articles on different sites without any luck. I have EC2 instance which is connected to Application Load Balancer(ALB) with HTTP listener, and I use Autoscaling Group(ASG) for this ALB. I'm trying to set the lowest latency as possible between Target Group(TG) healthcheck status "unhealthy" and new ready running instance, running by ASG. Instance start up from "Golden Copy" AMI and it come ready in 60 seconds. My settings for TG are next: ``` Health Check Interval Seconds: 10 Health Check Timeout Seconds: 6 Healthy Threshold Count: 3 Unhealthy Threshold Count: 3 Deregistration Delay: 0 ``` So, I connect with ssh to instance, make some changes in web server config to forcefully respond with 404 status for health check. Health status on TG changes to "unhealthy" in approximately 15-20 seconds. **Problem** The problem is that it takes 80-90 seconds for Health status to be changed to "unhealthy" in ASG, on Instance management page. And ASG triggers instance replacement only in 80-90 seconds, which is too much. **Question** How to decrease latency between TG health status and ASG health status?

Hi, I have purchaced the Fortinet AWS managed rules to protect my EBS environment. I have created this environment with ALB in order to connect WAF with it. Once I add Fortinet managed rules I do not have the option the block these requests but only count. How can this be changed to block in order to protect my environment ?

Hello, I am testing a Wordpress Instance (PHP8) on Elastic beanstalk setup with a load balancer, running through Nginx. When I visit the website regularly, it works fine and I am able to browse the Wordpress instance. I wanted to try to perform a very simple load test, so I am using artillery (https://www.artillery.io/) as a load/smoke tester. As soon as the load on the server rises the server starts returning 502 responses. I've taken a look at the logs and I am seeing this. > ---------------------------------------- /var/log/nginx/access.log ---------------------------------------- 10.0.0.20 - - [08/Feb/2022:20:45:56 +0000] "GET / HTTP/1.1" 499 0 "-" "Artillery (https://artillery.io)" "IP-ADDRESS" > 10.0.0.20 - - [08/Feb/2022:20:45:57 +0000] "GET / HTTP/1.1" 499 0 "-" "Artillery (https://artillery.io)" "IP-ADDRESS" The error log says: > ---------------------------------------- /var/log/nginx/error.log ---------------------------------------- 2022/02/08 20:45:44 [error] 2882#2882: *1656 connect() to unix:/run/php-fpm/www.sock failed (11: Resource temporarily unavailable) while connecting to upstream, client: 10.0.0.20, server: , request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/www.sock:", host: "HOSTNAME.COM" I've been doing some research and it seems like some people suggest that its a PHP issue, or its an Nginx issue or a Load balancer issue. I'm not sure where to go with this, I've been trying to debug the issue and try a few different things, has anyone run into this? Does anyone have any debugging tips? Any help/guidance would be appreciated.

I have a simple Cognito user pool (no federation) with an app client with all 5 available auth flows enabled: ``` ALLOW_ADMIN_USER_PASSWORD_AUTH ALLOW_CUSTOM_AUTH ALLOW_REFRESH_TOKEN_AUTH ALLOW_USER_PASSWORD_AUTH ALLOW_USER_SRP_AUTH ``` The pool already has AWS-provided domain configured. When I attempt to integrate it into an authenticate rule for my ALB, I got the following error: > OAuth flows must be enabled in the user pool client How can I make this work?

According to the [blog post](https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/), you will be able to configure single ALB as a target in NLB. So what will be the required design if the target ALB has port redirection scenario like 80 to 443?