Questions tagged with Elastic Load Balancing
AWS ECS randomly removed target group (ec2 instance)
I have an ECS service with daemon as type and today randomly the task count went from 2 (default) to 1, and haven't been able to fix it. And the events tab is getting spammed with: service xyz updated computedDesiredCount for taskSet ecs-svc/0123 to 1. (daemon service xyz) updated desired count to 2. It goes from 1 to 2 to 1 to 2 again every 10 seconds. Does anyone have an idea how to fix this? I have tried forcing new deployments, but nothing. In the deployments tab the ACTIVE status is running one task. And the PRIMARY has desired 1, but pending and running are 0 tasks.
I have a microservice. What would be the most appropriate and economical infrastructure? The idea is to always keep the same public IP to associate it to the DNS, and for it not to change when we make new deployments.
- Use Fargate with Balancer.
- Use API Gateway.
- Use Beanstalk with Elastic IP in an EC2 and without Balancer.
WAF Geo Restriction - False Positive IP Block
Hello, My organization recently obtained our own block of public IP addresses from ARIN. We are currently using one of these IPs as our outbound IP for all internet traffic. We are seeing an increase in "403 Forbidden" errors for certain websites hosted on AWS. The responding server header for these errors is "awselb/2.0". One software vendor we worked with said they had to manually add an exception for our IP address. That specific vendor said their AWS WAF was configured to only allow connections from certain countries (one of the countries being the US, where we are located). I have verified that our geoIP information is accurate in MaxMind as well as other major providers. Also, our IP block is not listed in any major spam lists. So my question is, why is AWS not seeing our IP as being in the US? Do they use a separate geoIP database, or are they just slow to refresh their database with other geoIP providers? Unfortunately, my organization is not currently an AWS customer, so we have no access to AWS support. This forum is our only resort. Any help you can provide would be very much appreciated. Thanks
ALB as reverse proxy with home server as target
I am trying to use an ALB as a reverse proxy to send traffic to my home server. I got an API Gateway to do this, but then realised API Gateway only supports HTTP/HTTPS, whereas I am also using socket.io, which makes use of web sockets and extra packet data. I can't seem to find a proxy option in the API Gateway web sockets flavour. So I thought that an ALB as a proxy would resolve this issue, but I can't seem to set the target IP in a target group as anything outside of a VPC, and I want to set it as my home address.
All Route 53 Alias options greyed out
When trying to create a new Route 53 record and enabling **Alias**, all options under "**Route traffic to**" except for "another record in this hosted zone" are greyed out and unavailable to select. I am trying to point a CNAME to my active ELB, but cannot select "**Alias to Application and Classic Load Balancer**". Any reason all the options would be disabled? Account permissions? Security settings?
EKS NLB target groups protocol change to https
Hi, how to change the target groups protocol to https? The listener is TLS and the cert binding is working; however, the backend forward to the pod is not working. I am unable to find the annotation to change the protocol from tcp (current) to https. Can you share the correct annotations?

```
annotations:
  service.beta.kubernetes.io/aws-load-balancer-internal: "true"
  service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip"
  service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
  service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https"
  service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "2"
  service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "2"
  service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:xxxxxxxxxxxx
```
ALB and gRPC keep alive pings to keep a gRPC stream open
Hi, I have a Fargate instance running a gRPC API (written with Spring Boot) running behind an AWS ALB (ALB listens on port 9090 / HTTPS, target group uses HTTP / 9090 and protocol gRPC). The client that I am using is able to communicate with the gRPC server. We also instantiate a server stream to the client that needs to stay open, because the server needs to send some data with low latency to the client. However, after 60 seconds the stream will be terminated (default timeout of the ALB). To prevent that, I have configured the client to send keep alive pings every 20 seconds, but that does not work. I also tried to use server side keep alive pings, however, that was not working either. To verify that the pings are sent to the server, I used Wireshark and it seems that at least the client side keep alive pings work. Does the ALB support keep alive pings to keep the gRPC stream open? Are there any best practices on how to set up gRPC streams with the ALB? Thanks in advance :-).
Redirect external HTTP requests into VPN-network
Hello guys! I have an algo VPN server hosted in the AWS cloud, and I would like to redirect external HTTP requests (from the global internet) that come, for example, to a Load Balancer, so that they are redirected to the PC inside my VPN network. HTTP request chain: client -> aws load balancer -> VPN-cloud -> My PC running server. Any ideas how to do it? I was thinking of launching an extra EC2 instance with a VPN client and proxy server on board, so the sequence would be the following: HTTP-request -> Load Balancer -> EC2-Instance -> PC in VPN. But I'm not sure that this solution is the simplest one.
How to configure listeners for more than 50 ports in NLB
Access is performed using a private link in a configuration with two VPCs. NLB is specified as the connection destination of the private link, but it is a requirement that port 50 or more must be used. NLB listeners can't scale beyond 50. Is there any way to solve this?
Intermittent health check timeouts causing ECS to kill tasks
We have an ECS service running our API. Normally this service runs with ~12 tasks. The service is configured with an HTTP health check that returns a 200 if certain conditions are met - usually this returns within ~200ms. We have a scaling policy that starts new tasks based on the average CPU of our tasks. Recently we have seen that ECS is terminating a large chunk of tasks at a time (often ~50% of the tasks) and then our service drops requests as we don't have the capacity to handle the inbound requests. I have noticed, at least on the most recent occurrence, that we had a spike in traffic of about 40% of our current traffic around the time that ECS terminated a bunch of tasks, however, the capacity should be there in our API to handle this without any issue. This issue has happened ~5 times in the past week or so but is very intermittent and doesn't seem to affect the entire service - only certain tasks. I have checked all of our monitoring and logging and I can't see anything as to why the health check would be failing. The application logs for the tasks are completely normal. All I have to go on are the following messages in the ECS event log:

```
service my-service (port 8000) is unhealthy in target-group my-target-group due to (reason Request timed out).
```

Is there any further troubleshooting I can do to understand what is causing this? Also, if the issue is somehow triggered by an increase in load, is there a way we can prevent the ECS service from immediately terminating the tasks (which inevitably compounds the issue).
Can't add AWS Certificate Manager to domain
Hello.
1. Previously, I created it through DNS validation and connected it to the domain "storyflow.link" (which is registered through AWS tools) through "Create DNS records in Amazon Route 53"
2. Currently the CNAME fields appear in "Hosted zones" but the status does not change (Pending validation)
3. I cannot add "add listener" - HTTPS to the Configuration of Elastic Beanstalk. A message appears: Creating Load Balancer listener failed Reason: Resource handler returned message: "The certificate '*****' must have a fully-qualified domain name , a supported signature, and a supported key size. (Service: ElasticLoadBalancingV2, Status Code: 400, Request ID: *****, Extended Request ID: null)" (RequestToken: ****, HandlerErrorCode: InvalidRequest).