Questions tagged with Elastic Load Balancing


When trying to create a WAF web ACL, I get the following error: "WAFUnavailableEntityException: AWS WAF couldn't retrieve the resource that you requested. Retry your request." [This page in the AWS Documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_CreateWebACL.html) gives the following explanation: "WAFUnavailableEntityException AWS WAF couldn’t retrieve a resource that you specified for this operation. If you've just created a resource that you're using in this operation, you might just need to wait a few minutes. It can take from a few seconds to a number of minutes for changes to propagate. Verify the resources that you are specifying in your request parameters and then retry the operation. HTTP Status Code: 400" However, I waited for over an hour after creating my resources (first, an API, then an ALB), and I am still getting the same error when I try to create a web ACL for those resources. Not sure what the issue is.
2 answers | 0 votes | 605 views | asked 2 months ago

[This page](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) for Application Load Balancers states that Security Policies `ELBSecurityPolicy-2015-05` and `ELBSecurityPolicy-2016-08` are identical. When using region `us-east-1`, the two policies appear to be identical. When using region `us-east-2` or `ca-central-1`, the two policies are not identical. `ELBSecurityPolicy-2015-05` has an additional cipher, `DHE-RSA-AES128-SHA`, that is not present in the output for `aws elbv2 describe-ssl-policies ELBSecurityPolicy-2016-08`. I have not checked all regions. Either the documentation or the security policies per region should be updated.
1 answer | 2 votes | 117 views | Rachel | asked 2 months ago

I used to have HTTPS working on my Beanstalk environment but in the attempt of allowing access to another service I messed up something and I can't get it working again. ATM my configuration is:

Elastic Beanstalk
* An active listener on port 443 with the appropriate certificate
* A process on port 80, Health check path: /

EC2 and Security groups:
* One security group allowing inbound from 443, 80 and 27017
* Outbound all ports all IPs

What I think I messed up: How to determine the correct origin for the security groups? Also, is there anything wrong on this setup? I read many guides, I am not going to terminate the https connections like explained in this guide https://aws.amazon.com/premiumsupport/knowledge-center/elastic-beanstalk-https-configuration/ simply because I haven't done it before and it was working. Do I really need it?

thanks M
2 answers | 0 votes | 22 views | asked 2 months ago

Hello aws community, I have an issue with a lambda in which I ended up returning the hardcoded response like shown below ...

```
response = {
    "statusCode": 200,
    "statusDescription": "200 OK",
    "isBase64Encoded": false,
    "headers": {
        "Content-Type": "text/html"
    },
    "body": "<p>Test string returned from Lambda</p>"
}
return response;
```

I have played around with headers and content-types ... Nothing seems to resolve the issue. When checking the ELB logs I see ...

```
https 2023-01-24T20:04:03.214570Z app/************/*********** xxx.xxx.xxx.xxx:xxxxx - 0.008 0.538 0.000 502 - 1629 277 "GET https://*******************************************:443/*************** HTTP/1.1" "PostmanRuntime/7.29.2" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:**************************************** "Root=***************************" "*************************************" "arn:aws:acm:****************:certificate/******************************" 0 2023-01-24T20:04:02.667000Z "forward" "-" "LambdaInvalidResponse" "-" "-" "-" "-"
```

Does anyone have any ideas on how I could further troubleshoot this issue? Is there maybe a way to verify what the load balancer is receiving as a response from the lambda? I have tried logging what the lambda is returning. To me it seems correct and in line with what I find in forums that address similar topic.

Greetings, Hamid K.
1 answer | 0 votes | 37 views | Hamid | asked 2 months ago

Hello, I created an Elastic Beanstalk application (node) that needs to connect to DocumentDB. I also created the DocumentDB cluster, following this guide: https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-ec2.html

My problem is that I am not sure I should connect the Security Group to an EC2 instance. What happens if I decide to recreate the Beanstalk environment? Should I maybe connect the Security Group to the Load Balancer? What's the best approach for this use case?

thanks M
3 answers | 0 votes | 54 views | asked 2 months ago

Is the HSTS policy controlled by ALB? I don't see any option. How to fix this? I'm not using API gateway.
1 answer | 0 votes | 155 views | asked 2 months ago

On reviewing [this page](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) for Application Load Balancers, it states that Security Policies `ELBSecurityPolicy-2015-05` and `ELBSecurityPolicy-2016-08` are identical. However upon checking the output of `aws elbv2 describe-ssl-policies` for `ELBSecurityPolicy-2015-05` and `ELBSecurityPolicy-2016-08`, they are not identical. `ELBSecurityPolicy-2015-05` has an additional cipher, `DHE-RSA-AES128-SHA`, that is not present in the output for `aws elbv2 describe-ssl-policies ELBSecurityPolicy-2016-08`. Do the docs need to be updated?
1 answer | 0 votes | 38 views | Rachel | asked 2 months ago

Can someone explain the behaviour of network load balancer enabled in All available AZs and cross zone load balancer enabled?

Context: We are building a Tier-1 Service which is expected to be highly available and have low latency. Our infra choice was ECS Fargate, which was fronted by a Network load balancer. We have the NLB registered in all available zones for regions (us-east-1, eu-west-1, ap-northeast-1 and us-west-2). We are enabling cross zone load balancing too.

Questions:
1. How does NLB work when enabled in All available AZs and cross zone load balancer enabled?
2. How will it impact latency? Should we remove cross zone load balancer?
2 answers | 0 votes | 55 views | asked 2 months ago

I have an Angular and Spring Boot application in the EKS cluster. My Spring Boot is connected to RDS in a private subnet in the same VPC as my cluster. I have created one ALB ingress controller for my two deployment services. My frontend is in http://albdns/health and my backend is in http://albdns/user/app. How do I enable communication between the backend and frontend?
1 answer | 0 votes | 38 views | Joash | asked 2 months ago

I have a service that is used to deploy a new EC2 instance behind an ELB. The code works fine most of the time but every once in a while I get an error "Target groups 'arn:aws:elasticloadbalancing:ca-central-arn:...' not found (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: TargetGroupNotFound" when trying to register targets in the target group. Here is a code snippet:

```
AmazonElasticLoadBalancing client = AmazonElasticLoadBalancingClient.builder()
        ....
        .build();
...
CreateTargetGroupRequest createTargetGroupRequest = new CreateTargetGroupRequest();
...
CreateTargetGroupResult targetGroupResult = client.createTargetGroup(createTargetGroupRequest);
TargetGroup targetGroup = targetGroupResult.getTargetGroups().stream().findFirst().orElse(null);
assert targetGroup != null;
RegisterTargetsRequest registerTargetsRequest = new RegisterTargetsRequest();
registerTargetsRequest.setTargetGroupArn(targetGroup.getTargetGroupArn());
...
client.registerTargets(registerTargetsRequest);
```

When I get the error and go to check the target groups in the AWS Console, I can see it is there but without any registered targets. Is this some obscure timing issue? Should I put in a delay between the target group creation and registering the targets? Would it be a good idea to try the operation again if it throws the TargetGroupNotFound exception? Thanks for any suggestions.
1 answer | 0 votes | 30 views | asked 2 months ago

Hello,

We have a WAF rule which disallows certain IPs (based on geography). In our original configuration, we had:

**Global Accelerator --> Internet Facing ALB (w/ WAF integration) --> ECS cluster**

As part of a security review, we noticed that those ALBs don't need to be Internet-facing, i.e., they could be Internal-facing and on Private Subnets. The proposed config is:

**Global Accelerator --> Internal ALB --> ECS Cluster**

and we have shown this works. However, we also noticed *it's possible to have WAF Integration with the Internal ALB.* In this use case, is the WAF rule still effective? Will it still enforce the IP restrictions (seems that would only work if GA preserved the source IP)?

Thank you!
1 answer | 1 vote | 150 views | asked 2 months ago

We are moving our application from Next11 to Next13 and deploying to Amplify. Before this we were using a customized CloudFront and Serverless to take care of all our redirects, as we need some paths to go to a different application behind an ALB. We want to keep that behavior with Amplify. The Next13 application seems fine, but the redirects just show:

```
502 ERROR
The request could not be satisfied.
CloudFront wasn't able to connect to the origin. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
Generated by cloudfront (CloudFront)
```

We cannot find a way to customize that CloudFront distribution, as Amplify is deploying a managed one that we are not able to access through our console or CLI to edit. Is there a way to modify the behaviors for the rewrites and redirects, or at least to be able to use a custom CloudFront distribution for our Amplify deployment, so we can change the cache policy on the behaviors to make the redirect work as with our previous environment?
0 answers | 0 votes | 29 views | asked 2 months ago