Support Automation Workflow (SAW) Runbook: Troubleshoot Classic Load Balancer

4 分的閱讀內容
內容層級:中級
0

How can I use the AWSSupport-TroubleshootCLBConnectivity AWS Systems Manager automation runbook to troubleshoot my Classic Load Balancer?

In this article, I will show you how to use the AWSSupport-TroubleshootCLBConnectivity, AWS Systems Manager (SSM) automation runbook to troubleshoot your Classic Load Balancer (CLB).

Learn more about Support Automation Workflows >>

How it works?

The AWSSupport-TroubleshootCLBConnectivity can help you troubleshoot connectivity issues between your CLB listeners and its registered EC2 instances by checking the network Access Control Lists (ACL) and security groups, comparing the CLB configuration against best practices, or creating an Amazon CloudWatch dashboard you can use to monitor HTTP response errors, latency, and the health of the registered EC2 instances.

When running the AWSSupport-TroubleshootCLBConnectivity automation, you can choose from three options: Connectivity Issues, Best Practices, or Troubleshooting Dashboard:

The Connectivity Issues option checks for any potential connectivity issue between the Load Balancer listeners and its target instances by analyzing:

  • The network ACLs associated with the subnets for your instances:
    • Check for required traffic not allowed between the CLB and other subnets within the same CLB Virtual Private Cloud (VPC).
    • Check for invalid ephemeral, load balancer, instance, and health check port traffic configuration.
  • The security groups associated with the EC2 instances and the CLB:
    • Check for valid inbound/outbound rules to and from the CLB and its registered EC2 instances within the same CLB VPC.
    • Check for invalid load balancer, instance, and health check ports traffic.

The Best Practices option checks if the CLB configuration adheres to the following best practices:

  • High Availability: Multiple Availability Zones and cross-zone balancing is enabled.
  • There are healthy instances on each Availability Zone.
  • Secure Listeners: HTTPS/SSL listeners present and latest security policy enabled.
  • Access Logs are enabled.

The Troubleshooting Dashboard option creates an Amazon CloudWatch Dashboard for your CLB that included HTTP response 5XX and 4XX errors, latency, and the health of the registered instances.

A successful runbook execution will show you the output of any of the executed actions. Optionally, you can specify a non-publicly accessible Amazon Simple Storage Service (Amazon S3) bucket as part of the input parameters to upload the output results.

Prerequisites

Before running the automation make sure your IAM user or the role has the permissions listed in the Required IAM permissions section.

Instructions

  1. Navigate to the Systems Manager console .
  2. In the navigation pane, choose Documents.
  3. In the search bar, type the following AWSSupport-TroubleshootCLBConnectivity.
  4. Select AWSSupport-TroubleshootCLBConnectivity document.
  5. Click on Execute automation.
  6. For the input parameters enter the following:
    • AutomationAssumeRole (optional): This is the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation will use the permissions of the user that starts this runbook.
    • LoadBalancerName (required): The name of the CLB to target.
    • InvestigationType (required): The type of action you want to perform. Valid values: Best Practices | Connectivity Issues | Troubleshooting Dashboard.
    • S3Location (optional): This is the name of your Amazon Simple Storage Service (S3) Bucket. Supplying this value will allow the Automation to store the execution results to the bucket as a text file. If no bucket name is supplied, then results are not stored.

The following example demonstrates how to use the AWSSupport-TroubleshootCLBConnectivity automation runbook to run Connectivity Issues checks between your CLB and EC2 instances.

The runbook input parameters

  1. Click on Execute.
  2. You should see that the automation has been initiated.
  3. Once completed, you can review the Outputs section to see a summary of the connection results.

Execution detail: AWSSupport-TroubleshootCLBConnectivity

  1. You can also review the specific action output by selecting the RunConnectivityChecks step in the Executed steps section for both a brief summary results of the execution and detailed output:

Execution detail: Run =ConnectivityChecks

For the other investigation types, Best Practices and Troubleshooting Dashboard, you can follow the same steps to execute those workflows as well.

Conclusion

In this article, I demonstrated how to troubleshoot connectivity issues on a Classic Load Balancer by using the SSM Automation runbook AWSSupport-TroubleshootCLBConnectivity, available in the System Manager.

References

Systems Manager Automation

Run this Automation (console)

Running a simple automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-working-executing.html

Setting up Automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html

Documentation related to the AWS service

For more information how to run this runbook, please see the AWS public document: AWSSupport-TroubleshootCLBConnectivity.

To help you troubleshoot, remediate, manage, and reduce costs on your AWS resources, AWS Support maintains a subset of the AWS provided predefined runbooks . These runbooks are prefixed with “AWSSupport-“ or “AWSPremiumSupport-“.