ELB with Private EC2 Instances

I am unable to successfully configure private EC2 with ELB/ASG configuration. SGs are configured properly. ELB is attached to 2 public subnet and EC2 instances to 2 private subnets and both public/private subnets are in same VPC. When EC2 instances are initialized, the status is "unhealthy" under the respective target group.

When I move the EC2 instances in public subnets, all work fine.

Any pointers or ideas are appreciated.

thanks
  • Tia W
    01-23-2019

    Hello @inder76, please check the NACL for the private subnet as well to ensure the appropriate ports are allowed. Remember that NACLs have separate rules for inbound and outbound communication.

  • Inderpal S
    01-23-2019

    Hi Tia - thanks for the note. My current NACL has implicit allow for "All traffic". Please also note that I am able to ping the private EC2 instances from another EC2 instance in a public subnet.

  • Alisha R
    01-24-2019

    Hi @inder76 - Are you using the default VPC or a custom VPC? If you are using a custom VPC, go back and check and confirm all your security groups, NACLs, etc. are in the same VPC. I had an issue where, when you deploy a new launch configuration and select to create a security group, AWS "assumes" it is for the default VPC, which was wrong in my case. I had to create the security group first and specify the correct VPC, then do the Launch Configuration and pick an existing security group.

  • Inderpal S
    01-24-2019

    Hi @devyshka - thanks for your suggestions. I have checked one more time that all NACLs and SGs are in the custom VPC (yes, I am using a custom VPC). Both NACLs and SGs have implicit allow inbound/outbound at this time. When EC2 instances are placed in a public subnet of the custom VPC, it works fine. The issue is seen with EC2 instances in private subnets and a public ELB. I can ping from public to private between EC2 instances. I am running out of ideas as everything seems fine from the configuration side.
    thanks
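The thread above turns on the difference between stateless NACLs (separate inbound and outbound rule sets, first matching rule wins, implicit deny) and stateful security groups. The following Python script is an added example, not code from the thread or from AWS, that models those two rule types and walks a load balancer health check through the three hops that have to admit it on the private-subnet side: NACL inbound to the target port, the instance security group, and NACL outbound back to the load balancer node on an ephemeral port. Every address, security group id and rule in it is constructed sample data; the ephemeral range 1024-65535 is the range AWS documents for load balancer return traffic.

```python
"""Evaluate whether a load balancer health check can reach an instance in a private subnet.

Rule semantics modelled after AWS behaviour:
- Network ACLs are stateless and have separate inbound and outbound rule sets.
  Rules are evaluated in ascending rule-number order, the first match wins,
  and anything unmatched hits the implicit '*' rule, which denies.
- Security groups are stateful: if the inbound rule admits the health check,
  the reply is allowed automatically.
All addresses, group ids and rules below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Load balancer nodes use ephemeral source ports; AWS documents 1024-65535
# as the range a NACL must allow for the return traffic.
ELB_EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class NaclRule:
    number: int              # evaluation order, lowest first
    action: str              # "allow" or "deny"
    protocol: str            # "tcp" or "all"
    cidr: str                # source CIDR (inbound) or destination CIDR (outbound)
    ports: Tuple[int, int]   # inclusive port range


@dataclass(frozen=True)
class SgRule:
    protocol: str
    ports: Tuple[int, int]
    cidr: Optional[str] = None        # either a CIDR ...
    source_sg: Optional[str] = None   # ... or a referenced security group id


def nacl_allows(rules: List[NaclRule], addr: str, port: int, protocol: str = "tcp") -> bool:
    """First matching rule decides; no match means the implicit '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if ip_address(addr) not in ip_network(r.cidr):
            continue
        if not r.ports[0] <= port <= r.ports[1]:
            continue
        return r.action == "allow"
    return False


def sg_allows(rules: List[SgRule], src_addr: str, src_sg: str, port: int, protocol: str = "tcp") -> bool:
    """Security group rules are permit-only; any matching rule admits the traffic."""
    for r in rules:
        if r.protocol not in ("all", protocol) or not r.ports[0] <= port <= r.ports[1]:
            continue
        if r.source_sg is not None and r.source_sg == src_sg:
            return True
        if r.cidr is not None and ip_address(src_addr) in ip_network(r.cidr):
            return True
    return False


def diagnose_health_check(elb_node_ip, elb_sg, target_port,
                          private_nacl_in, private_nacl_out, target_sg_in,
                          ephemeral_port=40000):
    """Return the list of hops that block the check; an empty list means it can succeed."""
    problems = []
    # 1. health check packet enters the private subnet
    if not nacl_allows(private_nacl_in, elb_node_ip, target_port):
        problems.append(f"private-subnet NACL inbound blocks {elb_node_ip} -> tcp/{target_port}")
    # 2. instance security group must admit the load balancer
    if not sg_allows(target_sg_in, elb_node_ip, elb_sg, target_port):
        problems.append(f"target SG has no inbound tcp/{target_port} rule for {elb_sg} or {elb_node_ip}")
    # 3. reply leaves the private subnet on the load balancer's ephemeral port (stateless NACL)
    if not nacl_allows(private_nacl_out, elb_node_ip, ephemeral_port):
        problems.append(f"private-subnet NACL outbound blocks reply to {elb_node_ip} tcp/{ephemeral_port}")
    return problems


# Constructed sample topology (not from the thread)
ELB_NODE_IP = "10.0.1.25"          # load balancer node in public subnet 10.0.1.0/24
ELB_SG = "sg-0elbexample"          # hypothetical id
TARGET_PORT = 80

ALLOW_ALL = [NaclRule(100, "allow", "all", "0.0.0.0/0", (0, 65535))]   # default NACL

# Hand-built NACL that opens tcp/80 inbound but has no outbound ephemeral-port rule
STRICT_IN = [NaclRule(100, "allow", "tcp", "10.0.1.0/24", (80, 80))]
STRICT_OUT = [NaclRule(100, "allow", "tcp", "0.0.0.0/0", (443, 443))]

SG_FROM_ELB = [SgRule("tcp", (80, 80), source_sg=ELB_SG)]
SG_WRONG_VPC = [SgRule("tcp", (80, 80), source_sg="sg-0defaultvpc")]  # hypothetical SG from another VPC


if __name__ == "__main__":
    for name, nin, nout, sg in [("default NACL, correct SG", ALLOW_ALL, ALLOW_ALL, SG_FROM_ELB),
                                ("strict NACL missing ephemeral out", STRICT_IN, STRICT_OUT, SG_FROM_ELB),
                                ("SG references wrong group", ALLOW_ALL, ALLOW_ALL, SG_WRONG_VPC)]:
        print(name, "->", diagnose_health_check(ELB_NODE_IP, ELB_SG, TARGET_PORT, nin, nout, sg) or "healthy")
```

The first scenario corresponds to what the original poster describes (allow-all NACLs, security groups in the custom VPC) and reports no blocking hop, which is the point: once the NACL and security-group path checks out, the remaining suspects are outside these rules, such as the application not listening on the target port or the health-check path not returning the expected status. The third scenario reproduces the launch-configuration pitfall Alisha describes, where the instance security group references a group from the wrong VPC and the check never matches.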
