AWS – Can an EC2 Instance Have Two Public Subnets for Creating a Load Balancer?

amazon ec2amazon-web-servicesload balancingsubnet

So I eventually want to set up a classic load balancer on AWS and I have a VPC with 2 public subnets, but now I am not sure if I can use those two subnets for that one EC2 instance or do I need two ec2 instances?

Best Answer

Some thoughts:

What's the point of a load balancer with only one instance? If you scale down to one instance that would make sense, but planning for only one instance all the time would have minimal benefits. Load balancers do offer benefits, they're a reverse proxy that offer your instance some protection against internet based threats.
Technically you can load balancer to one or more instances
Classic load balancer is not often used these days, best select from the more modern ALB / NLB unless you have a really odd edge case they can't cater for

Related Solutions

Can’t access AWS ec2 instance behind elastic load balancer

If the status check is returning a 401, AWS sees the instance as unhealthy and takes it out of the ELB. Since you have no healthy instances, the ELB is down.

Note that AWS accesses /heartbeat.php via IP, not via DNS name. Check the response using curl -I http://<your instance IP>/heartbeat.php and adjust your server config if it's not being served by the default virtualhost.

AWS VPC Public Private Subnets – EC2 Instance cannot reach RDS instance

f you know any thing about this (maybe you are a network engineer) you probably see right away what the problem is.
The problem is rooted in these concepts:

Ephemeral ports
Stateless and Stateful
Connection Tracking
NACLs are Stateless
Security Groups are Stateful

Read about it here:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

https://en.wikipedia.org/wiki/Ephemeral_port

The corrected confiuration is below. The change that really corrected the connectivity between the Public and Private subnets was enabling response traffic on the Ephemeral ports for both In Bound Public subnet NACL and Out Bound Private subnet NACL rules. I also cleaned up some redundant and insecure Out Bound rules in the NACLS and Security Groups.

VPC NACL

In Bound
80  0.0.0.0/0 Allow
Out Bound
32768-65535 0.0.0.0/0 Allow

Public Subnet NACL

InBound
80  0.0.0.0/0 Allow
32768-65535 172.30.4.0/0 Allow
Out Bound
32768-65535 0.0.0.0/0 Allow
5432    172.30.4.0/24 Allow (PostgreSQL)

Private Subnet NACL

InBound
5432    172.30.1.0/24 Allow
Out Bound
32768-65535 172.30.1.0/24 Allow

VPC Security Group

InBound
80  VPC-Security-Group-ID Allow
Out Bound

Public Subnet Security Group

InBound
80  0.0.0.0/0 Allow
Out Bound
5432    172.30.4.0/0 Allow

Private Subnet Security Group

InBound
5432    172.30.1.0/24 Allow
Out Bound

This is a working configuration. Hopefully this helps someone. If you see anyhting that can be improved let me know and let me know if you have questions.

Best Answer

Related Solutions

Can’t access AWS ec2 instance behind elastic load balancer

AWS VPC Public Private Subnets – EC2 Instance cannot reach RDS instance

Related Topic