Elastic beanstalk launched inside of the VPC is having issues launching

amazon-vpcamazon-web-serviceselastic-beanstalk

I am having issues launching an Elastic Beanstalk application inside my VPC that I created.

My VPC looks like the following:

id:  vpc-a1b
name: vpc-green
cidr:  10.0.0.0/16
route table: rtb-1ab
acl: acl-123

I then have 6 subnets:

vpc-green-public-us-east-2a (rt: vpc-green-rt-public)
vpc-green-public-us-east-2b (rt: vpc-green-rt-public)
vpc-green-public-us-east-2c (rt: vpc-green-rt-public)

vpc-green-private-us-east-2a (each has its own rt)
vpc-green-private-us-east-2b
vpc-green-private-us-east-2c

Route tables:

vpc-green-rt-public
    10.0.0.0/16     local
    0.0.0.0/0           igw-123

vpc-green-rt-private-us-east-2a
    10.0.0.0/16     local
    0.0.0.0/0           nat-001

Internet Gateway:

vpc-green-igw

ACL:

vpc-green-acl
    inbound:
        100     ALL/All/All 0.0.0.0/0  ALLOW
        *           All/All/All 0.0.0.0/0  DENY

    outbound:
        100     ALL/All/All 0.0.0.0/0  ALLOW
        *           All/All/All 0.0.0.0/0  DENY 

    associated subnets: all 6 (public and private)

Security Groups:

vpc-green-default
    inbound:
        All/All/All  sg-a123 (self)
    outbound:
        All/All/All  0.0.0.0/0

vpc-green-web
    inbound:
        tcp, 80, 0.0.0.0/0
        tcp, 443, 0.0.0.0/0     
        icmp, All, 0.0.0.0/0
        all, all, all, 0.0.0.0/0
    outbound:
        UDP, 123, 0.0.0.0/0
        all/all/all, 0.0.0.0/0


EB-Load-balancer
    inbound:
        tcp, 80, 0.0.0.0/0
    outbound:
        tcp, 80, 0.0.0.0/0

EB-VPC-Security
    inbound:
        tcp, 80, source=EB-load-balander
    outbound:
        all, all, 0.0.0.0/0

The actual ec2 instance that ElasticBeanstalk creates looks like:

t2.small
security groups:
    vpc-green-web
    EB-VPC-Security
subnet:
    one of my public subnets (vpc-green-public-us-east-2a)

The load balancer that EB created looks like:

security groups:
    EB-load-balancer
subnet:
    one of my public subnets (vpc-green-public-us-east-2a)

I am getting an error:

The EC2 instances failed to communicate with AWS Elastic Beanstalk, either because of configuration problems with the VPC or a failed EC2 instance. Check your VPC configuration and try launching the environment again.

    Stack named 'awseb-e-xxxxx-stack' aborted operation. Current state: 'CREATE_FAILED' Reason: The following resource(s) failed to create: [AWSEBInstanceLaunchWaitCondition].

There is a help page here: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/events.common.connectivity.html

It says that "… this means the Amazon EC2 instances did not communicate to Elastic Beanstalk that they were launched successfully."

Given the above information, what exactly is the problem?

I am not sure how I can fix this as it looks fine to me.

If I visit the url that EB generates it does not work:

xxxxx.us-east-2.elasticbeanstalk.com is currently unable to handle this request.

Best Answer

So the problem ended up being that my DNS hostname and support in my VPC settings was not set to True.

Aws supported paid for itself today folks!

Related Solutions

EC2 cannot connect to RDS on VPC. Subnet issues

Since RDS requires you to have two availability zones when deploying in a VPC, you need to make sure that beanstalk is able to get to both of them via Network ACLs as well as the permissions for the instance based security groups.

Only your ELB and your NAT instance/NAT gateway need to be public subnets, everything else should be in private subnets.

Security groups are stateful and network groups are stateless so while you only need to allow inbound rules for the security groups, you need to allow BOTH inbound and outbound ports from your beanstalk subnet to both RDS subnets using Network ACLs. See Security in Your VPC.

Here is a sample eb create to create the beanstalk environment (replace square bracketed strings):

eb create [BEANSTALK_ENVIRONMENT] --instance_type m3.medium --branch_default --cname [BEANSTALK_CNAME] --database --database.engine postgres --database.version [x] --database.size 100 --database.instance db.m4.large --database.password xxxxxxxxx --database.username ebroot --instance_profile [BEANSTALK_EC2_IAM_PROFILE] --keyname [SSH_KEY_NAME] --platform "64bit Amazon Linux 2015.03 v1.3.0 running Ruby 2.2" --region us-east-1 --tags tag1=value1,tag2=value2 --tier webserver --verbose --sample --vpc.id [vpc-xxxxxx] --vpc.dbsubnets [subnet-db000001,subnet-db000002] --vpc.ec2subnets [subnet-ec200001] --vpc.elbsubnets [subnet-elb00001] --vpc.elbpublic --vpc.securitygroups [sg-00000001] --sample --timeout 3600

subnet-db000001 NETWORK ACL RULES:

Inbound: Port Range: 5432, Source [subnet-ec200001 (as ip range)], Allow
Outbound: Port Range: 5432, Source [subnet-ec200001 (as ip range)], Allow

subnet-db000002 NETWORK ACL RULES:

Inbound: Port Range: 5432, Source [subnet-ec200001 (as ip range)], Allow
Outbound: Port Range: 5432, Source [subnet-ec200001 (as ip range)], Allow

subnet-ec200001 NETWORK ACL RULES:

Inbound: Port Range: 5432, Source [subnet-db000001 (as ip range)], Allow
Inbound: Port Range: 5432, Source [subnet-db000002 (as ip range)], Allow
Outbound: Port Range: 5432, Source [subnet-db000001 (as ip range)], Allow
Outbound: Port Range: 5432, Source [subnet-db000002 (as ip range)], Allow

subnet-elb00001 NETWORK ACL RULES:

Inbound: Port Range: 80, Source 0.0.0.0/0, Allow
Inbound: Port Range: 443, Source 0.0.0.0/0, Allow
Outbound: Port Range: 80, Source 0.0.0.0/0, Allow
Outbound: Port Range: 443, Source 0.0.0.0/0, Allow

An additional note about Network ACLs -- many services don't respond on the original port but use an ephemeral port. So you may have to add the following to the inbound AND outbound network ACLs for subnets with EC2 instances:

Outbound: Port Range: 1024-65535, Source 0.0.0.0/0, Allow
Outbound: Port Range: 1024-65535, Source 0.0.0.0/0, Allow

There are also several useful scenarios in Recommended Network ACL Rules for Your VPC.

I hope this helps.

Permissions for EC2 created by Elastic Beanstalk connecting to external RDS

There seemed to be two missing points in the configuration:

I had to recreate the Elastic Beanstalk environment to be inside of the same Virtual Private Cloud (VPC) as the RDS database. This can be done by:
```
eb create myapp-staging --vpc
```

and then answering some questions like what is the VPC id.

I had to enter VPC CIDR (IP) to the allowed incoming connections for MySQL for "rds-launch-wizard" security group:

a) Go to VPC Dashboard -> Your VPCs and copy VPC CIDR.

b) Go to VPC Dashboard -> Security Groups and select the "rds-launch-wizard" group, then edit the Inbound Rules and add this rule:
```
MySQL/Aurora (3306) | TCP (6) | 3306 | <VPC CIDR here>
```

Best Answer

Related Solutions

EC2 cannot connect to RDS on VPC. Subnet issues

Permissions for EC2 created by Elastic Beanstalk connecting to external RDS

Related Topic