Network problems when I create Beanstalk environments from an AMI

Tags: amazon-beanstalk, amazon-vpc, elastic-beanstalk, security-groups

I'm using AWS elastic beanstalk web interface to create an environment based on an existing AMI that has our application deployed on it.

The environment gets created and the app is accessible via the EC2 instance's IP. However, the environment's health stays at "Pending" for 15 minutes and then degrades to "Severe", with these errors in the environment's log:

2017-10-22 15:57:50 UTC+0300 INFO Launched environment: Winfooztest-env-6. However, there were issues during launch. See event log for details.

2017-10-22 15:57:49 UTC+0300 ERROR The EC2 instances failed to communicate with AWS Elastic Beanstalk, either because of configuration problems with the VPC or a failed EC2 instance. Check your VPC configuration and try launching the environment again.

2017-10-22 15:57:49 UTC+0300 ERROR Stack named 'awseb-e-ypy7mg2pta-stack' aborted operation. Current state: 'CREATE_FAILED' Reason: The following resource(s) failed to create[AWSEBInstanceLaunchWaitCondition].

2017-10-22 15:56:16 UTC+0300 WARN Environment health has transitioned from Pending to Severe. Initialization in progress (running for 16 minutes). None of the instances are sending data.

2017-10-22 15:41:48 UTC+0300 INFO Created CloudWatch alarm named: awseb-e-ypy7mg2pta-stack-AWSEBCloudwatchAlarmHigh-QVXFWC3HZS5S

So what I understood here is that the instance is created, but it's failing to communicate with elastic beanstalk. In contrast to common security sense, and in order to pinpoint the problem, I've tried to keep my VPC setting as public as possible. Here is what I did:

VPC type: Created a "VPC with a single public subnet"

IPv4 CIDR block: 10.0.0.0/16

Public subnet's IPv4 CIDR: 10.0.0.0/24

Visibility: public

Checked the option to have a public IP address for the VPC

Security group – Inbound: ALL Traffic|ALL|ALL|0.0.0.0/0

Security group – Outbound: ALL Traffic|ALL|ALL|0.0.0.0/0

Environment is configured to use a load balancer.

No luck.

I know there is a small networking tweak that I need to do. I've scratched my head (and my search engine) a lot. What am I missing? Can you help?

Best Answer

Elastic Beanstalk expects certain scripts to be in your AMI. These scripts are executed by Beanstalk during different lifecycle events like application deployment and shutdown. Without those scripts there is no way for Beanstalk to communicate with your instance.

The best approach here is to build your AMI using Packer (https://www.packer.io) from one of the preconfigured templates: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/custom-platforms.html

Elastic Beanstalk uses a standardized directory structure for hooks, which are scripts that are run during lifecycle events and in response to management operations: when instances in your environment are launched, or when a user initiates a deployment or uses the restart application server feature.

Hooks are organized into the following folders:

appdeploy — Scripts run during an application deployment. Elastic Beanstalk performs an application deployment when new instances are launched and when a client initiates a new version deployment.

configdeploy — Scripts run when a client performs a configuration update that affects the software configuration on-instance, for example, by setting environment properties or enabling log rotation to Amazon S3.

restartappserver — Scripts run when a client performs a restart app server operation.

preinit — Scripts run during instance bootstrapping.

postinit — Scripts run after instance bootstrapping.
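As an added diagnostic, not part of the question or the answer above, the following POSIX shell script checks whether an image actually carries the five hook folders the answer lists, which is the quickest way to tell "the AMI is missing the Beanstalk agent hooks" apart from a genuine VPC or security group problem before spending another 15 minutes on a launch. It assumes the hook root is /opt/elasticbeanstalk/hooks, the location used by the Amazon Linux Beanstalk platforms; point EB_HOOK_ROOT elsewhere if you have the AMI's root volume mounted under another path. The function names and the EB_HOOK_ROOT variable are this example's own, not anything Elastic Beanstalk provides.

```shell
#!/bin/sh
# Added example: verify that a Beanstalk-derived AMI still contains the
# hook folders Elastic Beanstalk expects. Run it on an instance launched
# from the AMI, or against a mounted copy of the AMI's root volume.
#
# Assumption: hooks live under /opt/elasticbeanstalk/hooks (Amazon Linux
# platforms). Override with EB_HOOK_ROOT for other layouts.

EB_HOOK_ROOT="${EB_HOOK_ROOT:-/opt/elasticbeanstalk/hooks}"

# The five lifecycle folders named in the answer.
EB_HOOK_DIRS="appdeploy configdeploy restartappserver preinit postinit"

# eb_missing_hooks ROOT
#   Prints the names of hook folders absent under ROOT, one per line.
#   Returns 0 when every folder is present, 1 when any is missing.
eb_missing_hooks() {
    root="$1"
    rc=0
    for d in $EB_HOOK_DIRS; do
        if [ ! -d "$root/$d" ]; then
            echo "$d"
            rc=1
        fi
    done
    return $rc
}

# eb_hook_report ROOT
#   Human-readable verdict for the image being inspected.
#   Returns 0 only when the hook tree is complete.
eb_hook_report() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "no hook directory at $root: this AMI was not built from a Beanstalk platform image"
        return 1
    fi
    if missing=$(eb_missing_hooks "$root"); then
        echo "all Beanstalk hook folders present under $root"
        return 0
    fi
    echo "missing Beanstalk hook folders under $root:"
    echo "$missing" | sed 's/^/  /'
    return 1
}

# Usage:
#   sh check_eb_hooks.sh /opt/elasticbeanstalk/hooks
#   sh check_eb_hooks.sh /mnt/ami-root/opt/elasticbeanstalk/hooks
# With no argument the script only defines the functions, so it can be
# sourced from other tooling.
if [ $# -gt 0 ]; then
    eb_hook_report "$1"
fi
```

A non-zero exit from eb_hook_report on an instance launched from the AMI is a strong signal that the image was captured from a non-Beanstalk base (or that the hook tree was stripped), which matches the "None of the instances are sending data" symptom in the question: the instance is reachable, but nothing on it reports back to the Beanstalk service. If the hook tree is complete, the remaining suspects really are the VPC route table, the security group's outbound rules, and the instance profile.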