Accessing AWS EC2 instances through ELB

Svend Hansen picture Svend Hansen · Feb 24, 2012 · Viewed 17.4k times · Source

I'm trying to set up two instances under an elastic load balancer, but cannot figure out how I'm supposed to access the instances through the load balancer.

I've set up the instances with a security group to allow access from anywhere to certain ports. I can access the instances directly using their "Public DNS" (publicdns) host name and the port PORT:

http://[publicdns]:PORT/

The load balancer contains the two instances and they are both "In Service" and it's forwarding the port (PORT) onto the same port on the instances.

However, if I request

http://[dnsname]:PORT (where dnsname is the A Record listed for the ELB)

it doesn't connect to the instance (connection times out).

Is this not the correct way to use the load balancer, or do I need to do anything to allow access to the load balancer? The only mention of security groups in relation to the load balancer is to restrict access to the instances to the load balancer only, but I don't want that. I want to be able to access them individually as well.

I'm sure there's something simple and silly that I've forgotten, not realised or done wrong :P

Cheers, Svend.


Extra info added:

The Port Configuration for the Load Balancer looks like this (actually 3 ports):

10060 (HTTP) forwarding to 10060 (HTTP) Stickiness: Disabled(edit)

10061 (HTTP) forwarding to 10061 (HTTP) Stickiness: Disabled(edit)

10062 (HTTP) forwarding to 10062 (HTTP) Stickiness: Disabled(edit)

And it's using the standard/default elb security group (amazon-elb-sg).

The instances have two security groups. One external looking like this:

22 (SSH)          0.0.0.0/0
10060 - 10061 0.0.0.0/0
10062              0.0.0.0/0

and one internal, allowing anything within the internal group to communicate on all ports:

0 - 65535 sg-xxxxxxxx (security group ID)

Not sure it makes any difference, but the instances are m1.small types of image ami-31814f58.


Something that might have relevance:

My health check used to be HTTP:PORT/ but the load balancer kept saying that the instances were "Out of Service", even though I seem to get a 200 response on the request on that port.

I then changed it to TCP:PORT and it then changed to say they were "In Service".

Is there something very specific that should be returned for the HTTP one, or is it simply a HTTP 200 response that's required? ... and does the fact that it wasn't working hint towards why the load balancing itself wasn't working either?

Answer

bwight picture bwight · Feb 24, 2012

It sounds like you have everything set up correctly. Are they the same ports going into the loadbalancer as the instance? Or are you forwarding the request to another port?

As a side note, when I configure my loadbalancers I don't generally like to open up my instances on any port for the general public. I only allow the loadbalancer to make requests to those instances. I've noticed in the past that many people will make malicious requests to the IP of the instance trying to find a security breach. I've even seen people trying to brute force login into my windows machines....

To create a security rule only for the loadbalancers run the following commands and remove any other rules you have in the security-group for the port the loadbalancer is using. If you're not using the commandline to run these commands then just let me know which interface you're trying to use and i can try to come up with a sample that will work for you.

elb-create-lb-listeners <load-balancer> --listener "protocol=http, lb-port=<port>, instance-port=<port>"
ec2-authorize <security-group>  -o amazon-elb-sg -u amazon-elb

Back to your question. Like I said, the steps you explained are correct, opening the port on the instance and forwarding the port to the instance should be enough. Maybe you need to post the full configuration of your instance's security group and the loadbalancer so that I can see if there is something else affecting your situation.