AWS EB url accessible behind ELB - amazon-elastic-beanstalk

I have set up a website using Elastic Beanstalk with an ELB.
The security group for the ELB is configured for 80 & 443 from 0.0.0.0/0.
The security group for EB is configured for 80 & 443 from the ELB.
The Route53 A record has an alias pointing to the ELB, and it works properly.
Yet my site is accessible using the EB URL http://custom-env.xx.us-east-1.elasticbeanstalk.com/
How is this happening? What does this URL point to?

Your EB security group policies allow connections from any host on ports 80 and 443. Since you are directly hitting the EB URL, it's accessible (I'm not sure it's using the ELB for load balancing, more on this later). The A record in Route 53 is just pointing the URL http://custom-env.xx.us-east-1.elasticbeanstalk.com/ to your EB application.
To verify whether the ELB is indeed used, check the ELB configuration; it should be pointing to your application.

Related

Elasticbeanstalk endpoint can't be hit, project was deployed inside a NAT gateway

I just configured a NAT gateway for my Elastic Beanstalk. When I curl port 80 from localhost it works fine, but when I try to access my Elastic Beanstalk public endpoint I don't get anything from it; it just says "this site can't be reached".
I've configured the security group to allow port 80. Is there anything I have to do?

Map the service running at a port to a subdomain

I have an MQTT broker running on my Ubuntu Server at port 1883 and a website running at port 80. I want to map my broker to broker.abc.com while my website to www.abc.com. What are the possible steps toward this problem?
Until now, I have tried to add a subdomain broker.mqtt.com in my GoDaddy control panel but it never worked.
For now, I can access my website and broker both at abc.com but I want to separate both of them.

This is possible if you use 2 load balancers with 2 domain names. For this kind of problem AWS introduced wildcards (meaning one hosted zone in Route 53 with subdomains related to it). For example, abc.com will be your hosted zone and broker.abc.com, website.abc.com will be wildcards.
So one of the load balancers will redirect your broker.abc.com to port 1883 and the other load balancer will redirect to port 80.
Your wildcards (subdomains) will be mapped to the load balancers.

Google Cloud HTTP Load Balancer can't connect to my instance

I have created an HTTP load balancer to basically redirect from port 80 to port 8080. The server on my instance is running on port 8080.
I can connect to the server directly but the LB is not able to connect to the instance, both when accessing the LB's IP directly and in the health check, which always fails. The instance group the LB is using consists of just that single instance.
I read "Google Compute Engine health checks failing" and the google-address-manager is running. However, when running ip route table list local there is no routing for my LB. The user in the above question is using Network load balancing and not HTTP load balancing (as I am), so I don't know if that is related?
Or perhaps it's related to a firewall? I have added my LB's IP address to a firewall rule that allows tcp:8080.
Does anybody have any idea how I can fix this? I am not experienced with Debian nor GCP.
Should I just try and run the route add command referenced in the above question? If so, how come the google-address-manager is not adding the route?
Thank you in advance!

You need to make sure that the port mapping on your instance group is set to the correct port, 8080 in your case.
First, edit your instance group and change the port name and port to 8080.
Then, navigate to your HTTP backend's settings and change the default port to the port name you've configured in your instance group.
Finally, make sure that your firewall rules allow access on port 8080 from 0.0.0.0/0 or at least from the IP address of the HTTP load balancer (130.211.0.0/22).

I had the same issue and fixed it by adding a firewall rule for the health checker (which is not the same IP as your LB!). See https://cloud.google.com/compute/docs/load-balancing/health-checks?hl=en_US#http_and_https_load_balancing for instructions.

In my case, I did not configure the HTTP health check correctly.
I used "/" as the path, but on my backend, "/" redirects to a login page (HTTP 301), which responds with an HTTP 200.
The health check does not follow a redirect; every HTTP response code != 200 is assumed unhealthy (from Debugging Health Checks in Load Balancing on Google Compute Engine).
So, I changed my path to "/login"; this fixed my issue.

Why is elasticbeanstalk url not accessible whereas loadbalancer url for the same environment is?

I have an Elastic Beanstalk setup, but the URL that's listed in the environment is not accessible, whereas if I point to the URL of the load balancer I can access it.
Any suggestions?

Attach the load balancer security group to the instance. It worked for me. I found the ELB has a different security group that is not attached to the instance.
Or you can create one security group with HTTP port 80 open and attach it to the ELB and the instance from the Beanstalk configuration.

Go to the Elastic Beanstalk configuration, then go to VPC settings. Check "Associate Public IP Address". Then it worked for me.

Preventing HTTP access to the servers of Amazon's Elastic Beanstalk

We have a system running on Amazon's Beanstalk.
We would like to limit access to the server to HTTPS only.
When blocking HTTP on the environment settings, it prevents access through the Beanstalk DNS.
However, if someone knows the public IP (or name) of any of the servers, he can access them directly through HTTP. It seems that the LB forwards the requests to port 80, so we cannot change the security group and remove port 80.
Is there a simple way to limit HTTP access to be only from the LB?
Thanks

You should be able to do this through EC2 Security Groups, which is an Elastic Beanstalk environment property.
By default this allows connections to port 80 from any IP address, but you could remove that rule or replace it with your own IP address (for testing purposes).
Failing that, you could reroute all HTTP traffic to HTTPS at the application level or simply test the CGI property *server_port_secure* and refuse to answer.

Yes, you need http/80 to be open for the health check to work. The option for you is to redirect all the other requests (except the health check URL) to use https. This way, though the port is open, you "don't serve any data in an insecure way".

You have at least two options:
1 - Set the security group policy so that it allows access on port 80 from the load balancer only. IMPORTANT!!! Do not use the load balancer IP in the instances' security group. Use the load balancer security group ID instead.
2 - Remove the public IPs from the instances. You should be good if all your EC2 instances have private IPs and the ELB has a public IP.
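
Option 1 of the last answer as an added example, not part of the original thread: a Python audit over constructed rules shaped like the `IpPermissions` entries in `aws ec2 describe-security-groups` output. It flags instance-group ingress on the web port that comes from a CIDR (world-open or a pinned load balancer IP) rather than from the load balancer's security group ID. The group ID, the addresses and the `rule`, `covers` and `audit_instance_sg` helpers are assumptions made for illustration.

```python
# Added example: audit an instance security group so that web traffic is only
# admitted from the load balancer's security group. All IDs/CIDRs are constructed.
ELB_SG = "sg-elb-EXAMPLE"   # placeholder for the load balancer's group ID

def rule(port, cidrs=(), groups=()):
    """Build one constructed IpPermissions entry (TCP, single port)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

SAMPLES = {
    "default": [rule(80, cidrs=["0.0.0.0/0"]), rule(22, cidrs=["203.0.113.10/32"])],
    "lb_ip_pinned": [rule(80, cidrs=["198.51.100.7/32"])],
    "lb_group_only": [rule(80, groups=[ELB_SG])],
}

def covers(perm, port):
    """True if the entry applies to the given TCP port ("-1" means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def audit_instance_sg(permissions, elb_sg_id, instance_ports=(80,)):
    """Return (port, finding, source) tuples; an empty list means LB-only access."""
    findings = []
    for port in instance_ports:
        via_elb = False
        for perm in permissions:
            if not covers(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                world = cidr in ("0.0.0.0/0", "::/0")
                findings.append((port, "open-to-world" if world else "cidr-source", cidr))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") == elb_sg_id:
                    via_elb = True
                else:
                    findings.append((port, "other-group", pair.get("GroupId")))
        if not via_elb:  # removing the open rule without this would break LB traffic
            findings.append((port, "no-elb-group-rule", elb_sg_id))
    return findings

if __name__ == "__main__":
    for name, perms in SAMPLES.items():
        print(name, audit_instance_sg(perms, ELB_SG))
```

To run it against a real environment, pass the `IpPermissions` list of the instance group and the load balancer's actual group ID; `instance_ports` should list the ports the load balancer forwards to.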