My teammate and I have just implemented ELB in a VPC with 2 private subnets in different availability zones. The reason you get timeouts is that for each subnet you add to the load balancer, it gets one external IP address (try 'dig elb-dns-name-here' and you will see several IP addresses). If one of these IP addresses maps to a private subnet, it will time out. The IP that maps into your public subnet will work. Because DNS may give you any one of the IP addresses, sometimes it works, sometimes it times out.
After some back and forth with Amazon, we discovered that the ELB should only be placed in 'public' subnets, that is, subnets that have a route out to the Internet Gateway. We wanted to keep our web servers in our private subnets but allow the ELB to talk to them. To solve this, we had to ensure that we had a corresponding public subnet for each availability zone in which we had private subnets. We then added the public subnets for each availability zone to the ELB.
At first, this didn't seem to work, but after trying everything, we recreated the ELB and everything worked as it should. I think this is a bug, or the ELB was just in an odd state from so many changes.
Here is more or less what we did:
The key here is understanding that you are not "adding subnets/availability zones" to the ELB, but rather specifying which subnets to put ELB instances into.
Yes, ELB is a software load balancer, and when you create an ELB object, a custom load-balancing EC2 instance is put into all the subnets that you specified. So for the ELB (its instances) to be accessible, they have to be put into subnets that have a default route configured via the IGW (most likely you classified these subnets as public).
So, as was already answered above, you have to specify "public" networks for the ELB, and those networks should be from the AZs where your EC2 instances are running. In this case the ELB instances will be able to reach your EC2 instances (as long as security groups are configured correctly).
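As an added example (not code from any of the answers above), the following Python check verifies the point both answers make: that every subnet the ELB is placed in actually has a default route to an internet gateway, including the easily missed case of a subnet with no explicit route-table association, which falls back to the VPC's main route table. It runs on constructed data shaped like the EC2 DescribeRouteTables response; the subnet, table and gateway IDs are made up.

```python
# Added example (not from the answers above): flag ELB subnets whose effective route
# table has no default route to an internet gateway. Dict shapes follow the EC2
# DescribeRouteTables response; the IDs and values below are constructed.
ROUTE_TABLES = [  # constructed: main table is private (NAT), one explicit public table
    {
        "RouteTableId": "rtb-main",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"},
        ],
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
    },
    {
        "RouteTableId": "rtb-public",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"},
        ],
        "Associations": [
            {"Main": False, "SubnetId": "subnet-pub-a", "RouteTableId": "rtb-public"},
            {"Main": False, "SubnetId": "subnet-pub-b", "RouteTableId": "rtb-public"},
        ],
    },
]

def route_table_for(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def is_public(subnet_id, route_tables):
    """True if the effective route table sends 0.0.0.0/0 to an active igw-* route."""
    rt = route_table_for(subnet_id, route_tables)
    return rt is not None and any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and r.get("State") == "active"
        and str(r.get("GatewayId", "")).startswith("igw-")
        for r in rt["Routes"]
    )

def check_elb_subnets(elb_subnets, route_tables):
    """Subnets that make the ELB's DNS hand out addresses nobody can reach."""
    return sorted(s for s in elb_subnets if not is_public(s, route_tables))
```

Against a real account you would pass `ec2.describe_route_tables()["RouteTables"]` from boto3 in place of the constructed list, and the ELB's subnet IDs from the load balancer description.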
We've implemented ELB in a private subnet, so the statement that all ELBs need to be public isn't completely true. You do need a NAT. Create a private subnet for the private ELBs, turn on VPC DNS and then make sure the private routing table is configured to go through the NAT. The subnet security groups also need to be set up to allow traffic between ELB and App, and App to DB subnets.
Beanstalk health checks won't work as they can't reach the load balancer, but for services that need to be outside of the public reach this is a good compromise.
Suggested reading to get your VPC architecture started: http://blog.controlgroup.com/2013/10/14/guided-creation-of-cloudformation-templates-for-vpc/.
You must add the following settings.
The trick is routing:
ELB details:
1. Zone: Public subnet zone c
2. Instance: Server Web
3. Security Groups: enable ports
http://docs.amazonaws.cn/en_us/ElasticLoadBalancing/latest/DeveloperGuide/UserScenariosForVPC.html
Adding a diagram to Nathan's answer. Full medium post here: https://nav7neeet.medium.com/load-balance-traffic-to-private-ec2-instances-cb07058549fd