Accessing AWS EC2 instances through an ELB

Posted 2025-01-08 09:17:45

I'm trying to set up two instances under an elastic load balancer, but cannot figure out how I'm supposed to access the instances through the load balancer.

I've set up the instances with a security group to allow access from anywhere to certain ports. I can access the instances directly using their "Public DNS" (publicdns) host name and the port PORT:

http://[publicdns]:PORT/

The load balancer contains the two instances and they are both "In Service" and it's forwarding the port (PORT) onto the same port on the instances.

However, if I request

http://[dnsname]:PORT (where dnsname is the A Record listed for the ELB)

it doesn't connect to the instance (connection times out).

Is this not the correct way to use the load balancer, or do I need to do anything to allow access to the load balancer? The only mention of security groups in relation to the load balancer is to restrict access to the instances to the load balancer only, but I don't want that. I want to be able to access them individually as well.

I'm sure there's something simple and silly that I've forgotten, not realised or done wrong :P

Cheers,
Svend.


Extra info added:

The Port Configuration for the Load Balancer looks like this (actually 3 ports):

10060 (HTTP) forwarding to 10060 (HTTP)
Stickiness: Disabled(edit)

10061 (HTTP) forwarding to 10061 (HTTP)
Stickiness: Disabled(edit)

10062 (HTTP) forwarding to 10062 (HTTP)
Stickiness: Disabled(edit)

And it's using the standard/default elb security group (amazon-elb-sg).

The instances have two security groups. One external looking like this:

22 (SSH)        0.0.0.0/0
10060 - 10061   0.0.0.0/0
10062           0.0.0.0/0

and one internal, allowing anything within the internal group to communicate on all ports:

0 - 65535 sg-xxxxxxxx (security group ID)

Not sure it makes any difference, but the instances are m1.small types of image ami-31814f58.


Something that might have relevance:

My health check used to be HTTP:PORT/ but the load balancer kept saying that the instances were "Out of Service", even though I seem to get a 200 response on the request on that port.

I then changed it to TCP:PORT and it then changed to say they were "In Service".

Is there something very specific that should be returned for the HTTP one, or is it simply an HTTP 200 response that's required? ... and does the fact that it wasn't working hint towards why the load balancing itself wasn't working either?

Comments (2)

空城缀染半城烟沙 2025-01-15 09:17:45

It sounds like you have everything set up correctly. Are they the same ports going into the load balancer as the instance? Or are you forwarding the request to another port?

As a side note, when I configure my load balancers I don't generally like to open up my instances on any port for the general public. I only allow the load balancer to make requests to those instances. I've noticed in the past that many people will make malicious requests to the IP of the instance trying to find a security breach. I've even seen people trying to brute force login into my Windows machines....

To create a security rule only for the load balancers, run the following commands and remove any other rules you have in the security group for the port the load balancer is using. If you're not using the command line to run these commands then just let me know which interface you're trying to use and I can try to come up with a sample that will work for you.

elb-create-lb-listeners <load-balancer> --listener "protocol=http, lb-port=<port>, instance-port=<port>"
ec2-authorize <security-group> -o amazon-elb-sg -u amazon-elb

Back to your question. Like I said, the steps you explained are correct; opening the port on the instance and forwarding the port to the instance should be enough. Maybe you need to post the full configuration of your instance's security group and the load balancer so that I can see if there is something else affecting your situation.
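As an added illustration (not code from the thread or from AWS), here is a small audit of the setup the question describes against the advice in this answer: it flags listener ports that no rule lets the ELB reach (the time-out symptom) and ports that are open to the whole internet instead of only to the ELB, and rewrites the latter to ELB-only rules. The ELB source is modelled as the owner/group pair that `ec2-authorize -o amazon-elb-sg -u amazon-elb` grants; the listener and rule values are constructed from the question, with `sg-xxxxxxxx` kept as the placeholder the poster used.

```python
from dataclasses import dataclass

# Source granted by `ec2-authorize <sg> -o amazon-elb-sg -u amazon-elb` (owner/group pair, not a CIDR).
ELB_SOURCE = "amazon-elb/amazon-elb-sg"
ANYWHERE = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    from_port: int
    to_port: int
    source: str  # a CIDR or an "<owner>/<group>" pair

    def covers(self, port: int) -> bool:
        return self.from_port <= port <= self.to_port

def audit(listeners, rules):
    """Classify each listener's instance port.
    unreachable: no rule admits ELB traffic (the connection time-out in the question)
    public:      open to 0.0.0.0/0, so the ELB gets in but so does everyone else
    elb-only:    reachable only from the ELB group (what this answer recommends)"""
    result = {}
    for _lb_port, inst_port in listeners:
        sources = {r.source for r in rules if r.covers(inst_port)}
        if not sources & {ANYWHERE, ELB_SOURCE}:
            result[inst_port] = "unreachable"
        elif ANYWHERE in sources:
            result[inst_port] = "public"
        else:
            result[inst_port] = "elb-only"
    return result

def harden(listeners, rules):
    """Rewrite 0.0.0.0/0 rules on listener ports to ELB-only, one port per rule,
    leaving ports the ELB does not serve (e.g. SSH) exactly as they were."""
    served = {inst_port for _lb_port, inst_port in listeners}
    hardened = []
    for r in rules:
        if r.source != ANYWHERE or not any(r.covers(p) for p in served):
            hardened.append(r)
            continue
        for p in range(r.from_port, r.to_port + 1):
            hardened.append(Rule(p, p, ELB_SOURCE if p in served else ANYWHERE))
    return hardened

# Constructed from the question: three HTTP listeners, the external group's rules,
# and the internal group's self-referencing all-ports rule (sg-xxxxxxxx as on the page).
LISTENERS = [(10060, 10060), (10061, 10061), (10062, 10062)]
RULES = [Rule(22, 22, ANYWHERE), Rule(10060, 10061, ANYWHERE),
         Rule(10062, 10062, ANYWHERE), Rule(0, 65535, "self/sg-xxxxxxxx")]
```

Running `audit(LISTENERS, RULES)` reports every served port as "public"; after `harden` they become "elb-only" while the SSH rule is untouched.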

转身以后 2025-01-15 09:17:45

I went ahead and created a script that will reproduce the same exact steps that I'm using. This assumes you're using Linux as an operating system and that the AWS CLI tools are already installed. If you don't have this setup already, I recommend starting a new Amazon Linux micro instance and running the script from there since they have everything already installed.

  1. Download the X.509 certificate files from amazon https://aws-portal.amazon.com/gp/aws/securityCredentials

  2. Copy the certificate files to the machine where you will run the commands

  3. Save two variables that are required in the script

    aws_account=<aws account id>
    keypair="<key pair name>"
    
  4. Export the certificates as environment variables

    export EC2_PRIVATE_KEY=<private_Key_file>
    export EC2_CERT=<cert_file>
    export EC2_URL=https://ec2.us-east-1.amazonaws.com
    
  5. Create the security groups

    ec2-create-group loadbalancer-sg -d "Loadbalancer Test group"
    ec2-authorize loadbalancer-sg -o loadbalancer-sg -u $aws_account
    ec2-authorize loadbalancer-sg -p 80 -s 0.0.0.0/0
    
  6. Create the user-data file for the instance so that Apache is started and the index.html file is created

    mkdir -p ~/temp/ 
    echo '#! /bin/sh
    yum -qy install httpd
    touch /var/www/html/index.html
    /etc/init.d/httpd start' > ~/temp/user-data.sh
    
  7. Start the new instance and save the instanceid

    instanceid=$(ec2-run-instances ami-31814f58 -k "$keypair" -t t1.micro -g loadbalancer-sg -g default -z us-east-1a -f ~/temp/user-data.sh | grep INSTANCE | awk '{ print $2 }')
    
  8. Create the loadbalancer and attach the instance

    elb-create-lb test-lb --availability-zones us-east-1a --listener "protocol=http, lb-port=80, instance-port=80"
    elb-register-instances-with-lb test-lb --instances $instanceid
    
  9. Wait until your instance state in the load balancer is "InService" and try to access the URLs