How to set a public LB route to a proxy on AWS?

uotn

2/9/23, 4:03 AM

I built this traffic route in a VPC.

Route53->ACM(SSL)->Public ALB->EC2(Nginx proxy)->Private ALB->ECS(Internal App)

The EC2's security group is allowing tcp 80 and 443. The ECS' security group is allowing 80 from EC2's security group.

When I access the domain registered in Route53, it got 504 DNS look up failed error. When access the public ALB's DNS name got 503 Service Temporarily Unavailable error.

I'm sure the ACM is setting and the public LB's DNS name is registering to the Route53 with the domain.

The ALB settings on the public subnet are doing by Terraform

resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.this.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb_listener_rule" "http_redirect" {
  listener_arn = aws_lb_listener.proxy.arn
  priority     = 1

  action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }

  condition {
    path_pattern {
      values = ["/*"]
    }
  }
}

resource "aws_lb_listener_rule" "http_forward" {
  listener_arn = aws_lb_listener.http.arn
  priority     = 2

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.proxy.arn
  }

  condition {
    host_header {
      values = ["proxy.portsite.com"]
    }
  }
}

resource "aws_lb_listener_rule" "https_forward" {
  listener_arn = aws_lb_listener.https.arn

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.proxy.arn
  }

  condition {
    host_header {
      values = ["proxy.portsite.com"]
    }
  }
}

Are both http_redirect and http_forward necessary for the routing? Or only http_redirect is good? And, does the issue caused by it?

0 + 0

ssl

route

amazon-vpc

amazon-alb

exeral

2/9/23, 8:24 AM

the last two ressources: "aws_lb_listener_rule" "https_forward" seems the same (except the prio)

Score:0

Server

exeral

2/9/23, 8:23 AM

The redirect rule are used to force http to httpS.

To send traffic to a backend you need to use the forward action.

You can check the HTTP "Server" header to know who is sending the 503 error (either the ALB, nginx, ECS, ...)

The ECS' security group is allowing 80 from EC2's security group. : ECS security group must allow the private ALB. the private ALB security group must allow the EC2 instance

0 + 0

uotn

2/10/23, 8:50 AM

Thank you for answer. The 503 error came from the public ALB's DNS name. Like `proxy-1130301830.us-east-1.elb.amazonaws.com`. The ECS sg is allowing the private ALB and the private ALB sg is allowing the IP of EC2.

uotn

2/10/23, 9:57 AM

I found the target group is unhealthy. I set the EC2's IP to it directly. EC2 is in the private subnet, the target group is in the public subnet's ALB. So they can't communicate? - https://imgur.com/a/7Crag5l - https://imgur.com/a/gf0hmzq

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to set a public LB route to a proxy on AWS?

TH: จะตั้งค่าเส้นทาง LB สาธารณะเป็นพร็อกซีบน AWS ได้อย่างไร

RO: Cum să setați o rută publică LB către un proxy pe AWS?

RU: Как установить общедоступный маршрут LB к прокси на AWS?

VI: Làm cách nào để đặt tuyến LB công khai thành proxy trên AWS?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.