
I built this traffic route in a VPC.

Route53->ACM(SSL)->Public ALB->EC2(Nginx proxy)->Private ALB->ECS(Internal App)

The EC2's security group allows TCP 80 and 443. The ECS security group allows 80 from the EC2's security group.

When I access the domain registered in Route53, I get a 504 DNS lookup failed error. When I access the public ALB's DNS name I get a 503 Service Temporarily Unavailable error.

I'm sure the ACM certificate is set up and the public LB's DNS name is registered in Route53 for the domain.

The ALB settings on the public subnet are done with Terraform:

resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.this.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb_listener_rule" "http_redirect" {
  listener_arn = aws_lb_listener.proxy.arn
  priority     = 1

  action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }

  condition {
    path_pattern {
      values = ["/*"]
    }
  }
}

resource "aws_lb_listener_rule" "http_forward" {
  listener_arn = aws_lb_listener.http.arn
  priority     = 2

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.proxy.arn
  }

  condition {
    host_header {
      values = ["proxy.portsite.com"]
    }
  }
}

resource "aws_lb_listener_rule" "https_forward" {
  listener_arn = aws_lb_listener.https.arn

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.proxy.arn
  }

  condition {
    host_header {
      values = ["proxy.portsite.com"]
    }
  }
}

Are both http_redirect and http_forward necessary for the routing? Or is http_redirect alone enough? And is the issue caused by it?

uotn
  • the last two resources: "aws_lb_listener_rule" "https_forward" seem the same (except the priority) – exeral Oct 09 '21 at 08:24

1 Answer


The redirect rules are used to force HTTP to HTTPS.

To send traffic to a backend you need to use the forward action.

You can check the HTTP "Server" header to know who is sending the 503 error (either the ALB, nginx, ECS, ...)

"The ECS' security group is allowing 80 from EC2's security group.": the ECS security group must allow the private ALB, and the private ALB security group must allow the EC2 instance.

exeral
  • Thank you for the answer. The 503 error came from the public ALB's DNS name, like `proxy-1130301830.us-east-1.elb.amazonaws.com`. The ECS SG allows the private ALB and the private ALB SG allows the IP of the EC2. – uotn Oct 10 '21 at 08:50
  • I found the target group is unhealthy. I set the EC2's IP in it directly. The EC2 is in the private subnet, the target group belongs to the public subnet's ALB. So they can't communicate? - https://imgur.com/a/7Crag5l - https://imgur.com/a/gf0hmzq – uotn Oct 10 '21 at 09:57
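A security-group layout for the hop chain the answer describes (public ALB -> EC2 nginx -> private ALB -> ECS), as an added example that is not code from the question or the answer. It assumes a VPC resource named aws_vpc.this, and it chains the groups by security-group reference instead of the instance IP mentioned in the comments, so the rules stay valid when instances or ALB nodes change address.

```hcl
locals {
  hops  = { public_alb = "public-alb", nginx_proxy = "nginx-proxy", private_alb = "private-alb", ecs_app = "ecs-app" }
  # previous hop for each internal hop
  chain = { nginx_proxy = "public_alb", private_alb = "nginx_proxy", ecs_app = "private_alb" }
}

resource "aws_security_group" "hop" {
  for_each = local.hops
  name     = each.value
  vpc_id   = aws_vpc.this.id # assumed VPC resource name

  # Egress stays open so health checks and upstream calls can leave.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Only the public ALB is reachable from the internet: 443 for TLS, and 80
# solely so the redirect listener can answer.
resource "aws_security_group_rule" "internet_to_public_alb" {
  for_each          = toset(["80", "443"])
  type              = "ingress"
  security_group_id = aws_security_group.hop["public_alb"].id
  from_port         = tonumber(each.value)
  to_port           = tonumber(each.value)
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Each internal hop accepts port 80 only from the previous hop's group.
# A group reference, not an IP, so the rule follows the resource rather
# than a particular address.
resource "aws_security_group_rule" "hop_ingress" {
  for_each                 = local.chain
  type                     = "ingress"
  security_group_id        = aws_security_group.hop[each.key].id
  source_security_group_id = aws_security_group.hop[each.value].id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
}
```

With this layout an unhealthy target usually points at the target group's health-check port or path rather than at the security groups, since every hop's ingress is already matched to the group that sends the health checks.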