
We run a wiki on an EC2 instance that sits behind an Elastic Load Balancer. The EC2 instance does not have a public IP, and traffic from the internet is routed to the ELB through Route53. We noticed that the wiki was not sending emails, and while troubleshooting I realized that if I add an Elastic IP then the wiki does send emails just fine. It's maybe worth noting that the database and the EC2 instance are part of the same VPC, region and account, but the EC2 instance and the Simple Email Service belong to different AWS accounts.

I checked the security group of the EC2 instance, the ELB security group and the VPC network ACL; they all allow outbound traffic everywhere, which leaves me at a loss as to why it would not be able to connect to SES.

Ideally we wouldn't need a public IP on the EC2 in order to send email.

Is there anything I should check or is there a known way to make this work?

– Purefan

1 Answer

Since you can add an Elastic IP to your EC2 instance, I am assuming it is in a public subnet. In your setup, you cannot reach the internet (the SES endpoint in another region) from your EC2 instance. Your Load Balancer (in the same public subnet), however, can reach your EC2 instance, which is why your site is working.

The easiest solution would be to place your EC2 instance in your private subnet (e.g. the one where your database is). Then you can route via your NAT Gateway to the internet, and should be able to send mails via SES just fine.

A workaround would be to assign any public IP to the instance. It does not need to be an Elastic IP.

– M. Glatki

Comments:
  • But the EC2 must be in the public subnet so the ELB can reach it, or did I get that wrong? We do SSL offloading at the ELB so we cannot skip it. – Purefan Aug 09 '18 at 15:11
  • The EC2 instances do not need to be in the public subnet to be reached by the ELB. – Hieu Le Aug 09 '18 at 15:45
  • The AWS load balancer can route to the private subnet. In fact, that's how I would recommend doing it. – M. Glatki Aug 09 '18 at 17:09
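The answer's diagnosis (public subnet, no public IP, so the internet gateway will not carry the instance's outbound traffic) can be checked from the VPC route tables before touching the instance. The following is an added example, not code from the question, the answer, or AWS: it parses the JSON shape of `aws ec2 describe-route-tables --output json`, finds which route table applies to a subnet (explicit association, otherwise the VPC's main table), reads the target of the `0.0.0.0/0` route, and combines that with whether the instance has a public IP. An internet gateway only forwards traffic for instances that have a public IPv4 address, while a NAT gateway works for instances with only a private address, which is exactly the distinction the answer relies on. All subnet, route table, gateway and VPC IDs below are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables --output json`.
# Every ID is a hypothetical placeholder, not a value from the question.
SAMPLE_DESCRIBE_ROUTE_TABLES = json.dumps({
    "RouteTables": [
        {   # Main table: only the VPC-local route, so subnets without an
            # explicit association cannot reach the internet at all.
            "RouteTableId": "rtb-main0000",
            "VpcId": "vpc-00000000",
            "Associations": [{"Main": True, "RouteTableId": "rtb-main0000"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            ],
        },
        {   # Public subnet: default route to an internet gateway.
            "RouteTableId": "rtb-public00",
            "VpcId": "vpc-00000000",
            "Associations": [{"Main": False, "RouteTableId": "rtb-public00",
                              "SubnetId": "subnet-public0"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000", "State": "active"},
            ],
        },
        {   # Private subnet: default route to a NAT gateway.
            "RouteTableId": "rtb-private0",
            "VpcId": "vpc-00000000",
            "Associations": [{"Main": False, "RouteTableId": "rtb-private0",
                              "SubnetId": "subnet-private"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-00000000", "State": "active"},
            ],
        },
    ]
})


def route_table_for_subnet(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_table):
    """Return the target ID of the active 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        for key in ("GatewayId", "NatGatewayId", "NetworkInterfaceId",
                    "InstanceId", "TransitGatewayId"):
            if key in route:
                return route[key]
    return None


def classify_subnet(describe_output_json, subnet_id):
    """'public' (IGW default route), 'private-nat' (NAT gateway), 'isolated' (no default route)."""
    tables = json.loads(describe_output_json)["RouteTables"]
    rt = route_table_for_subnet(tables, subnet_id)
    if rt is None:
        return "unknown"
    target = default_route_target(rt)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private-nat"
    return "other"


def can_reach_internet(describe_output_json, subnet_id, has_public_ip):
    """Can an instance on subnet_id open connections to the internet (e.g. the SES endpoint)?

    Returns (bool, reason)."""
    kind = classify_subnet(describe_output_json, subnet_id)
    if kind == "public":
        if has_public_ip:
            return True, "public subnet with a public/Elastic IP: the internet gateway carries its traffic"
        return False, "public subnet but no public IP: an internet gateway only forwards for instances that have one"
    if kind == "private-nat":
        return True, "default route via a NAT gateway: outbound works without a public IP"
    if kind == "isolated":
        return False, "no default route: the subnet cannot reach the internet"
    return False, f"default route target not handled by this check: {kind}"


if __name__ == "__main__":
    # The three situations from the thread: the original setup, the workaround, the fix.
    for subnet, public_ip in (("subnet-public0", False), ("subnet-public0", True), ("subnet-private", False)):
        ok, why = can_reach_internet(SAMPLE_DESCRIBE_ROUTE_TABLES, subnet, public_ip)
        print(f"{subnet} public_ip={public_ip}: {'OK' if ok else 'BLOCKED'} ({why})")
```

To run it against a real account, replace the sample with the output of `aws ec2 describe-route-tables --output json` and pass the instance's subnet ID (from `aws ec2 describe-instances`) and whether it has a public IP. The check deliberately stops at the route table: it says nothing about security groups or network ACLs, which the question already confirms are open, and treats any target other than an internet or NAT gateway as "not handled" rather than guessing.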