
I can't get an elastic beanstalk app with a public ELB but private EC2 instances to work.

I created a basic eb config with eb init. This results in the following config:

branch-defaults:
  default:
    environment: test3
    group_suffix: null
global:
  application_name: test
  branch: null
  default_ec2_keyname: null
  default_platform: Node.js
  default_region: us-east-1
  include_git_submodules: true
  instance_profile: null
  platform_name: null
  platform_version: null
  profile: null
  repository: null
  sc: null
  workspace_type: Application

I use the default VPC, but with 2 custom public subnets (to prevent peering CIDR conflicts with another account and an external DB).

I now try to deploy the eb app with the following options:

# powershell
eb create --profile dev `
          --sample `
          --vpc.id vpc-123abc `
          --vpc.ec2subnets "subnet-123,subnet-456" `
          --vpc.elbsubnets "subnet-123,subnet-456" `
          -sr arn:aws:iam::<account>:role/service-role/aws-elasticbeanstalk-service-role `
          --vpc.elbpublic `
          test8

This does not work. The initial instance never passes health checks and the creation of the EB environment is considered a failure after 15 minutes or so. It is never accessible from the internet.

HOWEVER, adding the option --vpc.publicip makes this work! I can access the webpage just fine from the internet using the EB environment address. But I shouldn't need public IPs on each instance. So what am I missing?

I ran both these commands with different environment names and compared their security groups, ELB settings, etc. I can't find any differences. Why do these instances need public IPs to pass health checks and connect to the ELB?

  • Is a NAT gateway set up in your VPC with routes from the private subnets? This allows instances in the private subnets to communicate with the internet and pull updates or other resources. You can place the NAT Gateway in the public subnet and route private subnet traffic there. Please note, the NAT Gateway does have an additional charge. This applies only if it's required for your setup, of course. Commented Apr 10 at 3:48
  • There are no private subnets involved. As you can see from the config, the ELB and EC2 settings both use the same subnets. Can't I put the instances in a public subnet without public IPs? Or is that not allowed? I thought a public subnet made it more "optional" to expose them directly to the public net but not a requirement. Is this not true? Commented Apr 10 at 4:02
  • Sorry, missed that detail. Even if they are both located within the same public subnet, the EC2 instances will not be able to communicate externally for updates through the Internet Gateway unless there's a NAT Gateway route available, if they only have a private IP. This could be why they fail health checks, as the application or configuration might require something external, but it's just something I would keep in mind when troubleshooting in case it's an issue. Commented Apr 10 at 8:35

1 Answer


You currently have the instances deployed to public subnets, without public IP addresses assigned, so the instances have no access to the Internet. For an EC2 instance to have access to the Internet one of the following scenarios must be met:

  • Deployed to a public subnet (subnet with a route to an Internet Gateway) and public IP address assigned to the EC2 instance.
  • Deployed to a private subnet (subnet with a route to a NAT Gateway).

Elastic Beanstalk instances need to communicate with the Elastic Beanstalk service API. They can't do that without either Internet access, or endpoints configured in the VPC.

Even if you configure those endpoints in your VPC so that the instances can communicate with the AWS services they need to talk to, the servers may still fail to start up if you have them configured to download anything from the Internet like application dependencies or OS updates, in which case you would need to configure them with Internet access.
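As an added diagnostic (not code from the question, the answer, or the EB CLI), the check below reads a route table in the shape `aws ec2 describe-route-tables` returns and classifies an instance's Internet egress the way the answer describes: an IGW route only works together with a public IP, a NAT route works without one. The route tables and gateway IDs are constructed placeholders, and VPC endpoints are not modelled.

```python
from typing import Optional


def default_route_target(route_table: dict) -> Optional[str]:
    """Return the target of the active 0.0.0.0/0 route (igw-*, nat-*, ...) or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State") == "blackhole":  # e.g. the NAT gateway was deleted
            continue
        return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def egress_path(route_table: dict, has_public_ip: bool) -> str:
    """Classify how an instance in this subnet reaches the Internet.

    Encodes the answer's two working cases: an IGW route plus a public IP,
    or a route to a NAT gateway. An IGW route without a public IP (the
    question's failing setup) yields no usable path.
    """
    target = default_route_target(route_table)
    if target is None:
        return "none: no default route"
    if target.startswith("igw-"):
        return "internet-gateway" if has_public_ip else "none: IGW route but no public IP"
    if target.startswith("nat-"):
        return "nat-gateway"
    return f"other: {target}"


def eb_egress_path(route_table: dict, eb_create_flags: list) -> str:
    """Map eb create VPC flags to the classification; only --vpc.publicip matters here."""
    return egress_path(route_table, "--vpc.publicip" in eb_create_flags)


# Constructed samples in describe-route-tables shape; the IDs are placeholders.
PUBLIC_RT = {"Routes": [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0EXAMPLE", "State": "active"},
]}
PRIVATE_RT = {"Routes": [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0EXAMPLE", "State": "active"},
]}

if __name__ == "__main__":
    # The question's failing command versus the one that worked.
    print(eb_egress_path(PUBLIC_RT, ["--vpc.elbpublic"]))                   # none: IGW route but no public IP
    print(eb_egress_path(PUBLIC_RT, ["--vpc.elbpublic", "--vpc.publicip"]))  # internet-gateway
    print(egress_path(PRIVATE_RT, False))                                    # nat-gateway
```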
