#python

numerous-barista-36019

02/13/2021, 12:32 AM
Hi, I have some questions about an AWS ELB-EC2-RDS 3-tier architecture in a VPC. I'm new to IaC, not good at AWS, and my code should be refactored, but I need some help and understanding about why my ELB (or VPC, or web server) is not working. https://github.com/SeongIkKim/pulumi-aws-3-tier/blob/master/__main__.py This is my code, and my ALB is not successful at health checks and routing for my EC2 servers. When I go to the ALB public DNS, I see a 502 Bad Gateway error. I know that this question is quite broad, but I can't get it anyway. In my suspicion, there are some points:
1. EC2 / LB security group. I don't know how to attach my LB SG to EC2. (It was easy in the console, but...)
2. The VPC subnet is not well-structured, so my ALB is pointing at some useless route..?
3. The EC2 user data (SimpleHTTP WAS setting) is not made.
For the 3rd, however, I can't get logs because Pulumi provisions the instance without a keypair. I've tried to get into EC2 with a bastion host, but there is no public key in the instance.

brave-angle-33257

02/13/2021, 12:56 AM
if you are an Admin on the AWS account you can probably get into the host using SSM Systems Manager sessions
assuming the host is running a newer Ubuntu or Amazon Linux image
you might need to add a role to the EC2 instance, but then at least you can get onto the machine and curl locally to see if the web server is working
looking at the target group's targets should tell you if they are "healthy" or not
if not, then:
• make sure the webserver is online
• make sure locally you can curl it
• review your target group health check settings (check the path and port)
• if they aren't passing, then likely it is an issue between ALB and EC2 networking or security groups. Usually I make the ingress on the ALB 80/443, with no restriction on outbound.
another good thing is to create a "self referencing security group" and apply that to the ALB, the EC2 instances, and the RDS; that allows them all to communicate with each other (allow all traffic). Start with that, it makes it easier. I don't tend to restrict outbound traffic.
also, make sure your VPC allows NACL traffic at the subnet level
even though the security group allows it, that doesn't mean the subnet or VPC does
good luck!

numerous-barista-36019

02/13/2021, 12:20 PM
@brave-angle-33257 really THANKS for your comments! I found the real cause of my problem, the EC2 user-data script, because Ubuntu 20.04 supports only python3 http.server, not python SimpleHTTPServer ☹️ Now my load balancer is healthy, and I've got a slightly more exact view of VPC, ALB, and ports. It's a bit annoying, but interesting! Your comments about SSM and ports really saved me. Thanks to you again.

brave-angle-33257

02/13/2021, 3:21 PM
you're welcome!!!!