6

Amazon's load balancers have a network security policy which swallows ICMP packets for both ping and traceroute. It is listed as security group amazon-elb/amazon-elb-sg. Personally I find these tools pretty helpful in diagnosing problems, so I'd like to be able to use them on my service. I'd rather the load balancer either responds to these requests or forwards them.

Is there any way to change the security group settings on an ELB? Or any other way to verify IP connectivity to the ELB?

Update

To be clear, I see no way in the AWS console either to set the SG on a newly created ELB or to change the SG on an existing ELB.

Leopd

2 Answers

8

Yes, this works for Classic Load Balancers and Application Load Balancers. Go into your security group settings and permit incoming ICMP traffic on the one that is assigned to your ELB. Security groups work the same whether they're assigned to an ELB or EC2 instance.

I just tested and confirmed:

[jjbegin@bane ~]$ ping elb01-2026631704.us-east-1.elb.amazonaws.com 
PING elb01-2026631704.us-east-1.elb.amazonaws.com (107.23.23.138) 56(84) bytes of data.
64 bytes from ec2-107-23-23-138.compute-1.amazonaws.com (107.23.23.138): icmp_seq=1 ttl=51 time=36.2 ms
64 bytes from ec2-107-23-23-138.compute-1.amazonaws.com (107.23.23.138): icmp_seq=2 ttl=51 time=35.9 ms
^C
--- elb01-2026631704.us-east-1.elb.amazonaws.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1473ms
rtt min/avg/max/mdev = 35.985/36.121/36.258/0.233 ms
[jjbegin@bane ~]$ 

NOTE: This does not work for Network Load Balancers (NLB). They do not have security groups and all ICMP Packets except for Type 3 (Destination Unreachable) are considered "Unintended traffic" and are not forwarded to any targets. Source

Aaron Chamberlain
jamieb
  • My ELB has a security group which I do not own. It is owned by "amazon-elb" and I see neither an option to change the security group nor an option to set the security group when I create a new ELB. – Leopd Jan 22 '13 at 18:23
  • You must be using Elastic Beanstalk. In that case, there is no way to adjust the security group settings on the ELB's security groups. And you can't add/remove a security group unless you're using a VPC. What are you trying to do? Monitor uptime? – jamieb Jan 22 '13 at 18:31
  • I'm not using beanstalk. I'm trying to figure out what's wrong when things go wrong. – Leopd Jan 22 '13 at 19:17
  • You don't see something like this? http://i.imgur.com/fFdqvEA.png – jamieb Jan 22 '13 at 19:22
  • I do not. http://i.imgur.com/dQDy9jr.png – Leopd Jan 22 '13 at 20:00
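
Added example, not part of the answer or comments above: a check of whether a security group's inbound rules would admit a ping from a given address, run against rule data shaped like the output of `aws ec2 describe-security-groups`. The sample group, its ID and CIDRs are constructed, the function names are hypothetical, and only IPv4 CIDR rules are evaluated (rules that reference another security group are ignored).

```python
import ipaddress

ECHO_REQUEST = 8  # ICMP type sent by ping

# Constructed sample, shaped like one entry of the "SecurityGroups" list
# returned by `aws ec2 describe-security-groups`; ID and CIDRs are made up.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # For icmp rules FromPort is the ICMP type and ToPort the ICMP code;
        # -1 in either field means "all".
        {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "icmp", "FromPort": 3, "ToPort": 4,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def rule_covers_icmp(rule, icmp_type, icmp_code=0):
    """True if the rule's protocol/type/code fields cover this ICMP message."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule, carries no port fields
        return True
    if proto != "icmp":
        return False
    type_ok = rule.get("FromPort", -1) in (-1, icmp_type)
    code_ok = rule.get("ToPort", -1) in (-1, icmp_code)
    return type_ok and code_ok


def ping_allowed(group, source_ip):
    """True if any inbound rule admits an ICMP echo request from source_ip."""
    src = ipaddress.ip_address(source_ip)
    for rule in group.get("IpPermissions", []):
        if not rule_covers_icmp(rule, ECHO_REQUEST):
            continue
        for rng in rule.get("IpRanges", []):
            if src in ipaddress.ip_network(rng["CidrIp"]):
                return True
    return False


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, "ping allowed" if ping_allowed(SAMPLE_GROUP, ip) else "ping dropped")
```

The second address is dropped even though an ICMP rule is open to 0.0.0.0/0, because that rule covers only type 3 code 4, not echo request.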
5

This is possible in a VPC, but not in stock EC2.

ceejayoz