
(I am trying to understand how ELB networking works within a VPC, and am posting this question.)

When we add two subnets to a public ELB:

    aws elb create-load-balancer --load-balancer-name my-load-balancer --listeners "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=80" --subnets subnet-15aaab61 subnet-198aab81

I assume I need to set up these two subnets as public subnets before running this step -- is this understanding correct? Also, I assume the above public subnets must be configured to automatically assign public IPs to each of their instances (otherwise, DNS resolution of this ELB destination won't get a publicly addressable IP) -- is this understanding also correct?

Next, I have instances running in two private subnets and I register them to the ELB that were created above. I guess I need to make sure the two public subnets and the two private subnets are connected -- do I need to do extra work to make that happen? (i.e., Will the default 10.0.0.0/16 -> local rule be sufficient? I thought so, but [1] seems to say otherwise because it added a NAT rule in the context of ELB setup procedure)

Thanks for helping me understand the ELB related networking.

[1] Blog about ELB and route table

chen

2 Answers


I assume I need to set up these two subnets as public subnets before running this step -- is this understanding correct?

Not technically. But they will need to be set up this way before the ELB will be usable.

Also, I assume the above public subnets must be configured to automatically assign public IPs to each of their instances (otherwise, DNS resolution of this ELB destination won't get a publicly addressable IP) -- is this understanding also correct?

Incorrect. ELBs get their public IP addresses independently of whether the subnet is configured for automatic assignment of public IP addresses. This setting only applies to EC2 instances you create on that subnet. Not ELBs.

Next, I have instances running in two private subnets and I register them to the ELB that were created above. I guess I need to make sure the two public subnets and the two private subnets are connected -- do I need to do extra work to make that happen? (i.e., Will the default 10.0.0.0/16 -> local rule be sufficient?

Yes. All VPC subnets can always route to all other subnets in the VPC because of the local rule. You can't mess this one up, even if you try.

I thought so, but [1] seems to say otherwise because it added a NAT rule in the context of ELB setup procedure)

The NAT instance (or NAT Gateway) is referenced by the default route to allow the instances on a private subnet to initiate outbound Internet requests. It doesn't relate to traffic sent to the instances from the ELBs, or to the responses to that same traffic, which follows the "local" route -- traffic sent to the instances from a balancer has the internal source IP address of the balancer, not the address of the browser accessing the ELB.

Michael - sqlbot
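As an added check that is not part of the question or either answer, the following Python reads data in the shape of `aws ec2 describe-route-tables` output, classifies each subnet the way the answer above describes (public = default route to an internet gateway, private = default route via NAT), and flags the layout problems the question is about: an ELB subnet that is not public, a backend subnet that is public, or a missing local route. The route-table JSON is a constructed sample; only the two subnet IDs come from the question, every other ID is made up.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output; the two subnet IDs are
# the ones from the question, every other ID is made up.
SAMPLE = json.loads("""{"RouteTables": [
 {"RouteTableId": "rtb-public",
  "Associations": [{"SubnetId": "subnet-15aaab61"}, {"SubnetId": "subnet-198aab81"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000000000000001"}]},
 {"RouteTableId": "rtb-private", "Associations": [{"Main": true}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000000000000001"}]}]}""")

def route_table_for(subnet_id, tables):
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in tables["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def classify_subnet(subnet_id, tables):
    """public: default route to an IGW; private: default route via NAT; isolated: no default route."""
    for r in route_table_for(subnet_id, tables)["Routes"]:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("GatewayId", "").startswith("igw-"):
            return "public"
        if r.get("NatGatewayId") or r.get("InstanceId"):  # NAT Gateway or NAT instance
            return "private"
    return "isolated"

def check_elb_layout(elb_subnets, backend_subnets, tables, vpc_cidr="10.0.0.0/16"):
    """Findings for the layout in the question: ELB in public subnets, backends in private ones."""
    findings = []
    for s in elb_subnets:
        if classify_subnet(s, tables) != "public":
            findings.append(f"{s}: internet-facing ELB subnet has no route to an internet gateway")
    for s in backend_subnets:
        if classify_subnet(s, tables) == "public":
            findings.append(f"{s}: backend subnet routes to an internet gateway; keep backends private")
        # The ELB reaches backends over the 'local' route; confirm it covers the VPC CIDR.
        routes = route_table_for(s, tables)["Routes"]
        if not any(r.get("GatewayId") == "local" and r.get("DestinationCidrBlock") == vpc_cidr for r in routes):
            findings.append(f"{s}: no local route for {vpc_cidr}")
    return findings
```

Subnets with no explicit association (the two private ones in the sample) fall back to the main route table, which is why no private subnet IDs appear in the JSON.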

In order for your instances in the public subnets to have outbound internet connectivity they need to be behind an internet gateway. All instances that are created within that public subnet should automatically be assigned a public IP after you associate the internet gateway with the public VPC. If you want a server to have a fixed public IP you need to associate an Elastic IP with that node.

Instances within your VPC can talk to each other by default; the real restriction is your security group rules, which allow or prevent ingress/egress on whatever ports you set in the security group for the VPC. So if you want the public nodes to be able to talk to the private nodes, open up those ports with the security group rules.

Where you will need a NAT instance in your public subnet is if you want your private instance nodes to be able to make software updates or external calls to the internet.

You can find information about setting up the NAT instance here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html