This is a follow-up to my previous question. I'm successfully able to access the public IP over Fargate. However, after trying to attach an Application Load Balancer, I cannot access the application over the public DNS. The registered target always shows unhealthy status with a 502 error.

Sharing my configuration settings:

[Screenshots: VPC; route table, public subnet; route table, public subnet config; route table, private subnet; route table, private subnet config; ACL subnet associations; ACL inbound rules; ACL outbound rules; security inbound rules; security outbound rules; internet gateway; NAT gateway; target group; target group health status; task details; service; ALB settings; ALB listeners; target group with 8081 port]

Caffeine Coder
  • What does the target group for the ALB and the task look like? – Chris Williams Aug 20 '20 at 09:37
  • @ChrisWilliams I have attached the screenshot for ALB target group and task details. – Caffeine Coder Aug 20 '20 at 09:43
  • OK, and the security groups for both? – Chris Williams Aug 20 '20 at 09:48
  • Please refresh the page, I just added the image tags. Security outbound and inbound rules have been attached. – Caffeine Coder Aug 20 '20 at 09:53
  • I can only see one security group. Do your ALB and task both share the same security group? – Chris Williams Aug 20 '20 at 09:58
  • Yes, the default security group! – Caffeine Coder Aug 20 '20 at 10:13
  • Can you check your target groups. Your containers run on port 8081, but it seems your target group and health checks are set for port 80. – Marcin Aug 20 '20 at 13:03
  • Also make sure that your health check endpoint does not return a redirect code (302) instead of 200, or any other code than 200. Otherwise, you will have to modify the health checks. – Marcin Aug 20 '20 at 13:23
  • @Marcin, good catch! I changed the target group port to 8081 and also created a new security group with new inbound and outbound rules. I can successfully ping my load balancer DNS name. But the IP address (private IP of the subnet of my VPC) under the registered target group still shows unhealthy, but with a Request timed out status! I also overrode the health checkpoint port to 8081, and the status code to return is set to 200 by default! I have added a recent screenshot with the new target group setting in the question! – Caffeine Coder Aug 20 '20 at 13:26
  • Tasks are still publicly accessible? If you use public IP of your task, without using ALB, the application works? – Marcin Aug 20 '20 at 13:34
  • No! When I'm using the public IP of my task (reference: task details screenshot) and browse public_ip:8081/my_restendpoint, I cannot access it! – Caffeine Coder Aug 20 '20 at 13:38
  • Your HC timeout is 5 seconds. Maybe your container requires more time to respond? – Marcin Aug 20 '20 at 13:38
  • Double check the public IP access. If the tasks get killed all the time due to failing HCs in a loop, you might have tried accessing it when it was already dead or dying. So first verify that the containers work without the ALB, then you can troubleshoot the request timeout. Maybe the containers are too slow, or don't respond correctly to HC pings. – Marcin Aug 20 '20 at 13:42
  • Sadly, I have to finish for now. Please let me know how it will go and I will check later. – Marcin Aug 20 '20 at 13:43
  • @Marcin I changed the target group settings, updated the interval to 130 seconds, timeout to 120 seconds, healthy threshold to 5, unhealthy threshold to 2! Now the health check for the registered target returns a 504 status! – Caffeine Coder Aug 20 '20 at 13:51
  • Something must be happening with the containers, I think. Can you verify they are working? Maybe have to use different endpoint for the HC? – Marcin Aug 20 '20 at 22:13
  • @Marcin it works now after updating the interval time! A bit strange, as it took a couple of hours to reflect the changes! Would be curious to know the cause! – Caffeine Coder Aug 21 '20 at 11:39
  • Don't know. Indeed strange. If you don't mind I can provide answer for now? – Marcin Aug 21 '20 at 11:41
  • @Marcin yes please! – Caffeine Coder Aug 21 '20 at 11:57

1 Answer

Based on the comments.

There were two issues identified:

  1. Incorrect port on the target group. It was 80 instead of 8081.
  2. Healthy threshold timeout was too short (5 seconds). Increasing it seemed to solve the issue.
Marcin
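
An added example, not part of the original answer: an offline Python audit for the two issues listed above plus the shared-security-group question from the comments. The dict shapes follow the JSON of `aws elbv2 describe-target-groups`, `aws ec2 describe-security-groups` and an ECS task definition; the security group IDs and the 8-second observed response time are constructed assumptions.

```python
# Added example. Dicts mirror the JSON of `aws elbv2 describe-target-groups`,
# an ECS task definition, and `aws ec2 describe-security-groups`.

def container_ports(task_def):
    """Every containerPort the task definition exposes."""
    return {pm["containerPort"] for c in task_def["containerDefinitions"]
            for pm in c.get("portMappings", [])}

def sg_allows(sg, port, source_sg_id):
    """True if `sg` admits TCP `port` from members of `source_sg_id`."""
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto == "-1":                      # "all traffic" rule, no port range
            in_range = True
        elif proto == "tcp":
            in_range = perm["FromPort"] <= port <= perm["ToPort"]
        else:
            continue
        if in_range and any(p["GroupId"] == source_sg_id
                            for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False

def audit(tg, task_def, task_sg, alb_sg_id, observed_response_s):
    """Return findings; observed_response_s is an operator-measured value."""
    ports, findings = container_ports(task_def), []
    if tg["Port"] not in ports:
        findings.append(f"target group port {tg['Port']} not in container ports {sorted(ports)}")
    hc = tg["HealthCheckPort"]
    hc_port = tg["Port"] if hc == "traffic-port" else int(hc)
    if hc_port not in ports:
        findings.append(f"health check port {hc_port} not in container ports {sorted(ports)}")
    if tg["HealthCheckTimeoutSeconds"] <= observed_response_s:
        findings.append(f"health check timeout {tg['HealthCheckTimeoutSeconds']}s "
                        f"<= observed response time {observed_response_s}s")
    for port in sorted(ports):
        if not sg_allows(task_sg, port, alb_sg_id):
            findings.append(f"task security group blocks ALB on tcp/{port}")
    return findings

# Constructed sample values modelled on the thread (IDs are placeholders).
TASK_DEF = {"containerDefinitions": [{"name": "app", "portMappings": [{"containerPort": 8081}]}]}
DEFAULT_SG = {"GroupId": "sg-default", "IpPermissions": [
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-default"}]}]}
TG_BEFORE = {"Port": 80, "HealthCheckPort": "traffic-port", "HealthCheckTimeoutSeconds": 5}
TG_AFTER = {"Port": 8081, "HealthCheckPort": "8081", "HealthCheckTimeoutSeconds": 120}

if __name__ == "__main__":
    for name, tg in (("before", TG_BEFORE), ("after", TG_AFTER)):
        print(name, audit(tg, TASK_DEF, DEFAULT_SG, "sg-default", observed_response_s=8))
```

Replacing the shared default group with a dedicated task security group that admits only the container port from the ALB's group keeps the same audit passing while narrowing what can reach the task.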