1

I am attempting to setup MWAA in AWS and the UI web server needs to be inside a private subnet. Based on documentation the way to setup access to the web server VPC endpoints requires using a VPN/Bastion/Load Balancer and I would ideally like to use the load balancer to grant users access.

I am able to see the VPC endpoint created and it is associated to an IP in each subnet (two subnets total) that were chosen during the initial environment setup.

Target groups were setup to these IP addresses with HTTPS:443.

An internal ALB was created with the target groups above.

The UI is presented in the MWAA console as a pop-out link. When accessing that I am sent sent to a page that says The site can't be reached and the URL has a syntax similar to

https://####-vpce.c71.us-east-1.airflow.amazonaws.com/aws_mwaa/aws-console-sso?login=true<MWAA_WEB_TOKEN>

If I replace the beginning of the URL with below I am able to get to the proper MWAA webpage but there are some HTTPS certificate issues which I can figure out later but this seems to be the proper landing page I need to reach.

https://<INTERNAL_ALB_A_RECORD>/aws_mwaa/aws-console-sso?login=true<MWAA_WEB_TOKEN>

If I access just the internal ALB A record in my browser

https://<INTERNAL_ALB_A_RECORD>

I get redirected to a login page for MWAA, click the login button, then I get re-directed to the below which has the This site can't be reached page.

https://####-vpce.c71.us-east-1.airflow.amazonaws.com/aws_mwaa/aws-console-sso?login=true<MWAA_WEB_TOKEN>

I am not sure exactly where the issue is but it seems to be that I am not being re-directed to where I need to go.

Should I try a NLB pointing to the ALB as a target group? Additionally when accessing an internal ALB I read that you need access to the VPC. What does this mean exactly?

rk92
  • 551
  • 4
  • 21

1 Answers1

1

Still unsure of what the root cause is for the re-direction not taking place.

Our networking does not need an ALB or NLB in this scenario since we have a DirectConnect setup established which allows us to resolve VPC endpoints if we are on our corporate VPN. I still do end up at a page with an error message regarding This site can't be reached and to get to the proper landing page I just have to hit Enter again in my browser's URL search bar.

If anyone else comes across this make sure that you have the login token appended to the end of your URL entry before hitting enter again.

I have a case open with AWS on this so I will update if they are able to figure out the root cause.

rk92
  • 551
  • 4
  • 21
  • Hi, did AWS figure out the root cause in the end? I'm facing the same issue haha – Ben L Aug 21 '22 at 23:38
  • @BenL It's been a while since I've spoken with AWS on this, it still persists on my end. In your browser search bar do you see `login=true` with a token added at the end? If so just click into your search bar and hit enter again so that the request to the homepage is sent with the token included. I am not sure why this happens for now. – rk92 Aug 22 '22 at 14:03
  • Any update on this, I stumbled into this yesterday! – Sandeep May 18 '23 at 19:26
  • @Sandeep Sorry but I never got a resolution to this error yet. Could be something related to a corporate firewall but that's just an assumption. – rk92 Jul 30 '23 at 23:51