Question

I am trying to deploy some nodejs sites with an ELB and am having some problems with the security groups for both the ELB and the EC2 instances.

What I would like to do is allow the ELB to accept port 80 requests and forward those to port 3000 on the EC2 instances. I don't want the EC2 instances to be directly accessible from the internet; they should only be accessible (on port 3000) through the load balancer.

So in my VPC in my public subnets I have:

  • setup an ELB that forwards 80 (HTTP) to 3000 (HTTP)
    • security group that accepts traffic inbound on port 80 from 0.0.0.0/0
  • an EC2 instance that runs node on port 3000
    • security group that accepts traffic inbound on port 3000 from the security group of the ELB instance

This is not working. If on the EC2 instance I allow port 3000 from 0.0.0.0/0 it works.

But then I can use the instance's public IP to go to the instance without going through the load balancer.

From what I understand this should be possible, or am I missing something?

Thanks, Joe


Solution

Apart from what you have already, you need these:

    • setup an ELB that forwards 80 (HTTP) to 3000 (HTTP)
      • security group that accepts traffic inbound on port 80 from 0.0.0.0/0

You also need to have outbound access on port 3000 from ELB to your private subnet where the EC2 instances are running.

    This is not working. If on the EC2 instance I allow port 3000 from 0.0.0.0/0 it works.

This makes me believe that your EC2 instances are running in the public subnet of your VPC. They should be running inside a private subnet of the VPC.

Besides, make sure that your ELB is running in the public subnet of your VPC.
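The layout the answer describes, written out as a Terraform configuration. This is an added example, not code from the question or the answer: the variable names (vpc_id, public_subnet_ids, private_subnet_ids, ami_id) and resource names are assumptions standing in for the poster's own VPC, and the point it demonstrates is the rule the answer says is missing, the egress rule on the ELB's security group towards the instance security group.

```hcl
# Added example; not part of the original question or answers.
# Assumed inputs: the poster's VPC, its public and private subnets, and an AMI.
variable "vpc_id"             { type = string }
variable "public_subnet_ids"  { type = list(string) }
variable "private_subnet_ids" { type = list(string) }
variable "ami_id"             { type = string }

# ELB security group: the only thing the internet may reach is port 80 here.
resource "aws_security_group" "elb" {
  name   = "nodejs-elb-sg"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Instance security group: no CIDR-based ingress at all, so even an instance
# that happened to have a public IP would not answer on port 3000 from outside.
resource "aws_security_group" "app" {
  name   = "nodejs-app-sg"
  vpc_id = var.vpc_id
}

# Instances accept port 3000 only from members of the ELB security group.
resource "aws_security_group_rule" "app_in_from_elb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app.id
  from_port                = 3000
  to_port                  = 3000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.elb.id
}

# The rule the answer says is missing: the ELB needs OUTBOUND port 3000 to the
# instances. Terraform removes the default allow-all egress on a managed
# security group, so without this rule neither health checks nor forwarded
# requests ever leave the ELB. For an egress rule, source_security_group_id
# names the destination group.
resource "aws_security_group_rule" "elb_out_to_app" {
  type                     = "egress"
  security_group_id        = aws_security_group.elb.id
  from_port                = 3000
  to_port                  = 3000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id
}

# The node instance lives in a private subnet with no public IP, as the answer
# recommends; the ELB is the only path to it.
resource "aws_instance" "app" {
  ami                         = var.ami_id
  instance_type               = "t3.micro"
  subnet_id                   = var.private_subnet_ids[0]
  vpc_security_group_ids      = [aws_security_group.app.id]
  associate_public_ip_address = false
}

# The ELB sits in the public subnets and forwards 80 (HTTP) to 3000 (HTTP).
resource "aws_elb" "web" {
  name            = "nodejs-elb"
  subnets         = var.public_subnet_ids
  security_groups = [aws_security_group.elb.id]
  instances       = [aws_instance.app.id]

  listener {
    lb_port           = 80
    lb_protocol       = "http"
    instance_port     = 3000
    instance_protocol = "http"
  }

  # The health check uses the same path as traffic, so a missing egress rule
  # shows up immediately as an "OutOfService" instance rather than as a silent
  # timeout for clients.
  health_check {
    target              = "HTTP:3000/"
    interval            = 30
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}
```

The two security_group_rule resources are used instead of inline blocks because the groups reference each other, and inline ingress/egress on both would create a dependency cycle. The app group above declares no egress of its own; if the instances need to reach out (for example to fetch npm packages through a NAT gateway), add an explicit egress rule for that on the app group, rather than opening inbound 3000 to 0.0.0.0/0 as a workaround.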

OTHER TIPS

It sounds like either the LB is not in the VPC or the security group that your server is in is not in the VPC.

Attaching some images below:

[Images: "LB Create" and "SG Create" screenshots, not reproduced here]

Licensed under: CC-BY-SA with attribution