I'm trying to set up a managed instance group. The instance group is to run an image in which a Node.js server is listening on port 8080.
Setting up the template and the instance group works. I can SSH into the machine. docker ps gives me the expected results. And curl localhost:8080/v1/status results in OK.
Now I tried to add a health check - and that doesn't work. It always results in a TIMEOUT. According to the logs, no request of the health check reaches the Node.js server.
The logs of the health checker are not really helpful.
I triple-checked the settings in the health check. Path and port number are correct.
I have looked at other projects with a similar setup. The only difference I spotted is the port. Those are using port 80. However, I cannot see why this should be an issue. If the port the server listens to and the port the health checker checks on are equal - then there should be no issue. But maybe I'm missing something here.
How can I debug this further? How can I see why the health check is failing? Can I add some port mapping from 8080 to 80 anywhere?
You need to add a firewall rule for these IP ranges and add your port/instance group as a destination.
Health check source ranges for GCP:
35.191.0.0/16
130.211.0.0/22
For more information please have a look at this doc:
https://cloud.google.com/load-balancing/docs/firewall-rules
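To check whether the health checker is actually reaching the instance, the request log can be classified against the two ranges quoted above. This is an added example, not code from the original answer; the log lines are constructed and the path /v1/status is taken from the question.

```ruby
require 'ipaddr'

# The two GCP health-check source ranges quoted in the answer.
GCP_HEALTH_CHECK_RANGES = %w[35.191.0.0/16 130.211.0.0/22]
                          .map { |cidr| IPAddr.new(cidr) }.freeze

# True if the address belongs to one of the health-check ranges.
def gcp_health_checker?(ip)
  addr = IPAddr.new(ip)
  GCP_HEALTH_CHECK_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Constructed sample access log (common log format, not real data):
# the first two lines come from checker ranges, the last two do not
# (130.211.9.9 is outside the /22, which ends at 130.211.3.255).
SAMPLE_LOG = <<~LOG
  35.191.12.34 - - [01/Jan/2024:00:00:01 +0000] "GET /v1/status HTTP/1.1" 200
  130.211.1.9 - - [01/Jan/2024:00:00:02 +0000] "GET /v1/status HTTP/1.1" 200
  203.0.113.7 - - [01/Jan/2024:00:00:03 +0000] "GET /v1/status HTTP/1.1" 200
  130.211.9.9 - - [01/Jan/2024:00:00:04 +0000] "GET /v1/status HTTP/1.1" 200
LOG

# Counts requests for `path` by whether they came from a health checker.
# A result of zero :health_check hits while the checker reports TIMEOUT
# points at the VPC firewall rather than the application.
def count_health_check_hits(log, path: '/v1/status')
  counts = { health_check: 0, other: 0 }
  log.each_line do |line|
    ip = line.split(' ', 2).first
    request = line[/"([A-Z]+ \S+) /, 1]
    next unless request && request.split(' ').last == path
    counts[gcp_health_checker?(ip) ? :health_check : :other] += 1
  end
  counts
end
```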
Whenever I try to redeploy my load balanced service in aws (via copilot) I keep getting health check failures (502 bad gateway) here's the error message:
(service my-app-my-env-my-service-Service-n6SienH8zSJt) (port 3000) is unhealthy in
(target-group arn:aws:elasticloadbalancing:us-east-1:[my target grouo]) due to (reason Health checks failed).
I have a cluster (ECS) with two services (one backend service working totally fine, and then one load balanced service that's causing the issues) that each run one task (Fargate). The load balanced service is a meteor/node app which is listening on port 3000.
The Elastic Load Balancer (application) is listening on port 80 and it should be forwarding traffic to a target group for the service mentioned above which should be listening on port 3000.
This target group for the load balanced service has:
Target type: IP
IP address type: IPv4
Protocol: Port -- HTTP:3000
Protocol Version: HTTP1
The targets for this group have their own IP addresses with port 3000.
target type: ip address since I use fargate and not EC2 for my tasks. So when a task is turning on, I correctly see the private IP of the task registering into the target group.
A few notes:
The server is launching correctly. I'm receiving logs that indicate a healthy server and no errors are showing up
I have a /_health route which I set up and is working locally (getting my 200 status with a curl request to localhost:3000/_health). I'm pretty convinced that NO routes are working because I changed my app to render a static page regardless of the route and I'm still having issues connecting. This makes me think the issue lies between the load balancer and the service.
Been stuck on this for a week so if anyone knows what I'm missing that would be particularly helpful! I'm happy to share more information about my cluster if that will help! Thanks in advance :)
What is the mapping of the health check route in your copilot manifest?
By default copilot configures health checks to target '/'.
I feel pretty silly about this but pretty sure I found the solution. While I configured the port: 3000 correctly on the image in the manifest.yml, I needed an additional environment variable called PORT: 3000 in the variables for the manifest. This seemed to do the trick... like I said silly mistake!
I created a Linux t3a.nano EC2 on AWS, I haven't done anything on the instance other than starting it and connect to it through SSH.
I would like to open 2 ports, port 80, and 3000, for that, I created a Security Group and added both ports to the inbound rules.
Based on AWS documentation that is all you need to do in order to open the ports, but if I connect to the instance and list the open ports, none of the ports in my Security Group are listening, only 22, but that is open by default.
I am running this command to list the ports:
sudo netstat -antp | fgrep LISTEN
Other Steps I tried:
Check my ACL, will attach a picture of the configuration below, didn't change anything it looks to be fine.
Checked that the instance is using the correct security group.
Stopped and started the instance.
Created an Elastic IP and associated it to the instance to have a permanent public IP address.
Any suggestions about which steps I could be missing?
You are checking the ports from inside the instance. Security Groups (SGs) work outside of your instance.
You can imagine them as a bubble around your instance. Subsequently, the instance is not aware of their existence. This can be visualized like on the below image, where the SG is a barrier outside of the instance. Only if SG allow traffic in, then your instance can further limit it by using regular software level firewalls.
To open/block ports on the instance itself you have to use a regular firewall such as ufw. By default all ports on the instance will be open, at least when using Amazon Linux 2 or Ubuntu.
Therefore, with your setup, inbound traffic for ports 22, 3000 and 80 will be allowed to the instance.
Update - Response
I got to this point thanks to the comments above!
I wanted to open port 3000 to host a web service, so I did all the steps on my original question, the step that I was missing was to run a server to do something on port 3000. After I ran node I was able to see the port open internally and was able to make requests to that port.
The Security Group remains the same, but now if I list the ports this is what I get: sudo netstat -antp | fgrep LISTEN
I am able to access my app inside the EC2 instance using elinks, but when I try to do so from the browser it says "This site can't be reached".
I am trying to run a node app on port 3000
(screenshot: my netstat output)
(screenshot: my EC2 security group inbound rules)
After going through other Stack Overflow tickets I figured out that there are two levels of checks:
EC2 security groups
EC2 instance firewall
So although I added port 3000 to the security group inbound rules, I still had to open the instance firewall as well. Port 80 is open by default.
I'm actually doing the same thing, and in order to do so, you need to give it a public IPv4 address and also run a web server from it. At least that is the conclusion I reached this morning.
Firstly, apologies if similar questions have been answered before, but the Azure configuration seems to have changed since most of the posts I have seen so far.
I have an application which I have installed on an Azure VM [Windows server 2012].
It's actually wso2 API manager, if anybody has experience of that.
The application fires up Tomcat and listens for SSL traffic on port 9443. Why it's not 443 I'm not sure.
I've set up an Inbound Security rule on my Network Security Group, as follows:
Priority : 1010
Source: Any
Service: Custom
Protocol: Any
Port Range: 9443
Action : Allow
I still have no joy accessing this from a browser though, I get the slightly confusing "This site can't be reached / the connection was reset" error.
I'd welcome any pointers to get this working or to debug!
I recently experienced nearly the same issue that you did. What worked for me:
1) I added my inbound rule prior to any other inbound rule. I noticed your rule is 1010 which means it's being applied after the default RDP rule is. No, this shouldn't make a difference, but it may.
2) When you create your inbound rule, hit the "advanced" button, choose the CIDR option and route the traffic to the internal IP address of the VM.
3) For the destination port range I chose only the port I needed. In your case 9443.
The issue for me was the internal IP address. Once I set that everything started working for me.
I develop websites with Rails, and I was looking for a simple way to set up dynamic name resolution for my app. The final product I need is: every time I start a Rails application (by typing rails server in my application folder), I want to run it on a random port, and if I type the application name in my browser (like myapp.dev or something) it resolves to localhost on the correct port.
The part of getting the app name and generating a random port is not the problem. The problem is how to resolve a name to a local port. Is there any simple tool on linux that allows me to do this?
Right now, the best I can think of is to start a daemon that keeps track of when a Rails app is started, notes the port, and adds an entry for itself in /etc/hosts with the app name. Then, whenever it receives a request, it forwards it to the correct app based on the name.
I can't believe this is the best way so ideas are highly appreciated.
I'm not sure if I understand your problem correctly, but DNS is not about ports. By using DNS you can resolve a name to an IP, not a port, or from IP to name (reverse DNS). What you would do in your case is, during start-up of the application on a random port, forward another port which will always be the same.
For instance:
By iptables forward port 80 to random port of your application. Then you will always get to application by port 80.
Edit: I couldn't paste it in the comment because it's too long, so I give you answer here:
You can create a lot of iptables rules: the first application will be on port 80, the next on 81, and so on. In the browser you then have to type apps.test.com (first app), apps.test.com:81 (second app), and so on.
Another solution: if you want to have different domains (not type a port after a colon), you can use a proxy server and use VirtualHost to redirect to particular apps. In the proxy configuration you can define that app1.test.com goes to port e.g. 8888, app2.test.com goes to port 8889, and then during start-up of your app you can create an iptables rule or SSH tunnel to redirect all traffic from port 8888 to the random port of your Ruby application. To keep it from getting more complicated, it would be nice if these ports which you configure in the proxy are not used by your Ruby application. You can also check the iptables "string match" option: match the Host field of the HTTP request and then, analogously, during start-up of the app, create an iptables rule which will redirect everything that goes to port 80 with a specific Host field to your Ruby app's port. The last option would be using an SRV DNS record, but it's rather useless in your situation. But anyway, you can play around with all of these options and choose the one which is best for you.
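The VirtualHost idea from the answer, as an added example that is not part of the original thread: a minimal Host-header reverse proxy in plain Ruby that sends app1.test to port 8888 and app2.test to port 8889 without a port in the URL. The host names, ports and the GET-only restriction are assumptions for illustration.

```ruby
require 'socket'
require 'net/http'

# Host header (without any :port suffix) -> local backend port. Assumed values.
VHOSTS = { 'app1.test' => 8888, 'app2.test' => 8889 }.freeze

# Returns the backend port for a Host header value, or nil if unknown.
# Matching is case-insensitive and ignores a trailing ":port".
def backend_for(host_header, table = VHOSTS)
  return nil if host_header.nil?
  table[host_header.strip.downcase.sub(/:\d+\z/, '')]
end

# Reads one HTTP/1.x request head from an IO; returns [method, path, headers]
# with header names lower-cased, or nil if the client sent nothing.
def read_request(io)
  line = io.gets or return nil
  method, path, = line.split(' ')
  headers = {}
  while (h = io.gets) && h.strip != ''
    name, value = h.split(':', 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  [method, path, headers]
end

# Listens on 127.0.0.1:listen_port and forwards each GET to the backend
# chosen by the Host header; unknown hosts and non-GET requests get a 404.
# Blocks forever, so call it from a script, e.g. run_proxy(8080).
def run_proxy(listen_port)
  server = TCPServer.new('127.0.0.1', listen_port)
  loop do
    Thread.new(server.accept) do |client|
      method, path, headers = read_request(client)
      port = backend_for(headers && headers['host'])
      if port.nil? || method != 'GET'
        client.write "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
      else
        res = Net::HTTP.get_response('127.0.0.1', path, port)
        client.write "HTTP/1.1 #{res.code} #{res.message}\r\n" \
                     "Content-Length: #{res.body.bytesize}\r\nConnection: close\r\n\r\n#{res.body}"
      end
      client.close
    end
  end
end
```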