
I've created an internet-facing Elastic Load Balancer to point at my EC2 instances in a VPC, as I have many times before; however, with this one I am using a private subnet with a NAT gateway to control outgoing traffic and channel it all through a whitelisted IP.

Unfortunately this load balancer alone is having intermittent connection problems, which is causing all kinds of issues, including CloudFront reliably contacting the origin site.

This works fine with a public subnet (in fact I've now swapped it straight out) but not with a private subnet.

Any thoughts would be gratefully received,

Chris

An Internet-facing ALB or Classic ELB cannot be placed on a private subnet. The instances behind the balancer can (and almost always should) be on private subnets, but never the ELB. Is that what you are doing? It sounds like you might have the ELB or ALB assigned to one public and one private subnet, which would make it fail about half the time.
Michael - sqlbot

Sorry, yes, it's an ALB, and even when I have it pointing at two private subnets (only one of which contains servers) I get the same issue. The only way I can get it to work reliably is by pointing it at two public subnets. It is actually working; it's just that every now and then the connection hangs for 10/20 seconds.
AffinoChris

1 Answer

The only way I can get it to work reliably is by pointing it at two public subnets.

This is by design.

Internet-facing Application Load Balancers (ALB) and Classic ELBs must be provisioned exclusively in public subnets.

This is always true, regardless of whether the instances behind the balancer are in private subnets or not.

If the balancer is placed in private subnets, the browser can't establish a connection to the balancer, because the default route of the balancer's subnet is something other than the Internet Gateway -- so the balancer's replies are misrouted and the connection times out. The timeouts become intermittent if the balancer is on a mix of public and private subnets, because some connections reach the balancer via a public subnet (and work) while others reach the balancer via a private subnet (and don't).

The balancer does not need to be on any private subnets, because the VPC route table always contains an implicit route that allows all subnets within the VPC to reach all other subnets, subject only to security group and Network ACL rules. There is no performance disadvantage to having the balancer in entirely different subnets than the instances.
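The answer's rule is easy to verify mechanically: a subnet is "public" exactly when its effective route table sends 0.0.0.0/0 to an Internet Gateway, and an internet-facing balancer placed on any subnet that fails that test (for example one whose default route points at a NAT gateway, as in the question) will misroute replies for connections arriving through it. The following script is an added example, not code from the original question or answer or from AWS. It works on constructed data shaped like the output of `aws ec2 describe-route-tables` and `aws elbv2 describe-load-balancers`; every ID in it (vpc-, rtb-, subnet-, igw-, nat-, load balancer names) is a made-up placeholder, and the function names are assumptions of this example.

```python
"""Flag internet-facing ALBs that sit on private subnets.

Added example (not from the original post). The route-table and balancer
records below are constructed to mirror the shape of AWS CLI output; all
identifiers are placeholders. Audit logic only: nothing here talks to AWS.
"""


def route_table_for_subnet(route_tables, subnet_id):
    """Return the route table that applies to subnet_id: the explicitly
    associated table if one exists, otherwise the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def is_public_subnet(route_tables, subnet_id):
    """A subnet is public when its default route (0.0.0.0/0) targets an
    Internet Gateway (igw-...). A default route to a NAT gateway gives
    outbound access only: replies to inbound Internet connections are
    sent to the NAT gateway and the connection times out."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return False
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("GatewayId") or "").startswith("igw-")
    return False  # no default route at all: isolated subnet, not public


def audit_alb(route_tables, alb):
    """Return the subnets of an internet-facing ALB that are not public.
    Internal balancers are fine on private subnets, so they yield []."""
    if alb["Scheme"] != "internet-facing":
        return []
    return [s for s in alb["Subnets"] if not is_public_subnet(route_tables, s)]


# Constructed sample data (placeholder IDs). The main table routes to an IGW;
# subnet-pub-b has no explicit association, so it inherits the main table.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main-placeholder",
        "Associations": [{"Main": True},
                         {"Main": False, "SubnetId": "subnet-pub-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"},
        ],
    },
    {
        "RouteTableId": "rtb-private-placeholder",
        "Associations": [{"Main": False, "SubnetId": "subnet-priv-a"},
                         {"Main": False, "SubnetId": "subnet-priv-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"},
        ],
    },
]

# The three configurations discussed in the thread.
ALB_MIXED = {"LoadBalancerName": "alb-mixed", "Scheme": "internet-facing",
             "Subnets": ["subnet-pub-a", "subnet-priv-a"]}      # intermittent
ALB_PRIVATE = {"LoadBalancerName": "alb-private", "Scheme": "internet-facing",
               "Subnets": ["subnet-priv-a", "subnet-priv-b"]}   # never works
ALB_PUBLIC = {"LoadBalancerName": "alb-public", "Scheme": "internet-facing",
              "Subnets": ["subnet-pub-a", "subnet-pub-b"]}      # correct
ALB_INTERNAL = {"LoadBalancerName": "alb-internal", "Scheme": "internal",
                "Subnets": ["subnet-priv-a", "subnet-priv-b"]}  # fine


if __name__ == "__main__":
    for alb in (ALB_MIXED, ALB_PRIVATE, ALB_PUBLIC, ALB_INTERNAL):
        bad = audit_alb(ROUTE_TABLES, alb)
        status = "OK" if not bad else f"MISCONFIGURED, private subnets: {bad}"
        print(f"{alb['LoadBalancerName']}: {status}")
```

The mixed case reproduces the "fails about half the time" behaviour from the comments: one of its two subnets passes the check and the other does not, so the audit reports exactly the private one. Run against real `describe-route-tables` JSON, the same two functions apply unchanged, because the lookup follows the explicit-then-main association rule that AWS uses to decide which route table a subnet gets.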