0
votes

I've got an EKS cluster with the ALB ingress controller and external DNS connected to Route 53. Now some clients want static IPs or an IP range for connecting to our servers and whitelisting these IPs in their firewall.

I tried the new AWS Global Accelerator and followed this tutorial, https://docs.aws.amazon.com/global-accelerator/latest/dg/getting-started.html, but it fails with:

Listeners in this accelerator have an unhealthy status. To make sure that Global Accelerator can run health checks successfully, ensure that a service is responding on the protocol and port that you specified in the health check configuration.

With further reading I understood that the health checks will be the same as those configured at the ALB, and also that it might fail because the Route 53 health check IPs are not whitelisted. But all the inbound traffic is open on ports 80 and 443, so I'm not quite sure how to debug this further, or whether there is any other solution for getting an IP range or static IP for the ALB.


2 Answers

0
votes

You need to add a healthcheck rule like this one to the ingress controller:

    - http:
        paths:
          - path: /global-accelerator-healthcheck
            backend:
              serviceName: global-accelerator-healthcheck
              servicePort: use-annotation

Then an annotation:

    alb.ingress.kubernetes.io/actions.global-accelerator-healthcheck: '{"Type": "fixed-response", "FixedResponseConfig": {"ContentType": "text/plain", "StatusCode": "200", "MessageBody": "healthy" }}'

Then configure the Global Accelerator to point the health checks to that endpoint.
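A pre-deploy check for the wiring this answer relies on, as an added example that is not part of the original answer: with the ALB ingress controller, the name after `actions.` in the annotation has to match the `serviceName` of a path whose `servicePort` is `use-annotation`. The manifest is represented as an already-parsed dict, and `check_action_wiring`, `make_ingress` and the misspelled service name are constructed for illustration.

```python
import json

PREFIX = "alb.ingress.kubernetes.io/actions."

def check_action_wiring(ingress):
    """Return problems in how action annotations and 'use-annotation' paths line up."""
    problems, declared, referenced = [], set(), set()
    for key, value in ingress["metadata"].get("annotations", {}).items():
        if not key.startswith(PREFIX):
            continue
        name = key[len(PREFIX):]
        declared.add(name)
        try:
            json.loads(value)  # the action annotation value must be a JSON document
        except json.JSONDecodeError as exc:
            problems.append(f"action {name!r}: annotation is not valid JSON ({exc})")
    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            backend = path.get("backend", {})
            if backend.get("servicePort") != "use-annotation":
                continue  # ordinary Service backend, nothing to cross-check
            name = backend.get("serviceName")
            referenced.add(name)
            if name not in declared:
                problems.append(f"path {path.get('path')!r}: no annotation for action {name!r}")
    for name in sorted(declared - referenced):
        problems.append(f"action {name!r}: defined but no path references it")
    return problems

# Constructed sample: the rule and annotation from the answer, as a parsed manifest.
FIXED_200 = ('{"Type": "fixed-response", "FixedResponseConfig": {"ContentType": '
             '"text/plain", "StatusCode": "200", "MessageBody": "healthy"}}')

def make_ingress(service_name):
    return {
        "metadata": {"annotations": {PREFIX + "global-accelerator-healthcheck": FIXED_200}},
        "spec": {"rules": [{"http": {"paths": [{
            "path": "/global-accelerator-healthcheck",
            "backend": {"serviceName": service_name, "servicePort": "use-annotation"},
        }]}}]},
    }

GOOD = make_ingress("global-accelerator-healthcheck")
BAD = make_ingress("global-accelerator-health")  # constructed typo in serviceName

if __name__ == "__main__":
    print(check_action_wiring(GOOD))
    for problem in check_action_wiring(BAD):
        print(problem)
```
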

0
votes

When it comes to the AWS ALB Ingress controller, always try to think of it as if you are working with an AWS ALB and its Target Groups.

  • You can even identify the ALB and its target groups by logging in to the AWS console UI.
  • To answer your question, try adding the following details to your ingress:

    # These keys go under metadata: in the Ingress manifest
    annotations:
      alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
      alb.ingress.kubernetes.io/healthcheck-port: "8161"
      alb.ingress.kubernetes.io/healthcheck-path: /admin
      alb.ingress.kubernetes.io/success-codes: '401'
      alb.ingress.kubernetes.io/backend-protocol: HTTP

Note: If you have different health check settings for different services, remove this block from K8s "Ingress" and add blocks per K8s "Service".

If more information is required, please refer to: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.1/guide/ingress/annotations/