I am trying to have an Internet-facing ELB load balance incoming traffic to my private subnet EC2 instances. My Load Balancing Target group reports that my EC2 instances are unhealthy even though they passed all checks on the EC2 page.
What I do not understand is this: if I do attach a Network Interface AND a public IP to my private subnet EC2 instances, then everything works. At the end of the day, my Security Groups still prevent direct external access to my instances, but I do not believe public IP addresses are required, because I understand load balancers to work with internal IP addresses. So what am I not understanding correctly here? Many thanks in advance.
My security/network settings are as follows:
- Route tables: /16 VPC CIDR to Local, 0.0.0.0/0 to Internet Gateway, Implicitly associated with all subnets
- NACL: (For testing purposes), Allow all to everywhere for both inbound and outbound, Associated with all subnets
- Security group of private subnet EC2 instances allow incoming traffic from Load Balancer SG only and allow all outbound traffic.
- Security group of Load Balancer allow incoming traffic from anywhere, and allow all outbound traffic.
The closest thread I could find is this: How to load balance AWS private subnet EC2 instances, but I've checked through all the items without success.
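As an added example (not part of the original question or of any AWS tooling), the following Python models how a VPC evaluates one health-check flow from a load balancer node to an instance under settings like the ones listed above: a security group rule that names another group matches by the source ENI's group membership, network ACLs are stateless and ordered and must also allow the reply on an ephemeral port, and the instance's public IP never enters the decision because the load balancer node connects to the instance's private IP. All addresses, group ids (`sg-lb`, `sg-app`), ports and rules are constructed for the illustration.

```python
# Added example (not from the original post): a small model of how a VPC
# evaluates an ELB health-check flow from a load balancer node to a target.
# Security groups are stateful and may reference another group by id; NACLs are
# stateless, ordered, and must allow the reply on an ephemeral port.
# All IPs, group ids and rules below are constructed to mirror the post's setup.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class SgRule:
    protocol: str   # "tcp", "udp" or "-1" (all)
    from_port: int
    to_port: int
    source: str     # CIDR such as "0.0.0.0/0", or a group id such as "sg-lb"


@dataclass(frozen=True)
class NaclRule:
    number: int     # rules are evaluated in ascending number order
    action: str     # "allow" or "deny"
    protocol: str
    from_port: int
    to_port: int
    cidr: str


@dataclass
class Nacl:
    inbound: List[NaclRule]
    outbound: List[NaclRule]


@dataclass
class Eni:
    private_ip: str
    security_groups: FrozenSet[str]
    nacl: Nacl                       # NACL of the subnet the ENI lives in
    public_ip: Optional[str] = None  # never consulted: the LB node talks to the private IP


def _matches(proto_rule: str, proto: str, lo: int, hi: int, port: int) -> bool:
    return proto_rule in ("-1", proto) and lo <= port <= hi


def sg_allows_ingress(rules: List[SgRule], src: Eni, proto: str, port: int) -> bool:
    """A rule matches by CIDR against the source's private IP, or by group id
    against the groups attached to the source ENI (how 'allow from LB SG' works)."""
    for r in rules:
        if not _matches(r.protocol, proto, r.from_port, r.to_port, port):
            continue
        if r.source.startswith("sg-"):
            if r.source in src.security_groups:
                return True
        elif ip_address(src.private_ip) in ip_network(r.source):
            return True
    return False


def nacl_allows(rules: List[NaclRule], peer_ip: str, proto: str, port: int) -> bool:
    """First matching rule (lowest number) decides; no match means deny."""
    for r in sorted(rules, key=lambda x: x.number):
        if _matches(r.protocol, proto, r.from_port, r.to_port, port) and \
                ip_address(peer_ip) in ip_network(r.cidr):
            return r.action == "allow"
    return False


def health_check_reachable(lb_node: Eni, target: Eni, target_sg: List[SgRule],
                           hc_port: int, ephemeral_port: int = 49152) -> Tuple[bool, Dict[str, bool]]:
    """Walk one TCP health check: SYN from the LB node to the target on hc_port,
    then the SYN-ACK back to the LB node's ephemeral port. The SG is stateful, so
    only its ingress rules matter; both NACLs are checked in both directions."""
    checks = {
        "lb_nacl_out": nacl_allows(lb_node.nacl.outbound, target.private_ip, "tcp", hc_port),
        "target_nacl_in": nacl_allows(target.nacl.inbound, lb_node.private_ip, "tcp", hc_port),
        "target_sg_in": sg_allows_ingress(target_sg, lb_node, "tcp", hc_port),
        "target_nacl_out_reply": nacl_allows(target.nacl.outbound, lb_node.private_ip, "tcp", ephemeral_port),
        "lb_nacl_in_reply": nacl_allows(lb_node.nacl.inbound, target.private_ip, "tcp", ephemeral_port),
    }
    return all(checks.values()), checks


def allow_all_nacl() -> Nacl:
    """The post's test NACL: one rule allowing everything in both directions."""
    rule = NaclRule(100, "allow", "-1", 0, 65535, "0.0.0.0/0")
    return Nacl(inbound=[rule], outbound=[rule])


# Constructed topology: LB node in 10.0.1.0/24 (group sg-lb), instance in
# 10.0.2.0/24 (group sg-app) with no public IP; instance SG allows port 80 from sg-lb only.
LB_NODE = Eni("10.0.1.10", frozenset({"sg-lb"}), allow_all_nacl())
TARGET = Eni("10.0.2.20", frozenset({"sg-app"}), allow_all_nacl())
APP_SG_RULES = [SgRule("tcp", 80, 80, "sg-lb")]

if __name__ == "__main__":
    ok, detail = health_check_reachable(LB_NODE, TARGET, APP_SG_RULES, 80)
    print("health check on port 80:", ok)
    # A target group whose health check port is overridden to 8080 fails at the SG
    # even though listener traffic on 80 would still pass.
    ok, detail = health_check_reachable(LB_NODE, TARGET, APP_SG_RULES, 8080)
    print("health check on port 8080:", ok, [k for k, v in detail.items() if not v])
```

The model deliberately has no notion of a public IP or of the route to the Internet Gateway, because the load balancer node and the instance are in the same VPC and the check is addressed to the instance's private IP. The port-8080 case shows why it is worth comparing the target group's configured health check port and path with what the instance security group actually admits, alongside the reason field returned by `aws elbv2 describe-target-health`.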