I have two Windows Server 2016 web servers in the public subnets:
- Each web server has its own public IP address.
- Each web server has a self-signed SSL certificate, has both HTTP and HTTPS bindings, and redirects HTTP to HTTPS.
- They are in a Target Group. There is an Application Load Balancer using that Target Group.
I could request the pages from the web servers directly or from the ELBs. The response is instant. All good.
Once I removed the public IP addresses from the web servers, the response from the ELB became very unreliable. It times out every now and then with error 504 Gateway Timeout. But sometimes it does work.
Why?
A cheaper solution than a NAT gateway is an S3 Endpoint. From that page
This means you don't have to pay for a NAT gateway, just traffic to S3. Note that
With the help of Mike, Ben and Appleoddity I finally figured it out. The web servers do need traffic to the outside because they access AWS S3. They stop functioning as soon as their public IPs are removed, because they need them to connect to the Internet. The proper implementation that maximizes security is to place the web servers in the private subnets, add a NAT gateway to each corresponding public subnet, and add a route in the route table to send traffic for 0.0.0.0/0 to the NAT gateway.
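Putting the two answers above together as an added example (my own Terraform sketch, not code from either poster): a private subnet whose default route goes to a NAT gateway in the public subnet, plus an S3 gateway endpoint so the S3 traffic does not go through (or pay for) the NAT gateway. The VPC id, public subnet id, region and the private subnet's CIDR are assumptions.

```terraform
# Assumed to already exist: the VPC, a public subnet whose route table sends
# 0.0.0.0/0 to an Internet gateway, and the ALB in that public subnet.
variable "vpc_id" {}
variable "public_subnet_id" {}
variable "region" { default = "us-east-1" } # assumption

# Private subnet: the web servers are launched here with no public IP at all.
resource "aws_subnet" "private" {
  vpc_id     = var.vpc_id
  cidr_block = "10.0.1.0/24" # assumed CIDR inside the VPC range
}

# The NAT gateway sits in the public subnet and owns the only public address
# the web servers' outbound traffic will ever use.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = var.public_subnet_id
}

# Private route table: default route to the NAT gateway, never to the IGW.
# Outbound (e.g. to S3) works; inbound from the Internet can only arrive
# through the ALB, which is what removing the public IPs was meant to achieve.
resource "aws_route_table" "private" {
  vpc_id = var.vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# S3 gateway endpoint: adds a prefix-list route for S3 to the private route
# table, so S3 traffic bypasses the NAT gateway (no NAT data charge) and
# never leaves the AWS network. The NAT gateway stays for everything else.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}
```

If S3 is the only outside service the servers need, the endpoint alone is enough and the NAT gateway can be dropped; keep the NAT gateway only if something else (updates, other AWS APIs) also has to reach the Internet.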