Amazon web services AWS ELB:503服务暂时不可用
我正试图按照这个示例将微服务部署到AWS ECS。这里,负载平衡器用于不同docker服务之间的联网。我已经根据自己的需要调整了cloudformation模板,并且只部署了一项服务,即Web服务器。我希望公众能够访问web界面,并添加该服务随后要与之对话的其他服务。但是,我目前很难使用负载平衡器的URL使Web服务器正常运行。如果我使用公共IP直接访问EC2实例,我就可以访问该接口。但是,如果我转到负载均衡器DNS,我会得到暂时不可用的503服务。我已经检查了,但是webservice目标组显示了一个注册的目标,即状态为健康的EC2实例。我错过了什么Amazon web services AWS ELB:503服务暂时不可用,amazon-web-services,amazon-ec2,amazon-ecs,amazon-elb,Amazon Web Services,Amazon Ec2,Amazon Ecs,Amazon Elb,我正试图按照这个示例将微服务部署到AWS ECS。这里,负载平衡器用于不同docker服务之间的联网。我已经根据自己的需要调整了cloudformation模板,并且只部署了一项服务,即Web服务器。我希望公众能够访问web界面,并添加该服务随后要与之对话的其他服务。但是,我目前很难使用负载平衡器的URL使Web服务器正常运行。如果我使用公共IP直接访问EC2实例,我就可以访问该接口。但是,如果我转到负载均衡器DNS,我会得到暂时不可用的503服务。我已经检查了,但是webservice目标组显
Parameters:
EnvironmentName:
Description: An environment name that will be prefixed to resource names
Type: String
VPC:
Type: AWS::EC2::VPC::Id
Description: Choose which VPC the Application Load Balancer should be deployed to
Subnets:
Description: Choose which subnets the Application Load Balancer should be deployed to
Type: AWS::EC2::Subnet::Id
PublicSubnet:
Description: Choose which public subnet the EC2 instance should be deployed to
Type: AWS::EC2::Subnet::Id
Resources:
LoadBalancerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: !Sub ${EnvironmentName}-loadbalancer
GroupDescription: Access to the load balancer that sits in front of ECS
VpcId: !Ref VPC
SecurityGroupIngress:
# Allow access from anywhere to our ECS services
- CidrIp: 0.0.0.0/0
IpProtocol: -1
Tags:
- Key: Name
Value: !Sub ${EnvironmentName}-LoadBalancers
LoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Name: !Ref EnvironmentName
Subnets:
- !Ref Subnets
SecurityGroups:
- !Ref LoadBalancerSecurityGroup
Tags:
- Key: Name
Value: !Ref EnvironmentName
LoadBalancerListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
LoadBalancerArn: !Ref LoadBalancer
Port: 80
Protocol: HTTP
DefaultActions:
- Type: forward
TargetGroupArn: !Ref DefaultTargetGroup
DefaultTargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
Name: !Sub ${EnvironmentName}-default
VpcId: !Ref VPC
Port: 80
Protocol: HTTP
ECSHostSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: !Sub ${EnvironmentName}-ecs-hosts
GroupDescription: Access to the ECS hosts and the tasks/containers that run on them
VpcId: !Ref VPC
SecurityGroupIngress:
# Only allow inbound access to ECS from the ELB
- SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
IpProtocol: -1
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value: !Sub ${EnvironmentName}-ECS-Hosts
ECSCluster:
Type: AWS::ECS::Cluster
Properties:
ClusterName: !Ref EnvironmentName
ECSRole:
Type: AWS::IAM::Role
Properties:
Path: /
RoleName: !Sub ${EnvironmentName}-ecs-role
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: ec2.amazonaws.com
Action: 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role'
- 'arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM'
- 'arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy'
ECSInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- !Ref ECSRole
EC2Webserver:
Type: AWS::EC2::Instance
Properties:
AvailabilityZone: eu-central-1a
ImageId: !Ref ECSAMI
InstanceType: !Ref InstanceType
IamInstanceProfile: !Ref ECSInstanceProfile
UserData:
Fn::Base64:
!Sub |
#!/bin/bash
# Add to cluster:
echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
echo ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE=true >> /etc/ecs/ecs.config
SecurityGroupIds:
- !Ref ECSHostSecurityGroup
SubnetId: !Ref PublicSubnet
Tags:
- Key: Name
Value: !Sub ${EnvironmentName}
Service:
Type: AWS::ECS::Service
DependsOn: ListenerRule
Properties:
Cluster: !Ref Cluster
Role: !Ref ServiceRole
DesiredCount: !Ref DesiredCount
TaskDefinition: !Ref TaskDefinitionWebserver
LoadBalancers:
- ContainerName: !Sub ${EnvironmentName}-webserver
ContainerPort: 8080
TargetGroupArn: !Ref TargetGroup
TaskDefinitionWebserver:
Type: AWS::ECS::TaskDefinition
Properties:
Family: !Sub ${EnvironmentName}-webserver
ContainerDefinitions:
- Name: !Sub ${EnvironmentName}-webserver
Essential: true
Image: !Ref Image
Memory: 512
PortMappings:
- ContainerPort: 8080
HostPort: 80
TargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
Name: !Sub ${EnvironmentName}-webserver
VpcId: !Ref VPC
Port: 80
Protocol: HTTP
Matcher:
HttpCode: 200-299
HealthCheckIntervalSeconds: 30
HealthCheckPath: /health
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 10
HealthyThresholdCount: 5
ListenerRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Properties:
ListenerArn: !Ref LoadBalancerListener
Priority: 1
Conditions:
- Field: path-pattern
Values:
- /
Actions:
- TargetGroupArn: !Ref TargetGroup
Type: forward
ServiceRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub ecs-service-${AWS::StackName}
Path: /
AssumeRolePolicyDocument: |
{
"Statement": [{
"Effect": "Allow",
"Principal": { "Service": [ "ecs.amazonaws.com" ]},
"Action": [ "sts:AssumeRole" ]
}]
}
Policies:
- PolicyName: !Sub ecs-service-${AWS::StackName}
PolicyDocument:
{
"Version": "2012-10-17",
"Statement":
[
{
"Effect": "Allow",
"Action":
[
"ec2:AuthorizeSecurityGroupIngress",
"ec2:Describe*",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:RegisterTargets"
],
"Resource": "*"
}
]
}
Outputs:
WebsiteServiceUrl:
Description: The URL endpoint for the website service
Value: !Join ["", [!GetAtt LoadBalancer.DNSName, "/"]]
SG出口规则
看起来安全组SG没有定义出口规则。ALB和EC2
LoadBalancerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: !Sub ${EnvironmentName}-loadbalancer
GroupDescription: Access to the load balancer that sits in front of ECS
VpcId: !Ref VPC
SecurityGroupIngress:
# Allow access from anywhere to our ECS services
- CidrIp: 0.0.0.0/0
IpProtocol: -1
我相信当您在EC2控制台中查看SG的出站规则时,不会有规则。如果这是真的,那么原因可能是流量可以进入ALB的端口80,但不能从ALB流出
这是我的理论。所以请添加一个出口规则来验证
LoadBalancerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: !Sub ${EnvironmentName}-loadbalancer
GroupDescription: Access to the load balancer that sits in front of ECS
VpcId: !Ref VPC
SecurityGroupIngress:
# Allow access from anywhere to our ECS services
- CidrIp: 0.0.0.0/0
IpProtocol: -1
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0 # <--- Maybe better change to VPC CIDR or ECS/EC2 subnet CIDR rather than any IP.
但是,如果EC2实例需要安装软件包或创建出站连接,那么EC2 SG也需要出口规则
国际机械师协会
关于ECS服务的IAM角色,有预定义的AWS托管角色,所以我认为最好使用它们
由于AWS现在已经引入了服务链接角色,使用它应该会更好
在为Amazon ECS引入服务链接角色之前,您需要为您的Amazon ECS服务创建IAM角色,该角色授予Amazon ECS所需的权限。不再需要此角色,但是如果需要,可以使用此角色。有关更多信息,请参阅Amazon ECS的旧版IAM角色
SG出口规则
看起来安全组SG没有定义出口规则。ALB和EC2
LoadBalancerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: !Sub ${EnvironmentName}-loadbalancer
GroupDescription: Access to the load balancer that sits in front of ECS
VpcId: !Ref VPC
SecurityGroupIngress:
# Allow access from anywhere to our ECS services
- CidrIp: 0.0.0.0/0
IpProtocol: -1
我相信当您在EC2控制台中查看SG的出站规则时,不会有规则。如果这是真的,那么原因可能是流量可以进入ALB的端口80,但不能从ALB流出
这是我的理论。所以请添加一个出口规则来验证
LoadBalancerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: !Sub ${EnvironmentName}-loadbalancer
GroupDescription: Access to the load balancer that sits in front of ECS
VpcId: !Ref VPC
SecurityGroupIngress:
# Allow access from anywhere to our ECS services
- CidrIp: 0.0.0.0/0
IpProtocol: -1
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0 # <--- Maybe better change to VPC CIDR or ECS/EC2 subnet CIDR rather than any IP.
但是,如果EC2实例需要安装软件包或创建出站连接,那么EC2 SG也需要出口规则
国际机械师协会
关于ECS服务的IAM角色,有预定义的AWS托管角色,所以我认为最好使用它们
由于AWS现在已经引入了服务链接角色,使用它应该会更好
在为Amazon ECS引入服务链接角色之前,您需要为您的Amazon ECS服务创建IAM角色,该角色授予Amazon ECS所需的权限。不再需要此角色,但是如果需要,可以使用此角色。有关更多信息,请参阅Amazon ECS的旧版IAM角色
谢谢大家!我终于明白了,我所要做的就是在我的服务重定向到/时调整路径。因此,我只使用通配符更改了侦听器规则:
ListenerRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Properties:
ListenerArn: !Ref LoadBalancerListener
Priority: 1
Conditions:
- Field: path-pattern
Values:
- [/*]
Actions:
- TargetGroupArn: !Ref TargetGroup
Type: forward
谢谢大家!我终于明白了,我所要做的就是在我的服务重定向到/时调整路径。因此,我只使用通配符更改了侦听器规则:
ListenerRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Properties:
ListenerArn: !Ref LoadBalancerListener
Priority: 1
Conditions:
- Field: path-pattern
Values:
- [/*]
Actions:
- TargetGroupArn: !Ref TargetGroup
Type: forward
请确认在ECS控制台中,ECS服务中的tasks页签显示的是正数,只需确认ECS集群中的EC2实例数为正数即可。这只是一件小事,但最好是针对ELB类型、ALB、NLB或CLB,然后无需确保这是ALB。请确认在EC2控制台的目标组中,目标组实际显示了EC2实例ID。因为HTTP 503:Service Unavailable意味着负载平衡器的目标组没有根据注册的目标。因此,EC2实例可能还没有实际注册到ALB。有时这需要时间。是,在ECS服务中,一个任务正在运行。2.是,EC2实例id已注册为端口80上服务的目标组中的目标,状态为Healthy请确认在ECS控制台中,ECS服务中的tasks选项卡显示正数,以确保ECS群集中的EC2实例数为正数。这只是一件小事,但最好是针对ELB类型、ALB、NLB或CLB,然后无需确保这是ALB。请确认在EC2控制台的目标组中,目标组实际显示了EC2实例ID。因为HTTP 503:Service Unavailable意味着负载平衡器的目标组没有根据注册的目标。因此,EC2实例可能还没有实际注册到ALB。有时这需要时间。是,在ECS服务中,一个任务正在运行。2.是,EC2实例id已注册为端口80上服务的目标组中的目标,状态为h
EalthyTanks——用同样的例子解决了我的问题。使用YAML时需要从新值中删除[]。谢谢-这解决了我在同一示例中的问题。使用YAML时,需要从新值中删除[]。