Amazon web services ALB健康检查目标不健康

我正在尝试使用Terraform和ALB配置ECS集群。这些目标被认为是不健康的。控制台运行状况检查失败时的错误代码为502，代码为：[502] 我查阅了AWS故障排除指南，但没有任何帮助

编辑：我没有在EC2容器上运行的服务/任务。它是一个普通的ECS集群

以下是我的ALB相关代码：

# Target Group declaration 

resource "aws_alb_target_group" "lb_target_group_somm" {
  name                 = "${var.alb_name}-default"
  port                 = 80
  protocol             = "HTTP"
  vpc_id               = "${var.vpc_id}"
  deregistration_delay = "${var.deregistration_delay}"
  health_check {
    path     = "/"
    port     = 80
    protocol = "HTTP"
  }

  lifecycle {
    create_before_destroy = true
  }

  tags = {
    Environment = "${var.environment}"
  }

  depends_on = ["aws_alb.alb"]
}

# ALB Listener with default forward rule

resource "aws_alb_listener" "https_listener" {
  load_balancer_arn = "${aws_alb.alb.id}"
  port              = "80"
  protocol          = "HTTP"

  default_action {
    target_group_arn = "${aws_alb_target_group.lb_target_group_somm.arn}"
    type             = "forward"
  }
}

# The ALB has a security group with ingress rules on TCP port 80 and egress rules to anywhere. 
# There is a security group rule for the EC2 instances that allows ingress traffic to the ECS cluster from the ALB: 

resource "aws_security_group_rule" "alb_to_ecs" {
  type                     = "ingress"
  /*from_port                = 32768 */
  from_port                = 80
  to_port                  = 65535
  protocol                 = "TCP"
  source_security_group_id = "${module.alb.alb_security_group_id}"
  security_group_id        = "${module.ecs_cluster.ecs_instance_security_group_id}"
}

是否有人遇到此错误并知道如何调试/修复此错误？

看起来http://ecsInstanceIp:80 没有返回HTTP 200 OK。我会先检查一下。检查实例是否为公共实例将很容易。大多数情况下都不是这样。否则，我将创建一个EC2实例并发出一个curl请求来确认这一点

您还可以检查容器日志，以查看其日志记录是否包含运行状况检查响应

---

希望这有帮助。祝你好运。

看起来你正在尝试向ALB目标组注册ECS群集实例。这不是通过ALB向ECS服务发送流量的方式

相反，您应该让您的服务将任务加入到目标组中。这意味着，如果您使用的是主机网络，那么只有部署了任务的实例才会被注册。如果您正在使用网桥网络，那么它会将任务使用的临时端口添加到目标组中，包括允许在单个实例上有多个目标。如果您使用的是awsvpc网络，那么它将注册服务启动的每个任务的ENI

要做到这一点，您应该使用。示例可能如下所示：

resource "aws_ecs_service" "mongo" {
  name            = "mongodb"
  cluster         = "${aws_ecs_cluster.foo.id}"
  task_definition = "${aws_ecs_task_definition.mongo.arn}"
  desired_count   = 3
  iam_role        = "${aws_iam_role.foo.arn}"

  load_balancer {
    target_group_arn = "${aws_lb_target_group.lb_target_group_somm.arn}"
    container_name   = "mongo"
    container_port   = 8080
  }
}

resource "aws_security_group_rule" "alb_to_ecs" {
  type                     = "ingress"
  from_port                = 32768 # ephemeral port range for bridge networking tasks
  to_port                  = 60999 # cat /proc/sys/net/ipv4/ip_local_port_range
  protocol                 = "TCP"
  source_security_group_id = "${module.alb.alb_security_group_id}"
  security_group_id        = "${module.ecs_cluster.ecs_instance_security_group_id}"
}

如果您使用网桥网络，这意味着任务可以在实例的临时端口范围内访问，因此您的安全组规则需要如下所示：

resource "aws_ecs_service" "mongo" {
  name            = "mongodb"
  cluster         = "${aws_ecs_cluster.foo.id}"
  task_definition = "${aws_ecs_task_definition.mongo.arn}"
  desired_count   = 3
  iam_role        = "${aws_iam_role.foo.arn}"

  load_balancer {
    target_group_arn = "${aws_lb_target_group.lb_target_group_somm.arn}"
    container_name   = "mongo"
    container_port   = 8080
  }
}

resource "aws_security_group_rule" "alb_to_ecs" {
  type                     = "ingress"
  from_port                = 32768 # ephemeral port range for bridge networking tasks
  to_port                  = 60999 # cat /proc/sys/net/ipv4/ip_local_port_range
  protocol                 = "TCP"
  source_security_group_id = "${module.alb.alb_security_group_id}"
  security_group_id        = "${module.ecs_cluster.ecs_instance_security_group_id}"
}

---

我刚刚确认，当在容器本身上运行时，实际的datadog运行状况检查正在正确运行-/opt/datadog agent/bin/agent/agent health agent health:PASS，因此坏网关错误似乎是由于ALB和EC2容器实例之间的连接，正如您指出的。我做了修改，正如你提到的，现在使用桥接模式，但同样的错误。我让它工作。我的端口不匹配，而且超时时间间隔有点短。