Amazon web services ALB健康检查目标不健康
我正在尝试使用Terraform和ALB配置ECS集群。这些目标被认为是不健康的。控制台运行状况检查失败时的错误代码为502,代码为:[502] 我查阅了AWS故障排除指南,但没有任何帮助 编辑:我没有在EC2容器上运行的服务/任务。它是一个普通的ECS集群 以下是我的ALB相关代码:Amazon web services ALB健康检查目标不健康,amazon-web-services,terraform,amazon-ecs,terraform-provider-aws,Amazon Web Services,Terraform,Amazon Ecs,Terraform Provider Aws,我正在尝试使用Terraform和ALB配置ECS集群。这些目标被认为是不健康的。控制台运行状况检查失败时的错误代码为502,代码为:[502] 我查阅了AWS故障排除指南,但没有任何帮助 编辑:我没有在EC2容器上运行的服务/任务。它是一个普通的ECS集群 以下是我的ALB相关代码: # Target Group declaration resource "aws_alb_target_group" "lb_target_group_somm" { name
# Target Group declaration
resource "aws_alb_target_group" "lb_target_group_somm" {
name = "${var.alb_name}-default"
port = 80
protocol = "HTTP"
vpc_id = "${var.vpc_id}"
deregistration_delay = "${var.deregistration_delay}"
health_check {
path = "/"
port = 80
protocol = "HTTP"
}
lifecycle {
create_before_destroy = true
}
tags = {
Environment = "${var.environment}"
}
depends_on = ["aws_alb.alb"]
}
# ALB Listener with default forward rule
resource "aws_alb_listener" "https_listener" {
load_balancer_arn = "${aws_alb.alb.id}"
port = "80"
protocol = "HTTP"
default_action {
target_group_arn = "${aws_alb_target_group.lb_target_group_somm.arn}"
type = "forward"
}
}
# The ALB has a security group with ingress rules on TCP port 80 and egress rules to anywhere.
# There is a security group rule for the EC2 instances that allows ingress traffic to the ECS cluster from the ALB:
resource "aws_security_group_rule" "alb_to_ecs" {
type = "ingress"
/*from_port = 32768 */
from_port = 80
to_port = 65535
protocol = "TCP"
source_security_group_id = "${module.alb.alb_security_group_id}"
security_group_id = "${module.ecs_cluster.ecs_instance_security_group_id}"
}
是否有人遇到此错误并知道如何调试/修复此错误?看起来http://ecsInstanceIp:80 没有返回HTTP 200 OK。我会先检查一下。检查实例是否为公共实例将很容易。大多数情况下都不是这样。否则,我将创建一个EC2实例并发出一个curl请求来确认这一点
您还可以检查容器日志,以查看其日志记录是否包含运行状况检查响应
希望这有帮助。祝你好运。看起来你正在尝试向ALB目标组注册ECS群集实例。这不是通过ALB向ECS服务发送流量的方式 相反,您应该让您的服务将任务加入到目标组中。这意味着,如果您使用的是主机网络,那么只有部署了任务的实例才会被注册。如果您正在使用网桥网络,那么它会将任务使用的临时端口添加到目标组中,包括允许在单个实例上有多个目标。如果您使用的是awsvpc网络,那么它将注册服务启动的每个任务的ENI 要做到这一点,您应该使用。示例可能如下所示:
resource "aws_ecs_service" "mongo" {
name = "mongodb"
cluster = "${aws_ecs_cluster.foo.id}"
task_definition = "${aws_ecs_task_definition.mongo.arn}"
desired_count = 3
iam_role = "${aws_iam_role.foo.arn}"
load_balancer {
target_group_arn = "${aws_lb_target_group.lb_target_group_somm.arn}"
container_name = "mongo"
container_port = 8080
}
}
resource "aws_security_group_rule" "alb_to_ecs" {
type = "ingress"
from_port = 32768 # ephemeral port range for bridge networking tasks
to_port = 60999 # cat /proc/sys/net/ipv4/ip_local_port_range
protocol = "TCP"
source_security_group_id = "${module.alb.alb_security_group_id}"
security_group_id = "${module.ecs_cluster.ecs_instance_security_group_id}"
}
如果您使用网桥网络,这意味着任务可以在实例的临时端口范围内访问,因此您的安全组规则需要如下所示:
resource "aws_ecs_service" "mongo" {
name = "mongodb"
cluster = "${aws_ecs_cluster.foo.id}"
task_definition = "${aws_ecs_task_definition.mongo.arn}"
desired_count = 3
iam_role = "${aws_iam_role.foo.arn}"
load_balancer {
target_group_arn = "${aws_lb_target_group.lb_target_group_somm.arn}"
container_name = "mongo"
container_port = 8080
}
}
resource "aws_security_group_rule" "alb_to_ecs" {
type = "ingress"
from_port = 32768 # ephemeral port range for bridge networking tasks
to_port = 60999 # cat /proc/sys/net/ipv4/ip_local_port_range
protocol = "TCP"
source_security_group_id = "${module.alb.alb_security_group_id}"
security_group_id = "${module.ecs_cluster.ecs_instance_security_group_id}"
}
我刚刚确认,当在容器本身上运行时,实际的datadog运行状况检查正在正确运行-/opt/datadog agent/bin/agent/agent health agent health:PASS,因此坏网关错误似乎是由于ALB和EC2容器实例之间的连接,正如您指出的。我做了修改,正如你提到的,现在使用桥接模式,但同样的错误。我让它工作。我的端口不匹配,而且超时时间间隔有点短。