AWS EC2 Internet access from behind Load Balancer


Using Terraform to set up a VPC with two EC2s in private subnets. The setup needs to SSH to the EC2s to install package updates from the Internet and install the application software. To do this there is an IGW and a NAT-GW in a public subnet. Both EC2s can access the Internet at this point as both private subnets are routing to the NAT-GW. Terraform and SSH to the private subnets is done via Client VPN.

One of the EC2s is going to host a web service so a Classic mode Load Balancer is added and configured to target the web server EC2. Using Classic mode because I can't find a way to make Terraform build Application mode LBs. The Load Balancer requires the instance to be using a subnet that routes to the IGW, so it is changed from routing to the NAT-GW, to the IGW. At this point, the Load Balancer comes online with the EC2 responding and public Internet can access the web service using the DNS supplied End Point for the LB.

But now the web server EC2 can no longer access the Internet itself. I can't curl google.com or get package updates.

I would like to find a way to let the EC2 access the Internet from behind the LB and not use CloudFront at this time.

I would like to keep the EC2 in a private subnet because a public subnet causes the EC2 to have a public IP address, and I don't want that.

Looking for a way to make the LB work without switching subnets, as that would make the EC2 web service unavailable when doing updates.

Not wanting any iptables or firewalld tricks. I would really like an AWS solution that is distro-agnostic.


A few points/clarifications about the problems you're facing:

  • Instances on a public subnet do not need a NAT Gateway. They can initiate outbound requests to the internet via IGW. NGW is for allowing outbound IPv4 connections from instances in private subnets.
  • The load balancer itself needs to be on a public subnet. The instances that the LB will route to do not. They can be in the same subnet or different subnets, public or private, as long as traffic is allowed through security groups.
  • You can create instances without a public IP, on a public subnet. However, they won't be able to receive or send traffic to the internet.
  • Terraform supports ALBs. The resource is aws_lb with load_balancer_type set to "application" (this is the default option).

That said, the public-private configuration you want is entirely possible.

  1. Your ALB and NAT Gateway need to be on the public subnet, and EC2 instances on the private subnet.
  2. The private subnet's route table needs to have a route to the NGW, to facilitate outbound connections.
  3. EC2 instances' security group needs to allow traffic from the ALB's security group.

It sounds like you got steps 1 and 2 working, so the connection from ALB to EC2 is what you have to work on. See the documentation page here as well - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
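The answer's three steps written out as Terraform, as an added example that is not the question's or the answer's own code. It assumes the poster's existing resources are named aws_vpc.main, aws_subnet.private (a map with one entry per private subnet), aws_subnet.public_a and aws_subnet.public_b, aws_nat_gateway.nat and aws_instance.web; the security group names and the Client VPN client CIDR are placeholders too. Two public subnets appear because an ALB must be given subnets in at least two Availability Zones, which the question's single public subnet does not satisfy on its own.

```hcl
# Added example, not the question's or the answer's own code: the answer's three
# steps as Terraform. Assumed names for resources the poster already has:
# aws_vpc.main, aws_subnet.private (a map with one entry per private subnet),
# aws_subnet.public_a / aws_subnet.public_b, aws_nat_gateway.nat, aws_instance.web.
# SG names and the Client VPN client CIDR below are placeholders as well.

# Step 2: both private subnets default-route to the NAT GW. The web EC2 keeps
# outbound Internet for package updates and never needs a route to the IGW.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "private" {
  for_each       = aws_subnet.private
  subnet_id      = each.value.id
  route_table_id = aws_route_table.private.id
}

# Only the ALB carries this SG, so only the ALB is reachable from the Internet.
resource "aws_security_group" "alb" {
  name   = "web-alb-sg"
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  # Terraform removes the AWS default allow-all egress; ALB -> instance needs one.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Step 3: the instance admits the web port only from the ALB's SG, and SSH only
# from the Client VPN client range. There is no 0.0.0.0/0 ingress at all.
resource "aws_security_group" "web" {
  name   = "web-instance-sg"
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.100.0.0/22"] # placeholder: Client VPN client CIDR
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"] # updates leave through the NAT GW
  }
}

# Step 1: an Application LB (aws_lb) in the public subnets. An ALB needs public
# subnets in at least two AZs, so a second public subnet is required.
resource "aws_lb" "web" {
  name               = "web-alb"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = [aws_subnet.public_a.id, aws_subnet.public_b.id]
}

resource "aws_lb_target_group" "web" {
  name     = "web-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = aws_vpc.main.id
}

resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# The private-subnet instance is the target; it never gets a public IP.
resource "aws_lb_target_group_attachment" "web" {
  target_group_arn = aws_lb_target_group.web.arn
  target_id        = aws_instance.web.id
  port             = 80
}
```

With this layout the instance's subnet never changes: the ALB reaches it on port 80 through the private IP, and the instance's own outbound traffic (curl, package updates) leaves through the NAT Gateway's Elastic IP, so updates can be applied over the Client VPN while the service stays up. The listener is plain HTTP to keep the example self-contained; terminating TLS at the ALB means adding an HTTPS listener that references an ACM certificate. Run `terraform plan` first and confirm that the only ingress rule on the instance SG with a CIDR source is the SSH rule for the VPN range.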