Problem accessing an ASG in a private subnet from an ALB

I get a 502 error from the ALB.

My VPC and routes (note: the closing braces and most `${...}` references were lost when the code was pasted):

# The VPC everything below lives in. CIDR and tenancy come from variables;
# DNS support and DNS hostnames are both enabled.
# NOTE(review): every resource in this listing is missing its closing braces
# and most "${}" references are empty — that is paste damage, not the real code.
resource "aws_vpc" "My_VPC" {
  cidr_block           = "${var.vpcCIDRblock}"
  instance_tenancy     = "${var.instanceTenancy}" 
  enable_dns_support   = "true" 
  enable_dns_hostnames = "true"
tags = {
    Name = "My VPC"
# Public subnet in eu-central-1a. Instances launched here get a public IP.
# NOTE(review): the vpc_id reference was stripped in the paste ("${}");
# presumably aws_vpc.My_VPC.id — confirm.
resource "aws_subnet" "Public_Subnet" {
  vpc_id                  = "${}"
  cidr_block              = "${var.subnetCIDRblock}"
  map_public_ip_on_launch = "true" 
  availability_zone       = "eu-central-1a"
tags= {
   Name = "My Public Subnet"

# Second public subnet, intended as the ALB's second AZ.
# BUG: "eu-central-1" is the region name, not an availability zone, so this
# subnet is invalid as written. An internet-facing ALB needs subnets in at
# least two distinct AZs, so this should be a different AZ than
# Public_Subnet (e.g. "eu-central-1b"), not a copy of it.
resource "aws_subnet" "Public_Subnet_elb" {
  vpc_id                  = "${}"
  cidr_block              = "${var.subnetCIDRblock4}"
  map_public_ip_on_launch = "true" 
  availability_zone       = "eu-central-1"
tags = {
   Name = "My Public Subnet ELB"

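# Private subnet for the ASG instances: no public IPs, egress only via the
# NAT gateway (see aws_route.private).
# FIX: the AZ was written as "$eu-central-1a" — the stray "$" made it an
# invalid AZ name. Corrected to "eu-central-1a".
# NOTE(review): vpc_id and cidr_block were stripped in the paste; vpc_id is
# presumably aws_vpc.My_VPC.id, the CIDR must be filled in from your variables.
resource "aws_subnet" "Private_Subnet" {
  vpc_id                  = "${}"
  cidr_block              = ""
  map_public_ip_on_launch = "false" 
  availability_zone       = "eu-central-1a"
  tags = {
    Name = "My_Private_Subnet"
  }
}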

# Internet gateway for the VPC; used by the public route table below and as
# a depends_on anchor for the EIP / NAT gateway.
resource "aws_internet_gateway" "My_VPC_GW" {
  vpc_id = "${}"
tags = {
        Name = "My VPC Internet Gateway"

# Public route table: one route via the internet gateway.
# NOTE(review): the route's cidr_block and gateway_id were stripped in the
# paste; for a public table this is normally "0.0.0.0/0" pointing at
# aws_internet_gateway.My_VPC_GW.id — confirm in the real file.
resource "aws_route_table" "eu-central-1a" {
    vpc_id = "${}"
    route {
        cidr_block = ""
        gateway_id = "${}"

    tags  = {
        Name = "Public Subnet"
# Makes the public (IGW) route table the VPC's *main* route table.
# SECURITY(review): the main table is inherited by every subnet that has no
# explicit association, so any subnet you add later — or the private subnet
# before its association is applied — silently gets a default route to the
# internet gateway. Safer to leave the main table without an IGW route and
# associate the public table only with the public subnets explicitly.
resource "aws_main_route_table_association" "public" {
  vpc_id                 = "${}"
  route_table_id         = "${}"

# Attach Public_Subnet to the public route table (references stripped in the paste).
resource "aws_route_table_association" "eu-central-1a-public" {
    subnet_id = "${}"
    route_table_id = "${}"

# Attach Public_Subnet_elb to the public route table (references stripped in the paste).
resource "aws_route_table_association" "elb" {
    subnet_id = "${}"
    route_table_id = "${}"
# Elastic IP for the NAT gateway. depends_on the IGW because an EIP in a VPC
# can only be associated once the VPC has an internet gateway.
resource "aws_eip" "eip" {
  vpc        = true
  depends_on = ["aws_internet_gateway.My_VPC_GW"]
# NAT gateway giving the private subnet outbound internet access.
# NOTE(review): subnet_id was stripped in the paste. It MUST be one of the
# public subnets (a subnet whose route table has the IGW route). If it is
# placed in Private_Subnet the instances have no egress, the user_data
# package install never completes, Apache never listens on :80, and the ALB
# ends up with no healthy targets — a likely cause of the 502s. Verify this
# reference first.
resource "aws_nat_gateway" "gateway" {
    allocation_id = "${}"
    subnet_id     = "${}"
    depends_on    = ["aws_internet_gateway.My_VPC_GW"]
# Public IP of the NAT gateway (the EIP above); useful for allow-listing egress.
output "NAT_GW_IP" {
  value = "${aws_eip.eip.public_ip}"
## Routing table

# Route table for the private subnet; its NAT route is added separately
# in aws_route.private below.
resource "aws_route_table" "private_route_table" {
    vpc_id   = "${}"
# Default route for the private subnet via the NAT gateway.
# NOTE(review): destination_cidr_block and the two references were stripped
# in the paste; the destination is presumably "0.0.0.0/0" — confirm.
resource "aws_route" "private" {
  route_table_id         = "${}"
  destination_cidr_block = ""
  nat_gateway_id         = "${}"
# Associate subnet private_subnet to private route table
# Attach Private_Subnet to the private (NAT) route table. Until this
# association exists the subnet falls back to the main route table, which
# the aws_main_route_table_association above points at the IGW table.
resource "aws_route_table_association" "private_subnet_association" {
    subnet_id = "${}"
    route_table_id = "${}"

Each security group allows inbound traffic on ports 80, 443 and 22; the outbound rules are (sentence cut off in the original)


# Internet-facing ALB in front of the ASG.
# - subnets: an ALB requires subnets in at least two different AZs; as
#   written the second subnet (Public_Subnet_elb) has an invalid AZ, so
#   this needs fixing before the ALB can work across two AZs.
# - security_groups (reference stripped in the paste): the ALB's SG only
#   needs inbound 80/443 from the internet; it does not need 22.
# - depends_on the NAT gateway is unnecessary — the ALB does not use NAT.
# - access_logs: the "test-listener" bucket must have a bucket policy that
#   allows the regional ELB log-delivery account to write under the prefix,
#   otherwise creating the ALB with logging enabled fails.
# - tags say "production", but the only listener (front_end) is plain HTTP;
#   see the note on aws_lb_listener.front_end.
resource "aws_lb" "test" {
  name               = "test-lb-tf"
  internal           = false
  load_balancer_type = "application"
  security_groups    = ["${}"]
  subnets            = ["${}","${}"]

  enable_deletion_protection = false
  depends_on = ["aws_nat_gateway.gateway"]
  access_logs {
    bucket  = "test-listener"
    prefix  = "test-lb"
    enabled = true

  tags = {
    Environment = "production"
# Target group the ASG registers its instances into (HTTP on 80).
# NOTE(review): vpc_id is empty here — paste damage; presumably
# aws_vpc.My_VPC.id.
# Health check tuning is extreme: interval 300 s with healthy_threshold 10
# means a fresh instance needs 10 consecutive passes = ~50 minutes before it
# is "healthy", and 50 minutes of failures before it is "unhealthy". During
# that window the ALB has no healthy target to send requests to, which
# produces 502/503 responses even when Apache is fine. Something like
# interval = "30", healthy_threshold = "2", unhealthy_threshold = "3" is a
# more usual starting point; keep timeout (10) below interval.
resource "aws_lb_target_group" "test" {
  name     = "moodle-tg"
  port     = "80"
  protocol = "HTTP"
  vpc_id   =
  target_type = "instance"
  deregistration_delay = "300"
  health_check {
    path = "/"
    interval = "300"
    port = "80"
    matcher = "200"
    protocol = "HTTP"
    timeout = "10"
    healthy_threshold = "10" 
    unhealthy_threshold= "10" 
# HTTP :80 listener forwarding everything to the target group.
# SECURITY(review): this is the only listener, so the "production" ALB
# serves plain HTTP end to end. For anything real add an HTTPS :443
# listener with an ACM certificate and turn this one into a redirect to 443.
# depends_on the NAT gateway is unnecessary for a listener.
resource "aws_lb_listener" "front_end" {
  load_balancer_arn = aws_lb.test.arn
  port              = "80"
  protocol          = "HTTP"
  depends_on = ["aws_nat_gateway.gateway"]
  default_action {
    target_group_arn = "${aws_lb_target_group.test.arn}"
    type             = "forward"
# Listener rule matching the exact path "/" and forwarding to the same
# target group the listener's default action already forwards to — it is
# redundant as written and can be dropped (harmless, but not the 502 cause).
# depends_on the NAT gateway is unnecessary here too.
resource "aws_lb_listener_rule" "asg-listener_rule" {
    listener_arn    = aws_lb_listener.front_end.arn
    priority        = 100
    depends_on = ["aws_nat_gateway.gateway"]
    condition {
      path_pattern {
        values = ["/"]
    action {
        type = "forward"
        target_group_arn = aws_lb_target_group.test.arn


# Launch configuration for the web instances. image_id, the security group
# and the user_data file path were stripped in the paste.
# depends_on the NAT gateway is justified here: user_data installs Apache
# from the internet, so the instance needs egress before it can become healthy.
# SECURITY(review): per the question the SGs allow inbound 80, 443 and 22.
# For instances behind the ALB, restrict 80 to the ALB's security group
# (source = the ALB SG, not 0.0.0.0/0), drop 443 unless the instances
# terminate TLS themselves, and do not expose 22 to the internet — reach
# private instances via a bastion or SSM Session Manager instead. The
# private subnet alone does not protect a world-open rule if the SG is reused.
resource "aws_launch_configuration" "moodle-lc" {
    name_prefix = "moodle-lc-"
    image_id = "${}"
    instance_type = "${var.instance}"
    security_groups = ["${}"]
    key_name = "moodle_agents"
    user_data = "${file("")}"
    depends_on = ["aws_nat_gateway.gateway"]
    lifecycle {
        create_before_destroy = true

# ASG (1..20, desired 2) placed in the private subnet (vpc_zone_identifier
# reference stripped) and registered with the target group above.
# health_check_type = "ELB" with a 300 s grace period means the ASG trusts
# the target-group health check to decide instance health; with the target
# group's current ~50-minute healthy window, check the ASG activity history
# to confirm instances are not being replaced before they ever pass.
# force_delete = true will tear down instances without waiting for them to
# drain on destroy — fine for a test stack, worth reconsidering for "production".
resource "aws_autoscaling_group" "moodle-agents" {
    vpc_zone_identifier = ["${}"]
    name = "agents"
    max_size = "20"
    min_size = "1"
    health_check_grace_period = 300
    health_check_type = "ELB"
    desired_capacity = 2
    target_group_arns = ["${aws_lb_target_group.test.arn}"]
    force_delete = true
    launch_configuration = "${}"
    depends_on = ["aws_nat_gateway.gateway"]
    lifecycle {
        create_before_destroy = true
    tag {
        key = "Name"
        value = "Agent Instance"
        propagate_at_launch = true

The user_data script just installs the Apache web server and starts it.

I read this article (link) and my code looks the same to me; can someone please explain where I made a mistake?

Without the NAT gateway (i.e. with the ASG instances in the public subnet) everything works fine, but it makes no sense to use an ALB to reach instances that are already directly reachable from the internet.


Your general architecture is correct, although there are still some mistakes:

  1. Incorrect AZ (the stray `$` makes this an invalid zone name):
 availability_zone       = "$eu-central-1a"
  2. Again a wrong AZ — this is the region name, not an availability zone:
 availability_zone       = "eu-central-1"

An ALB must be attached to subnets in at least two different AZs, so you probably want one public subnet in "eu-central-1a" and another in "eu-central-1b".