我试图建立两种情况下的弹性负载均衡器,但无法弄清楚如何我应该通过负载均衡器来访问实例。
I'm trying to set up two instances under an elastic load balancer, but cannot figure out how I'm supposed to access the instances through the load balancer.
我已经设置了实例与安全组允许从任何地方访问某些端口。我可以直接用他们的公共DNS(publicdns)主机名和端口端口访问实例:
I've set up the instances with a security group to allow access from anywhere to certain ports. I can access the instances directly using their "Public DNS" (publicdns) host name and the port PORT:
HTTP:// [publicdns]:PORT /
http://[publicdns]:PORT/
负载平衡器包含两个实例和它们都是以服务和它的转发端口(PORT)上的实例相同的端口
The load balancer contains the two instances and they are both "In Service" and it's forwarding the port (PORT) onto the same port on the instances.
不过,如果我要求
HTTP:// [DNSNAME]:端口(其中DNSNAME是列出的ELB的A记录)
http://[dnsname]:PORT (where dnsname is the A Record listed for the ELB)
它不连接到该实例(连接超时)。
it doesn't connect to the instance (connection times out).
这是不使用负载均衡器的正确方法,或者说我需要做什么,以允许访问的负载均衡?相对于负载均衡,只有提起安全组是的限制的访问实例负载平衡器而已,但我不希望出现这种情况。我希望能够访问它们单独以及
Is this not the correct way to use the load balancer, or do I need to do anything to allow access to the load balancer? The only mention of security groups in relation to the load balancer is to restrict access to the instances to the load balancer only, but I don't want that. I want to be able to access them individually as well.
我敢肯定有一些简单的和愚蠢的,我已经忘记了,没有意识到或者做错了:P
I'm sure there's something simple and silly that I've forgotten, not realised or done wrong :P
干杯, 斯文。
额外的信息补充:
端口配置为负载平衡器看起来是这样的(实际上是3个):
The Port Configuration for the Load Balancer looks like this (actually 3 ports):
10060(HTTP)转发到10060(HTTP) 粘性:禁用(编辑)
10060 (HTTP) forwarding to 10060 (HTTP) Stickiness: Disabled(edit)
10061(HTTP)转发到10061(HTTP)的 粘性:禁用(编辑)
10061 (HTTP) forwarding to 10061 (HTTP) Stickiness: Disabled(edit)
10062(HTTP)转发到10062(HTTP)的 粘性:禁用(编辑)
10062 (HTTP) forwarding to 10062 (HTTP) Stickiness: Disabled(edit)
和它的使用标准/默认的ELB安全组(亚马逊ELB-SG)。
And it's using the standard/default elb security group (amazon-elb-sg).
该实例有两个安全组。一个外部看是这样的:
The instances have two security groups. One external looking like this:
22(SSH)           0.0.0.0/0 10060 - 10061 0.0.0.0/0 10062             0.0.0.0/0
22 (SSH)0.0.0.0/0 10060 - 10061 0.0.0.0/0 10062 0.0.0.0/0
和一个内部,允许内部组内任何对所有端口进行通信:
and one internal, allowing anything within the internal group to communicate on all ports:
0 - 65535 SG-XXXXXXXX(安全组ID)
0 - 65535 sg-xxxxxxxx (security group ID)
不知道这有什么差别,但实例的m1.small类型的图像AMI-31814f58的。
Not sure it makes any difference, but the instances are m1.small types of image ami-31814f58.
东西可能有相关性:
我的健康检查曾经是HTTP:PORT /但负载平衡器口口声声说的情况是不在服务区,即使我似乎得到一个200响应在该端口上的请求
My health check used to be HTTP:PORT/ but the load balancer kept saying that the instances were "Out of Service", even though I seem to get a 200 response on the request on that port.
然后,我把它改为TCP:端口,并随后改口说他们是在服务
I then changed it to TCP:PORT and it then changed to say they were "In Service".
有什么非常特殊的,应该为HTTP则返回,或者是它只是一个的需要的HTTP 200回应? ...和做一个事实,即它不工作提示对为什么负载均衡本身是不工作要么?
Is there something very specific that should be returned for the HTTP one, or is it simply a HTTP 200 response that's required? ... and does the fact that it wasn't working hint towards why the load balancing itself wasn't working either?
推荐答案
这听起来像你拥有了一切正确设置。他们是进入负载均衡器作为实例相同的端口?或者,您将请求转发到另一个端口?
It sounds like you have everything set up correctly. Are they the same ports going into the loadbalancer as the instance? Or are you forwarding the request to another port?
作为一个方面说明,当我配置我loadbalancers我一般不喜欢打开了我的情况下,任何端口上,为广大市民。我只允许负载均衡器发出请求到这些实例。我注意到,在过去,很多人会做出恶意请求到该实例的IP试图找到一个安全漏洞。我还看到有人试图蛮力登录到我的Windows机器....
As a side note, when I configure my loadbalancers I don't generally like to open up my instances on any port for the general public. I only allow the loadbalancer to make requests to those instances. I've noticed in the past that many people will make malicious requests to the IP of the instance trying to find a security breach. I've even seen people trying to brute force login into my windows machines....
要创建安全规则,只为loadbalancers运行下面的命令,并删除您的安全组的负载均衡器正在使用的端口的任何其他规则。如果你不使用命令行运行这些命令,然后只是让我知道你想使用的接口,我可以试着拿出一个样本会为你工作。
To create a security rule only for the loadbalancers run the following commands and remove any other rules you have in the security-group for the port the loadbalancer is using. If you're not using the commandline to run these commands then just let me know which interface you're trying to use and i can try to come up with a sample that will work for you.
elb-create-lb-listeners <load-balancer> --listener "protocol=http, lb-port=<port>, instance-port=<port>"
ec2-authorize <security-group> -o amazon-elb-sg -u amazon-elb
回到你的问题。就像我说的,你解释的步骤是正确的,开放的端口上的实例,并转发端口的情况下应该是足够的。也许你需要来发表您的实例的安全组和负载均衡器的完整的配置,这样我可以看到,如果有别的东西影响你的情况。
Back to your question. Like I said, the steps you explained are correct, opening the port on the instance and forwarding the port to the instance should be enough. Maybe you need to post the full configuration of your instance's security group and the loadbalancer so that I can see if there is something else affecting your situation.
相关推荐
最新文章