【Question title】: Terraform Load Balancer Health Check fails for instance in asg
【Posted】: 2021-04-04 23:18:09
【Question】:

I launched a private instance in an ASG. In the public subnet I created an Application Load Balancer to connect to the private instance. Problem: the target group shows the health check failing for the ASG instance. Question: how do I fix this so that the health check passes? Please help me resolve this, because accessing it from a browser times out.

**alb.tf**
```hcl
resource "aws_lb" "ops_manager_app_lb" {
  name            = "ops-manager-app-lb"
  internal        = false
  security_groups = [ aws_security_group.ops_lb_sg.id ]
  subnets         = [ var.PUB_SUBNET_NAT, var.PUB_SUBNET_2 ]
}

resource "aws_lb_target_group" "opsmanager_target_group_8080" {
  depends_on = [ aws_lb.ops_manager_app_lb ]
  name       = "opsmanager-target-group-8080"
  port       = 8080
  protocol   = "HTTP"
  vpc_id     = var.AWS_VPC

  health_check {
    path                = "/"
    port                = 8080
    protocol            = "HTTP"
    healthy_threshold   = 3
    unhealthy_threshold = 3
    matcher             = "200-499"
  }
}

resource "aws_lb_listener" "ops_alb_listener_8080" {
  load_balancer_arn = aws_lb.ops_manager_app_lb.arn
  port              = "8080"
  protocol          = "HTTP"
  #certificate_arn   = "${var.elk_cert_arn}"

  default_action {
    target_group_arn = aws_lb_target_group.opsmanager_target_group_8080.arn
    type             = "forward"
  }
}
```

**sg.tf**
```hcl
resource "aws_security_group" "ops_lb_sg" {
  name        = "opsmanager_app_lb"
  description = "Security Group for OpsManager ALB"
  vpc_id      = var.AWS_VPC

  ingress {
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = [ var.VPC_CIDR ]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

### OpsManager Application Server Security Group ###
resource "aws_security_group" "application_opsmanager_sg" {
  name        = "application_opsmanager_sg"
  description = "Security Group for OpsManager Application Instance"
  vpc_id      = var.AWS_VPC

  ingress {
    description     = "TCP port for HTTP service"
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [ aws_security_group.ops_lb_sg.id ]
    #cidr_blocks = [var.VPC_CIDR]
  }
}
```

**main.tf**
```hcl
resource "aws_launch_configuration" "lc_opsmanager" {
  name                 = "ops_manager_launch"
  image_id             = var.AMIS
  instance_type        = var.INSTANCE_TYPE["OPS_APP"]
  iam_instance_profile = data.aws_iam_instance_profile.application_instance_profile.name
  key_name             = var.KEY_NAME
  security_groups      = [data.aws_security_group.application_sg.id, aws_security_group.ops_lb_sg.id ]
}

resource "aws_autoscaling_group" "asg_opsmanager" {
  name             = "asg-ops-manager"
  max_size         = 2
  min_size         = 1
  desired_capacity = 1
  #availability_zones        = [ data.aws_availability_zone.az_primary.name ]
  vpc_zone_identifier       = [var.PRIV_SUBNET_OPS]
  health_check_type         = "EC2"
  health_check_grace_period = 300
  launch_configuration      = aws_launch_configuration.lc_opsmanager.id
  target_group_arns = [ aws_lb_target_group.opsmanager_target_group_8080.arn ]

  tag {
    key                 = "Name"
    value               = "ops_manager_application"
    propagate_at_launch = true
  }
}
```

【Comments on the question】:

  • What exactly is your server running? The AMI is not shown? User data is not shown/missing? The subnet and VPC configuration are not shown either.
  • The server has only just been launched (no software installed); the rest is job-specific.

Tags: amazon-web-services terraform load-balancing autoscaling


【Solution 1】:

There may be many issues with your architecture, but one thing that is clearly responsible for blocking access to the ALB is an incorrect security group.

Namely, the ALB uses ops_lb_sg, which does not allow internet traffic. Instead, it only allows traffic from var.VPC_CIDR. To allow internet connections it should be:

```hcl
cidr_blocks = [ "0.0.0.0/0" ]
```

or the CIDR range of your home/work network.

【Discussion】:

  • I tried opening the cidr_block; the same problem persists.
  • @Kevin As I wrote, you have to provide more details, because there can be further causes: a misconfigured VPC, subnets, route tables, AMI, user data.
  • Actually, cidr_blocks [0.0.0.0/0] on ops_lb_sg works now.. a bit reluctant to share subnet details.. problem solved, I changed the cidr to my work network.. thank you for your support
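The following is an added example, not the asker's configuration or the answerer's code, showing how the security group pair, target group and autoscaling group from the question could be written so that the health-check path is explicit and least-privilege: clients reach the ALB on 8080 from the internet (the fix the answer proposes) or from an admin range, the ALB's egress is limited to the target port towards the instance security group, the instances accept 8080 only from the ALB's security group, and the launch configuration attaches the instance security group rather than the ALB's own group (the question's launch configuration attaches `ops_lb_sg` to the instances). It also narrows the health-check matcher from `200-499` to `200`, because with `200-499` a 403 or 404 from a half-configured server still counts as healthy, and sets the ASG to use the ELB health check so that instances the target group marks unhealthy are replaced. The variables `var.AWS_VPC`, `var.AMIS`, `var.INSTANCE_TYPE`, `var.KEY_NAME`, `var.PRIV_SUBNET_OPS`, the instance profile data source and the load balancer resource names come from the question; `var.ADMIN_CIDR` is an assumed placeholder for the operator's office or VPN range. Standalone `aws_security_group_rule` resources are used because two `aws_security_group` resources that reference each other inline create a dependency cycle in Terraform.

```hcl
# Added example (not the question's or answer's code). Assumes the question's
# variables and resource names; var.ADMIN_CIDR is a placeholder for the
# operator's network range.

# ALB security group. Rules are attached separately so the ALB and instance
# groups can reference each other without a Terraform dependency cycle.
resource "aws_security_group" "ops_lb_sg" {
  name        = "opsmanager_app_lb"
  description = "Security Group for OpsManager ALB"
  vpc_id      = var.AWS_VPC
}

# Listener port reachable from clients: 0.0.0.0/0 as in the accepted fix,
# or [var.ADMIN_CIDR] if only the operator network should reach the ALB.
resource "aws_security_group_rule" "alb_in_8080" {
  type              = "ingress"
  security_group_id = aws_security_group.ops_lb_sg.id
  from_port         = 8080
  to_port           = 8080
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] # or [var.ADMIN_CIDR]
}

# ALB egress restricted to the target/health-check port on the instance SG.
resource "aws_security_group_rule" "alb_out_to_app" {
  type                     = "egress"
  security_group_id        = aws_security_group.ops_lb_sg.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.application_opsmanager_sg.id
}

# Instance security group: 8080 only from the ALB, never from the whole VPC.
resource "aws_security_group" "application_opsmanager_sg" {
  name        = "application_opsmanager_sg"
  description = "Security Group for OpsManager Application Instance"
  vpc_id      = var.AWS_VPC
}

resource "aws_security_group_rule" "app_in_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.application_opsmanager_sg.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ops_lb_sg.id
}

# Terraform strips the default egress rule, so instances need one to fetch
# packages; tighten the CIDR to a proxy or VPC endpoints where possible.
resource "aws_security_group_rule" "app_out_all" {
  type              = "egress"
  security_group_id = aws_security_group.application_opsmanager_sg.id
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Target group: match only 200 so a 4xx from a misconfigured server is unhealthy.
resource "aws_lb_target_group" "opsmanager_target_group_8080" {
  name     = "opsmanager-target-group-8080"
  port     = 8080
  protocol = "HTTP"
  vpc_id   = var.AWS_VPC

  health_check {
    path                = "/"
    port                = "traffic-port"
    protocol            = "HTTP"
    healthy_threshold   = 3
    unhealthy_threshold = 3
    matcher             = "200"
  }
}

# Launch configuration attaches the instance SG, not the ALB's SG.
resource "aws_launch_configuration" "lc_opsmanager" {
  name                 = "ops_manager_launch"
  image_id             = var.AMIS
  instance_type        = var.INSTANCE_TYPE["OPS_APP"]
  iam_instance_profile = data.aws_iam_instance_profile.application_instance_profile.name
  key_name             = var.KEY_NAME
  security_groups      = [aws_security_group.application_opsmanager_sg.id]
}

# ASG uses the ELB health check so instances failing the target group check
# are replaced instead of staying in service as "EC2 healthy".
resource "aws_autoscaling_group" "asg_opsmanager" {
  name                      = "asg-ops-manager"
  max_size                  = 2
  min_size                  = 1
  desired_capacity          = 1
  vpc_zone_identifier       = [var.PRIV_SUBNET_OPS]
  health_check_type         = "ELB"
  health_check_grace_period = 300
  launch_configuration      = aws_launch_configuration.lc_opsmanager.id
  target_group_arns         = [aws_lb_target_group.opsmanager_target_group_8080.arn]
}
```

With this layout the only path to port 8080 on the instances is through the ALB, so a health check that still fails points at the instance itself (nothing listening on 8080, a missing route from the private subnet back to the ALB's subnets, or an AMI/user data problem, as the answerer's comment lists) rather than at the security groups.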