时间戳

首页 > 解决方案 > 在 terraform 中配置内部网络负载均衡器

amazon-web-services - 在 terraform 中配置内部网络负载均衡器

问题描述

我有一个外部网络负载均衡器(监听端口 80),它将流量转发到 ServiceA 实例(端口 9000)。我想配置一个内部网络负载均衡器,它将从 ServiceA 实例获取请求并将它们转发到 ServiceB 实例。但是,我在 terrafrom 中配置内部 NLB 时遇到问题。这是我目前所拥有的:

resource "aws_security_group" "allow-all-traffic-for-internal-nlb" {
  name = "int-nlb"
  description = "Allow inbound and outbound traffic for internal NLB"
  vpc_id = "${aws_vpc.default.id}"
  ingress {
    from_port = 81
    protocol = "tcp"
    to_port = 81
    cidr_blocks = ["10.61.110.0/24"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "serviceB_lb" {
  name = "serviceB-internal-lb"
  internal = true
  load_balancer_type = "network"
  subnets = ["${aws_subnet.sub.id}"]
}

resource "aws_lb_listener" "serviceB-internal-lb-listener" {
  load_balancer_arn = "${aws_lb.serviceB_lb.arn}"
  port = 81
  protocol = "TCP"

  default_action {
    target_group_arn = "${aws_lb_target_group.serviceB-internal-lb-tg.arn}"
    type = "forward"
  }
}

#create a target group for the load balancer and set up a health check
resource "aws_lb_target_group" "serviceB-internal-lb-tg" {
  name     = "serviceB-int-lb-tg"
  port = 81
  protocol = "TCP"
  vpc_id = "${aws_vpc.default.id}"
  target_type = "instance"

  health_check {
    protocol = "HTTP"
    port = "8181"
    path = "/"
  }
}

#attach a load balancer to the target group
resource "aws_lb_target_group_attachment" "attach-serviceB-tg-to-internal-nlb" {
  target_group_arn = "${aws_lb_target_group.serviceB-internal-lb-tg.arn}"
  port = 8181
  target_id = "${aws_instance.serviceB-1a.id}"
}

# Create Security Groups
resource "aws_security_group_rule" "serviceB_from_serviceB-lb" {
  type                     = "ingress"
  from_port                = 81
  to_port                  = 81
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.allow-all-traffic-for-internal-nlb.id}"
  security_group_id        = "${aws_security_group.serviceB-sg.id}"
}

resource "aws_security_group_rule" "serviceB_nlb_to_serviceB" {
  type                     = "egress"
  from_port                = 81
  to_port                  = 81
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.serviceB-sg.id}"
  security_group_id        = "${aws_security_group.allow-all-traffic-for-internal-nlb.id}"
}
####
resource "aws_security_group" "serviceB-sg" {
  name = "${var.environment}-serviceB-sg"
  description = "${var.environment} serviceB security group"
  vpc_id = "${aws_vpc.default.id}"
  ingress {
    from_port = 8181
    to_port = 8181
    protocol = "tcp"
    cidr_blocks = ["10.61.110.0/24"]
  }
}

内部负载均衡器在端口 81 上侦听,ServiceB 实例在端口 8181 上运行。外部和内部 NLB 以及两个服务位于一个子网中。当我检查内部负载均衡器目标组的健康状态时,我得到一个健康检查失败。什么会导致这种情况发生?

标签: amazon-web-servicesnetworkingamazon-ec2load-balancingnlb

解决方案

推荐阅读