Problem reaching an internal ASG from an ELB

Stack Overflow user
Asked on 2020-12-07 07:43:31
1 answer · 44 views · 0 followers · 0 votes

I am getting 502 errors from the ALB.

My VPC and routing:

```hcl
resource "aws_vpc" "My_VPC" {
  cidr_block           = "${var.vpcCIDRblock}"
  instance_tenancy     = "${var.instanceTenancy}"
  enable_dns_support   = "true"
  enable_dns_hostnames = "true"
  tags = {
    Name = "My VPC"
  }
}

# Public subnet: hosts the NAT gateway and is one of the two ALB subnets
resource "aws_subnet" "Public_Subnet" {
  vpc_id                  = "${aws_vpc.My_VPC.id}"
  cidr_block              = "${var.subnetCIDRblock}"
  map_public_ip_on_launch = "true"
  availability_zone       = "eu-central-1a"
  tags = {
    Name = "My Public Subnet"
  }
}

# Second public subnet, intended for the ALB
resource "aws_subnet" "Public_Subnet_elb" {
  vpc_id                  = "${aws_vpc.My_VPC.id}"
  cidr_block              = "${var.subnetCIDRblock4}"
  map_public_ip_on_launch = "true"
  availability_zone       = "eu-central-1"
  tags = {
    Name = "My Public Subnet ELB"
  }
}

# Private subnet: the ASG instances live here, with no public IPs
resource "aws_subnet" "Private_Subnet" {
  vpc_id                  = "${aws_vpc.My_VPC.id}"
  cidr_block              = "172.16.2.0/24"
  map_public_ip_on_launch = "false"
  availability_zone       = "$eu-central-1a"
  tags = {
    Name = "My_Private_Subnet"
  }
}

resource "aws_internet_gateway" "My_VPC_GW" {
  vpc_id = "${aws_vpc.My_VPC.id}"

  tags = {
    Name = "My VPC Internet Gateway"
  }
}

# Public route table: default route via the Internet Gateway
resource "aws_route_table" "eu-central-1a" {
  vpc_id = "${aws_vpc.My_VPC.id}"
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = "${aws_internet_gateway.My_VPC_GW.id}"
  }

  tags = {
    Name = "Public Subnet"
  }
}

# Make the public route table the VPC's main route table
resource "aws_main_route_table_association" "public" {
  vpc_id         = "${aws_vpc.My_VPC.id}"
  route_table_id = "${aws_route_table.eu-central-1a.id}"
}

resource "aws_route_table_association" "eu-central-1a-public" {
  subnet_id      = "${aws_subnet.Public_Subnet.id}"
  route_table_id = "${aws_route_table.eu-central-1a.id}"
}

resource "aws_route_table_association" "elb" {
  subnet_id      = "${aws_subnet.Public_Subnet_elb.id}"
  route_table_id = "${aws_route_table.eu-central-1a.id}"
}

# NAT gateway in the public subnet gives the private subnet outbound-only internet access
resource "aws_eip" "eip" {
  vpc        = true
  depends_on = ["aws_internet_gateway.My_VPC_GW"]
}

resource "aws_nat_gateway" "gateway" {
  allocation_id = "${aws_eip.eip.id}"
  subnet_id     = "${aws_subnet.Public_Subnet.id}"
  depends_on    = ["aws_internet_gateway.My_VPC_GW"]
}

output "NAT_GW_IP" {
  value = "${aws_eip.eip.public_ip}"
}

## Routing table

# Private route table: default route via the NAT gateway
resource "aws_route_table" "private_route_table" {
  vpc_id = "${aws_vpc.My_VPC.id}"
}

resource "aws_route" "private" {
  route_table_id         = "${aws_route_table.private_route_table.id}"
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = "${aws_nat_gateway.gateway.id}"
}

# Associate subnet private_subnet to private route table
resource "aws_route_table_association" "private_subnet_association" {
  subnet_id      = "${aws_subnet.Private_Subnet.id}"
  route_table_id = "${aws_route_table.private_route_table.id}"
}
```

Every security group allows inbound traffic on ports 80, 443 and 22; outbound is open to 0.0.0.0/0.

ELB

```hcl
# Internet-facing ALB spread over the two public subnets
resource "aws_lb" "test" {
  name               = "test-lb-tf"
  internal           = false
  load_balancer_type = "application"
  security_groups    = ["${aws_security_group.elb-security.id}"]
  subnets            = ["${aws_subnet.Public_Subnet_elb.id}", "${aws_subnet.Public_Subnet.id}"]

  enable_deletion_protection = false
  depends_on                 = ["aws_nat_gateway.gateway"]
  access_logs {
    bucket  = "test-listener"
    prefix  = "test-lb"
    enabled = true
  }

  tags = {
    Environment = "production"
  }
}

# Target group the ASG registers its instances into; health-checked on HTTP / over port 80
resource "aws_lb_target_group" "test" {
  name                 = "moodle-tg"
  port                 = "80"
  protocol             = "HTTP"
  vpc_id               = aws_vpc.My_VPC.id
  target_type          = "instance"
  deregistration_delay = "300"
  health_check {
    path                = "/"
    interval            = "300"
    port                = "80"
    matcher             = "200"
    protocol            = "HTTP"
    timeout             = "10"
    healthy_threshold   = "10"
    unhealthy_threshold = "10"
  }
}

resource "aws_lb_listener" "front_end" {
  load_balancer_arn = aws_lb.test.arn
  port              = "80"
  protocol          = "HTTP"
  depends_on        = ["aws_nat_gateway.gateway"]
  default_action {
    target_group_arn = "${aws_lb_target_group.test.arn}"
    type             = "forward"
  }
}

resource "aws_lb_listener_rule" "asg-listener_rule" {
  listener_arn = aws_lb_listener.front_end.arn
  priority     = 100
  depends_on   = ["aws_nat_gateway.gateway"]
  condition {
    path_pattern {
      values = ["/"]
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.test.arn
  }
}
```

ASG

```hcl
resource "aws_launch_configuration" "moodle-lc" {
  name_prefix     = "moodle-lc-"
  image_id        = "${data.aws_ami.centos.id}"
  instance_type   = "${var.instance}"
  security_groups = ["${aws_security_group.web_ubuntu1.id}"]
  key_name        = "moodle_agents"
  user_data       = "${file("init-agent-instance.sh")}"
  depends_on      = ["aws_nat_gateway.gateway"]
  lifecycle {
    create_before_destroy = true
  }
}

# ASG in the private subnet only; instance health is taken from the ALB target group
resource "aws_autoscaling_group" "moodle-agents" {
  vpc_zone_identifier       = ["${aws_subnet.Private_Subnet.id}"]
  name                      = "agents"
  max_size                  = "20"
  min_size                  = "1"
  health_check_grace_period = 300
  health_check_type         = "ELB"
  desired_capacity          = 2
  target_group_arns         = ["${aws_lb_target_group.test.arn}"]
  force_delete              = true
  launch_configuration      = "${aws_launch_configuration.moodle-lc.name}"
  depends_on                = ["aws_nat_gateway.gateway"]
  lifecycle {
    create_before_destroy = true
  }
  tag {
    key                 = "Name"
    value               = "Agent Instance"
    propagate_at_launch = true
  }
}
```

The user_data script just installs the Apache web server and starts it.

I read this article, link, and my code looks the same to me. Can someone explain where I went wrong?

Without the NAT gateway (and with the ASG in the public subnet) everything works fine, but putting an ALB in front of instances that are already reachable from the internet makes no sense.

1 Answer

Stack Overflow user

Answered on 2020-12-07 08:24:11

Your overall architecture is correct, although a few errors remain:

  1. Wrong AZ:

```hcl
 availability_zone       = "$eu-central-1a"
```

  2. Wrong AZ again:

```hcl
 availability_zone       = "eu-central-1"
```

The ALB must be in two different AZs; you probably want "eu-central-1a" and "eu-central-1b".

Votes: 0
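The two AZ mistakes above are easy to miss by eye, so here is a small static checker, added as an illustration and not code from the original post or the answer. It models the subnets, the ALB's subnet list and the target-group health check as plain Python objects (a constructed copy of the question's values; the CIDRs of the two variable-driven subnets are placeholders chosen here), then flags AZ strings that are not well-formed names in the region, an ALB that does not span two distinct AZs, and, as an extra caveat, a health check whose warm-up time (healthy_threshold × interval, 10 × 300 s = 3000 s as posted) exceeds the ASG's 300 s grace period. Treating that last comparison as a finding is an assumed rule of thumb, not an AWS rule.

```python
"""Static sanity checks for an internet-facing ALB fronting an ASG in a private subnet.

Added illustration for the question above; not code from the original post. The
Terraform values are copied by hand into Python objects rather than parsed from HCL.
"""
import re
from dataclasses import dataclass
from typing import List

# A real AZ name is the region prefix plus one trailing letter, e.g. "eu-central-1a".
AZ_RE = re.compile(r"^([a-z]{2}-[a-z]+-\d)([a-z])$")


@dataclass(frozen=True)
class Subnet:
    name: str
    cidr: str
    az: str  # the availability_zone string exactly as written in Terraform


@dataclass(frozen=True)
class HealthCheck:
    interval: int            # seconds between checks
    timeout: int             # seconds allowed per check
    healthy_threshold: int   # consecutive passes before a target receives traffic
    unhealthy_threshold: int


def bad_az_names(subnets: List[Subnet], region: str) -> List[str]:
    """One message per subnet whose availability_zone is not a well-formed AZ in `region`.

    A literal "$eu-central-1a" (no "${}" interpolation, so the "$" is kept) or a bare
    region "eu-central-1" both fail here, which is what the two mistakes in the question are.
    """
    problems = []
    for s in subnets:
        m = AZ_RE.match(s.az)
        if m is None:
            problems.append(f"{s.name}: '{s.az}' is not an AZ name (expected e.g. '{region}a')")
        elif m.group(1) != region:
            problems.append(f"{s.name}: '{s.az}' is not in region {region}")
    return problems


def alb_distinct_azs(alb_subnets: List[Subnet]) -> int:
    """Number of distinct, well-formed AZs the ALB's subnets span; an ALB needs at least 2."""
    return len({s.az for s in alb_subnets if AZ_RE.match(s.az)})


def seconds_until_healthy(hc: HealthCheck) -> int:
    """A newly registered target must pass healthy_threshold consecutive checks, spaced
    `interval` seconds apart, before the ALB forwards requests to it."""
    return hc.healthy_threshold * hc.interval


def check_layout(all_subnets, alb_subnets, region, hc, asg_grace_period) -> List[str]:
    """Collect every finding; an empty list means the layout passes these checks."""
    findings = bad_az_names(all_subnets, region)
    n = alb_distinct_azs(alb_subnets)
    if n < 2:
        findings.append(f"ALB subnets span {n} distinct AZ(s); an ALB requires at least 2")
    warm_up = seconds_until_healthy(hc)
    if warm_up > asg_grace_period:
        # Assumed rule of thumb: a target that cannot be healthy before the ASG's ELB
        # health-check grace period expires deserves a second look.
        findings.append(f"targets need {warm_up}s to become healthy; ASG grace period is {asg_grace_period}s")
    return findings


# Constructed copy of the question's values (placeholder CIDRs for the two var-driven subnets).
AS_POSTED = {
    "public": Subnet("Public_Subnet", "172.16.0.0/24", "eu-central-1a"),
    "public_elb": Subnet("Public_Subnet_elb", "172.16.1.0/24", "eu-central-1"),
    "private": Subnet("Private_Subnet", "172.16.2.0/24", "$eu-central-1a"),
}
HC_AS_POSTED = HealthCheck(interval=300, timeout=10, healthy_threshold=10, unhealthy_threshold=10)

# Same layout with the two AZ strings repaired as the answer suggests, plus a faster health check.
FIXED = {
    "public": Subnet("Public_Subnet", "172.16.0.0/24", "eu-central-1a"),
    "public_elb": Subnet("Public_Subnet_elb", "172.16.1.0/24", "eu-central-1b"),
    "private": Subnet("Private_Subnet", "172.16.2.0/24", "eu-central-1a"),
}
HC_FIXED = HealthCheck(interval=30, timeout=10, healthy_threshold=3, unhealthy_threshold=3)


def findings_as_posted() -> List[str]:
    s = AS_POSTED
    return check_layout(list(s.values()), [s["public_elb"], s["public"]], "eu-central-1", HC_AS_POSTED, 300)


def findings_fixed() -> List[str]:
    s = FIXED
    return check_layout(list(s.values()), [s["public_elb"], s["public"]], "eu-central-1", HC_FIXED, 300)


if __name__ == "__main__":
    for f in findings_as_posted():
        print("as posted:", f)
    print("fixed:", findings_fixed() or "no findings")
```

Run as posted it reports four findings (two malformed AZ strings, an ALB spanning only one AZ, and the 3000 s warm-up); with the answer's AZ fix and a tighter health check it reports none. The same regex-and-set logic can be pointed at `terraform show -json` output once the subnets are in state.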
Page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link: https://stackoverflow.com/questions/65174315