Help Center/ Elastic Load Balance/ FAQs/ ELB Use/ Service Abnormality/ Why Can't I Access My Backend Servers Through a Load Balancer?
Updated on 2023-03-30 GMT+08:00

Why Can't I Access My Backend Servers Through a Load Balancer?

Symptom

This FAQ provides guidance for you to troubleshoot the following problems:

  • Backend servers cannot be accessed through a load balancer.
  • You can access the load balancer from a private IP address, but not from a public IP address.
  • Backend servers are considered unhealthy.

Background

Figure 1 shows how clients access backend servers through a load balancer.

  1. The public network load balancer uses an EIP to receive traffic over the Internet, while the private network load balancer receives traffic from within the VPC.
  2. The load balancer receives incoming traffic using the frontend protocol and port configured for the listener.
  3. The listener checks the health of backend servers. Only healthy backend servers can receive traffic from the listener.
  4. The listener forwards the traffic to backend servers based on their weights and the listening rules.

Generally, the problem is probably caused by an access control issue (the parts in yellow) or a health check setting (the green parts).

Troubleshooting should start with backend servers, then move on to the load balancer, and finally to the clients.

Figure 1 How clients access backend servers through a load balancer

Troubleshooting Process

Figure 2 Troubleshooting process
  1. Check whether the backend server can be accessed directly. Use the client to access the backend server and verify that the backend server configuration and application configuration are correct.
  2. Check whether the health check is enabled on the console.
  3. Check whether the health check result of the backend server on the console. If the backend server is unhealthy, the load balancer will not route traffic to it.
  4. Check whether the weight and port of the backend server are correctly configured on the console.
  5. Check whether access control is enabled and the IP address of the client is allowed to access the listener on the console.

Step 1: Check Whether the Backend Server Can Be Accessed Directly

Use a client to access the backend server to determine whether the fault is caused by the load balancer or backend server. To do so, ensure that the network ACL rules allow network communication between the client and backend server are enabled.

  • Clients on the public network: Bind an EIP to the backend server. After the verification is complete, release the EIP.
  • Clients on the private network: No EIP is required. If the client is in another VPC, set up a VPC peering connection.

If the fault persists, go to Step 2: Check Whether the Health Check Is Enabled.

Step 2: Check Whether the Health Check Is Enabled

If the client can access the backend server directly, check whether the health check is enabled. If the health check is enabled but the backend server is detected unhealthy, the load balancer will not route traffic to it.

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Hover on in the upper left corner to display Service List and choose Networking > Elastic Load Balance.
  4. Click the name of the load balancer.
  5. On the Backend Server Groups tab page, check whether the health check is enabled.
    • If the health check is enabled, go to Step 3: Check Whether the Backend Server Is Healthy.
    • If the health check is not enabled:
      • Shared load balancers: Check whether the security group rules of the backend servers and network ACL rules allow traffic from 100.125.0.0/16.
      • Dedicated load balancers: Check whether the backend security group rules allow access from the VPC CIDR block where the ELB backend subnet works.

      This CIDR block is used by ELB to access backend servers and has no security risks. If traffic is allowed but the fault persists, go to Step 4: Check Whether the Backend Server Configuration Is Correct.

    • Load balancers: If IP as a Backend is not enabled for a load balancer that has a TCP or UDP listener, there is no need to configure security group rules and Network ACL rules to allow traffic from the backend subnet where the load balancer is deployed to the backend servers.

Step 3: Check Whether the Backend Server Is Healthy

If the health check is enabled but the backend server is detected unhealthy, the load balancer will not route traffic to it. Locate the listener, click the Backend Server Groups tab on the right, and view the health check result of the backend server.

If the fault persists, go to Step 4: Check Whether the Backend Server Configuration Is Correct.

Step 4: Check Whether the Backend Server Configuration Is Correct

  1. Locate the listener, click the Backend Server Groups tab on the right, and view the backend server parameters. Note the following parameters:
    • Weight: If the weight is set to 0, traffic will not be forwarded to the server.
    • Backend port: It must be the same as the port used by the backend server.
  2. On the Listeners tab page, locate the TCP or UDP listener and check whether Transfer Client IP Address is enabled.
    • If this function is enabled, the load balancer uses the IP address of the client to access the backend server. In this case, configure security group and network ACL rules to allow access from this IP address.

      In addition, if this function is enabled, a server cannot be used as both the client and the backend server. This is because the backend server determines that the packet is sent by a local host based on the source IP address and will not return the response packet to the load balancer.

    • If this function is disabled, verify that the security group allows traffic from the corresponding IP address range to the backend server.
      • Ensure that the security group allows traffic from the backend subnet where the load balancer resides to the backend server.

If the fault persists, go to Step 5: Check Whether Access Control Is Enabled.

Step 5: Check Whether Access Control Is Enabled

On the Basic Information tab page of the listener, check whether access control is enabled and the client is allowed to access the listener.

Submit a Service Ticket

If the problem persists, submit a service ticket.