Why Can't I Access My Backend Servers Through a Load Balancer?
Symptom
This FAQ provides guidance for you to troubleshoot the following problems:
- Backend servers cannot be accessed through a load balancer.
- You can access the load balancer from a private IP address, but not from a public IP address.
- Backend servers are considered unhealthy.
Background
Figure 1 shows how clients access backend servers through a load balancer.
- The public network load balancer uses an EIP to receive traffic over the Internet, while the private network load balancer receives traffic from within the VPC.
- The load balancer receives incoming traffic using the frontend protocol and port configured for the listener.
- The listener checks the health of backend servers. Only healthy backend servers can receive traffic from the listener.
- The listener forwards the traffic to backend servers based on their weights and the listening rules.
Generally, the problem is probably caused by an access control issue (the parts in yellow) or a health check setting (the green parts).
Troubleshooting should start with backend servers, then move on to the load balancer, and finally to the clients.
Troubleshooting Process
- Check whether the backend server can be accessed directly. Use the client to access the backend server and verify that the backend server configuration and application configuration are correct.
- Check whether the health check is enabled on the console.
- Check whether the health check result of the backend server on the console. If the backend server is unhealthy, the load balancer will not route traffic to it.
- Check whether the weight and port of the backend server are correctly configured on the console.
- Check whether access control is enabled and the IP address of the client is allowed to access the listener on the console.
Step 1: Check Whether the Backend Server Can Be Accessed Directly
Use a client to access the backend server to determine whether the fault is caused by the load balancer or backend server. To do so, ensure that the network ACL rules allow communications between the client and backend server.
- Clients on the public network: Bind an EIP to the backend server. After the verification is complete, release the EIP.
- Clients on the private network: No EIP is required. If the client is in another VPC, set up a VPC peering connection.
If the fault persists, go to Step 2: Check Whether the Health Check Is Enabled.
Step 2: Check Whether the Health Check Is Enabled
If the client can access the backend server directly, check whether the health check is enabled. If the health check is enabled but the backend server is detected unhealthy, the load balancer will not route traffic to it.
- Log in to the management console.
- In the upper left corner of the page, click and select the desired region and project.
- Click in the upper left corner to display Service List and choose Networking > Elastic Load Balance.
- Click the name of the load balancer.
- On the Listeners tab, check whether the health check is enabled.
- If the health check is enabled, go to Step 3: Check Whether the Backend Server Is Healthy.
- If the health check is not enabled:
- Shared load balancers: Check whether the security group rules of the backend servers and network ACL rules allow traffic from 100.125.0.0/16.
- Dedicated load balancers: Check whether the backend security group rules allow access from the VPC CIDR block where the ELB backend subnet works.
This CIDR block is used by ELB to access backend servers and has no security risks. If traffic is allowed but the fault persists, go to Step 4: Check Whether the Backend Server Configuration Is Correct.
- Shared load balancers: If Transfer Client IP Address is enabled for a TCP or UDP listener, there is no need to configure security group rules and Network ACL rules to allow traffic from 100.125.0.0/16 and client IP addresses to backend servers.
- Dedicated load balancers: If IP as a Backend is not enabled for a load balancer that has a TCP or UDP listener, there is no need to configure security group rules and Network ACL rules to allow traffic from the backend subnet where the load balancer is deployed to the backend servers.
Step 3: Check Whether the Backend Server Is Healthy
If the health check is enabled but the backend server is detected unhealthy, the load balancer will not route traffic to it.
- If the backend server is unhealthy, rectify the fault by referring to How Do I Troubleshoot an Unhealthy Backend Server?
- If the backend server is healthy, go to Step 4: Check Whether the Backend Server Configuration Is Correct.
If the fault persists, go to Step 4: Check Whether the Backend Server Configuration Is Correct.
Step 4: Check Whether the Backend Server Configuration Is Correct
- Choose Backend Server Groups > Backend Servers to view the backend server parameters:
- Weight: If the weight is set to 0, traffic will not be forwarded to the server.
- Backend port: It must be the same as the port used by the backend server.
- On the Listeners tab, locate the TCP or UDP listener and check whether Transfer Client IP Address is enabled.
- If this function is enabled, the load balancer uses the IP address of the client to access the backend server. In this case, configure security group and network ACL rules to allow access from this IP address.
In addition, if this function is enabled, a server cannot be used as both the client and the backend server. This is because the backend server determines that the packet is sent by a local host based on the source IP address and will not return the response packet to the load balancer.
- If this function is disabled, verify that the security group allows traffic from the corresponding IP address range to the backend server.
- Dedicated load balancers: Ensure that the security group allows traffic from the backend subnet where the dedicated load balancer resides to the backend server.
- Shared load balancers: Ensure that the security group allows traffic from 100.125.0.0/16 to the backend server.
- If this function is enabled, the load balancer uses the IP address of the client to access the backend server. In this case, configure security group and network ACL rules to allow access from this IP address.
If the fault persists, go to Step 5: Check Whether Access Control Is Enabled.
Step 5: Check Whether Access Control Is Enabled
On the Summary tab of the listener, check whether access control is enabled and the client is allowed to access the listener.
Submit a Service Ticket
If the problem persists, submit a service ticket.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot