Help Center/ Elastic Load Balance/ User Guide (Kuala Lumpur Region)/ FAQ/ Service Abnormality/ Why Can't I Access My Backend Servers Through a Load Balancer?
Updated on 2024-04-19 GMT+08:00

Why Can't I Access My Backend Servers Through a Load Balancer?

Symptom

This FAQ provides guidance for you to troubleshoot the following problems:

  • Backend servers cannot be accessed through a load balancer.
  • You can access the load balancer from a private IP address, but not from a public IP address.
  • Backend servers are considered unhealthy.

Background

Figure 1 shows how clients access backend servers through a load balancer.

  1. The public network load balancer uses an EIP to receive traffic over the Internet, while the private network load balancer receives traffic from within the VPC.
  2. The load balancer receives incoming traffic using the frontend protocol and port configured for the listener.
  3. The listener checks the health of backend servers. Only healthy backend servers can receive traffic from the listener.
  4. The listener forwards the traffic to backend servers based on their weights and the listening rules.

Generally, the problem is probably caused by an access control issue (the parts in yellow) or a health check setting (the green parts).

Troubleshooting should start with backend servers, then move on to the load balancer, and finally to the clients.

Figure 1 How clients access backend servers through a load balancer

Troubleshooting Process

Figure 2 Troubleshooting process
  1. Check whether the backend server can be accessed directly. Use the client to access the backend server and verify that the backend server configuration and application configuration are correct.
  2. Check whether the health check is enabled on the console.
  3. Check whether the health check result of the backend server on the console. If the backend server is unhealthy, the load balancer will not route traffic to it.
  4. Check whether the weight and port of the backend server are correctly configured on the console.
  5. Check whether access control is enabled and the IP address of the client is allowed to access the listener on the console.

Step 1: Check Whether the Backend Server Can Be Accessed Directly

Use a client to access the backend server to determine whether the fault is caused by the load balancer or backend server. To do so, ensure that the network ACL rules allow communications between the client and backend server.

  • Clients on the public network: Bind an EIP to the backend server. After the verification is complete, release the EIP.
  • Clients on the private network: No EIP is required. If the client is in another VPC, set up a VPC peering connection.

If the fault persists, go to Step 2: Check Whether the Health Check Is Enabled.

Step 2: Check Whether the Health Check Is Enabled

If the client can access the backend server directly, check whether the health check is enabled. If the health check is enabled but the backend server is detected unhealthy, the load balancer will not route traffic to it.

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Hover on in the upper left corner to display Service List and choose Network > Elastic Load Balance.
  4. Click the name of the load balancer.
  5. On the Listeners tab page, check whether the health check is enabled.

Step 3: Check Whether the Backend Server Is Healthy

If the health check is enabled but the backend server is detected unhealthy, the load balancer will not route traffic to it.

If the fault persists, go to Step 4: Check Whether the Backend Server Configuration Is Correct.

Step 4: Check Whether the Backend Server Configuration Is Correct

  1. Choose Backend Server Groups > Backend Servers to view the backend server parameters:
    • Weight: If the weight is set to 0, traffic will not be forwarded to the server.
    • Backend port: It must be the same as the port used by the backend server.
  2. On the Listeners tab page, locate the TCP or UDP listener and check whether Transfer Client IP Address is enabled.
    • If this function is enabled, the load balancer uses the IP address of the client to access the backend server. In this case, configure security group and firewallnetwork ACL rules to allow access from this IP address.

      In addition, if this function is enabled, a server cannot be used as both the client and the backend server. This is because the backend server determines that the packet is sent by a local host based on the source IP address and will not return the response packet to the load balancer.

    • If this function is disabled, verify that the security group allows traffic from the corresponding IP address range to the backend server.

If the fault persists, go to Step 5: Check Whether Access Control Is Enabled.

Step 5: Check Whether Access Control Is Enabled

On the Summary tab page of the listener, check whether access control is enabled and the client is allowed to access the listener.