Creating an ELB load balancer with private subnet instances in a VPC

I was facing massive issues with an ELB configuration which had the following setup:

  • All instances were part of an AWS VPC
  • Three subnets, one public, two private
  • Both private subnets contained the web containers (tomcat), in two different availability zones

The issue that I was facing was that whatever I did, the LB wasn’t routing requests to my instances. The initial configuration was such that my ELB nodes were placed in the same (private) subnets as my tomcat instances. As such, curl against the instances themselves always worked, but not against the ELB’s public address.

After some frustrating googling, I came up with the solution:

1. The nodes of an Internet-facing ELB cannot be launched in a private subnet, i.e. a subnet whose default route (0.0.0.0/0) points to a NAT instance rather than to the VPC’s Internet Gateway. The ELB nodes need a subnet with an Internet Gateway route, otherwise the public address is never reachable.

2. Conversely, you need to set up public subnets which “shadow” your private subnets, one in each of the same respective availability zones. In my case, I had two private subnets (10.0.1.x and 10.0.2.x); I created two public subnets (10.0.10.x and 10.0.20.x) to accommodate the ELB nodes.

3. You need to get the route tables right: associate the new public subnets with a route table whose default route points to the Internet Gateway, and leave the original private subnets on the route table whose default route points to the NAT instance. No extra route is needed between the public and private subnets, since every VPC route table carries a “local” route for the VPC’s CIDR block. You can set this up in VPC -> Subnets. Here’s an example:

[Screenshot: Screen Shot 2014-09-11 at 11.32.56]

In your subnet view, it should look like this:

[Screenshot: Screen Shot 2014-09-26 at 09.00.19]


Remember that the public shadow subnets (10.0.10.x and 10.0.20.x) are associated with the public route table (default route to the Internet Gateway), while the private subnets (10.0.1.x and 10.0.2.x) stay on the route table whose default route points to the NAT instance.

4. You also need to adjust your security groups. The ELB’s security group must accept the listener port (80 or 443) from the Internet, and the security group on your tomcat instances in the private subnets must accept the application port from the ELB. In a VPC you can name the ELB’s security group as the source of that rule instead of opening the port to the whole shadow subnet CIDR; that keeps the application port closed to anything else that later lands in those public subnets.

When you’ve done all that, you can create your ELB. If you already have an ELB that doesn’t work, delete it: Amazon will not properly clean up ELB nodes in private subnets and you’ll end up with more nodes than you asked for, some of them not working.
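To make the four steps concrete, here is an added Python example (not code from the original post) that checks a VPC layout for exactly the conditions above: it classifies each subnet as public or private from its default route, finds a public shadow subnet in the same availability zone for every private tomcat subnet (that is where the ELB node has to go), and verifies that the tomcat security group admits the application port from the ELB’s security group rather than from a CIDR. It works over dicts in the shape returned by `aws ec2 describe-subnets`, `describe-route-tables` and `describe-security-groups`, so the real JSON can be fed in; the subnet, route table, instance, gateway and security group IDs, the CIDRs, the AZ names and the function names are all constructed for this example.

```python
"""Offline check of the 'shadow public subnet' ELB layout described above.

Added example, not code from the original post. Classifies subnets as
public/private from their default route, picks a public subnet in the same
AZ for each private backend subnet (the ELB node's home), and checks the
backend security group admits the app port from the ELB's security group.
All IDs, CIDRs and AZ names below are constructed sample data.
"""

# Constructed sample data mirroring the post: 10.0.1.x/10.0.2.x private, 10.0.10.x/10.0.20.x public.
SUBNETS = [
    {"SubnetId": "subnet-priv-a", "CidrBlock": "10.0.1.0/24", "AvailabilityZone": "eu-west-1a"},
    {"SubnetId": "subnet-priv-b", "CidrBlock": "10.0.2.0/24", "AvailabilityZone": "eu-west-1b"},
    {"SubnetId": "subnet-pub-a", "CidrBlock": "10.0.10.0/24", "AvailabilityZone": "eu-west-1a"},
    {"SubnetId": "subnet-pub-b", "CidrBlock": "10.0.20.0/24", "AvailabilityZone": "eu-west-1b"},
]
ROUTE_TABLES = [
    # Main table: default route via the NAT instance, so subnets left on it are private.
    {"RouteTableId": "rtb-private",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0nat00000"}],
     "Associations": [{"Main": True}]},
    # Public table: default route via the Internet Gateway; the shadow subnets sit here.
    {"RouteTableId": "rtb-public",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000"}],
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}]},
]
# Tomcat security group: port 8080 only from the ELB's security group, not from a CIDR.
TOMCAT_SG = {"GroupId": "sg-tomcat", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "UserIdGroupPairs": [{"GroupId": "sg-elb"}]}]}
BACKEND_SUBNETS = ["subnet-priv-a", "subnet-priv-b"]


def default_route_target(route_table):
    """Return 'igw', 'nat' or None depending on where 0.0.0.0/0 is sent."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId") or route.get("InstanceId"):
            return "nat"  # NAT gateway or NAT instance: outbound only, no public ingress
    return None

def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def classify_subnets(subnets, route_tables):
    """Map subnet id -> 'public' (IGW default route) or 'private' (anything else)."""
    kinds = {}
    for s in subnets:
        rt = route_table_for(s["SubnetId"], route_tables)
        kinds[s["SubnetId"]] = "public" if rt and default_route_target(rt) == "igw" else "private"
    return kinds

def elb_subnet_plan(subnets, route_tables, backend_subnet_ids):
    """Return (plan, problems): plan maps AZ -> public subnet for the ELB node;
    problems lists backends that are not private and AZs lacking a shadow subnet."""
    kinds = classify_subnets(subnets, route_tables)
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    plan, problems = {}, []
    for sid in backend_subnet_ids:
        az = az_of[sid]
        if kinds[sid] != "private":
            problems.append(f"{sid} has an Internet Gateway default route; it is not private")
        public_here = [s["SubnetId"] for s in subnets
                       if s["AvailabilityZone"] == az and kinds[s["SubnetId"]] == "public"]
        if public_here:
            plan[az] = public_here[0]
        else:
            problems.append(f"no public subnet in {az} for the ELB node fronting {sid}")
    return plan, problems

def sg_allows_from_group(group, port, source_group_id):
    """True if `group` has a TCP ingress rule covering `port` whose source is source_group_id."""
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo = perm.get("FromPort", 0) if proto == "tcp" else 0  # "-1" (all) carries no ports
        hi = perm.get("ToPort", 65535) if proto == "tcp" else 65535
        sources = {p.get("GroupId") for p in perm.get("UserIdGroupPairs", [])}
        if lo <= port <= hi and source_group_id in sources:
            return True
    return False

def run_check(subnets=SUBNETS, route_tables=ROUTE_TABLES, backend=BACKEND_SUBNETS):
    """Apply all three checks and return (plan, problems, backend_sg_ok)."""
    plan, problems = elb_subnet_plan(subnets, route_tables, backend)
    return plan, problems, sg_allows_from_group(TOMCAT_SG, 8080, "sg-elb")
```

With the sample layout `run_check()` returns one public subnet per availability zone and no problems. Dropping the 10.0.20.x shadow subnet from `SUBNETS` reproduces the situation the post started from, an availability zone with tomcat instances but no public subnet to hold an ELB node, and the check names that zone instead of leaving you to guess why the ELB never routes.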

These are screenshots describing the relevant sections of the ELB creation process:

[Screenshot: Screen Shot 2014-09-03 at 09.38.40]

[Screenshot: Screen Shot 2014-09-03 at 09.38.04]

This entry was posted in Distributed Computing.

14 Responses to Creating an ELB load balancer with private subnet instances in a VPC

  1. Chris Rowley says:

    Very helpful…!!!

  2. Can you please post a picture of your subnet screen? I think that would help me out tremendously with the same problem I have. Thank you!

  3. Thank you for posting that! That picture is directing to a different pic. I do have a question if you don’t mind. I have an instance within a private subnet that I want my public subnet to reach and dish out web pages with a load balancer. I think I’m on the right track as I can add my private subnet to the load balancer and it renders pages from a public web browser but if I place the public subnet to the load balancer it doesn’t render anything. How can I setup a load balancer that reaches the public subnet which in turn renders the pages from my private subnet? Thank you for any assistance you may be able to provide.

  4. itellity says:

    Hi Daniel,

    Just to understand your setup:

    You have a private subnet instance from which a public subnet instance pulls and post-processes data? That content should then be accessible from the Internet?

    If that’s the case, you’ll need to set up two ELBs, one internal and one external (you’ll see an option for that during set up). The internal ELB will point to your private subnet, the public instance will access that internal ELB, the public ELB will point to your public instance.

    One important thing: ELBs are basically EC2 instances in their own right with a web server on them which acts as a reverse proxy (basically like Apache mod_proxy); Amazon spawns those in the subnet specified during set up. The issue is to make sure that routing and security groups are configured properly.

  5. Itellity, thank you for the response. This did help me figure it out. Thanks again!

  6. But if I place the ELB in a public subnet of its own and then connect it to private subnets, will the above “shadow public instances” still be required?

    • itellity says:

      That’s basically the equivalent approach; you need to make sure that your public subnet is in the same availability zone. In my case, I had to create a new subnet specifically for one of the two zones; I chose the shadow subnet approach for clarity.

  7. So have you run in to the scenario where your servers in the public subnet also need access to the internet? I am having trouble hooking up ELB while also allowing public subnet servers in my VPC access to the internet.

  8. Carrie says:

    It’s very helpful! I solved my elb problem.

  9. Hem Raj says:

    I have a question: if I create an ELB in a public subnet for Internet-facing traffic and two application servers in different AZs with auto scaling, can I connect these app servers to the ELB without shadows? Will it work fine?

  10. sumant says:

    If you are using an Internet-facing ELB, attach only public subnets to the ELB.
    If your instance is in a private subnet, also attach public subnets in the same availability zone as your private instance to the Internet-facing ELB.
