Configuration in AWS
External ALB -> VM-Series 300 (in 2 AZs) -> Internal ALB -> webserver
The target group of the external ALB shows unhealthy for port http/80
External NLB -> VM-Series 300 (in 2 AZs) -> Internal NLB -> webserver
The target group of the external NLB shows healthy for port tcp/80 consistently
Why is the external ALB target group showing unhealthy? Randomly it goes healthy and then toggles.
Security Groups are open to all on the untrusted interface.
Watch your routes on the firewall. The ALB fires its health probes cross zone. If you are using DHCP on your interfaces, ensure that only your Untrust interface is configured to import the Default route. You will then want to put a static route for any internal subnets that are not directly connected to your Trust interface subnet pointing to the first IP of your trust subnet.
Additionally, configure a static DNS server on your management interface, set to the second IP address of the VPC CIDR. We had an issue in older versions of 8.1 where we were not importing the DHCP assigned DNS server.
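A way to check the routing point from the reply above before posting a route table: resolve each relevant peer against the firewall's table with a longest-prefix match and confirm it leaves on the interface you expect. This is an added example, not code from the thread or from Palo Alto Networks; the route table, interface names (ethernet1/1 as Untrust, ethernet1/2 as Trust) and peer addresses are constructed for illustration. It shows the two failure modes the reply describes: a cross-zone internal subnet with no static route falling through to the Untrust default route, and a second default route imported by DHCP on the Trust interface.

```python
import ipaddress

# Constructed VM-Series route table for an ALB sandwich. Prefixes, next hops and
# interface names are example values, not taken from the thread.
UNTRUST_IF = "ethernet1/1"
TRUST_IF = "ethernet1/2"

GOOD_ROUTES = [
    ("0.0.0.0/0",   "10.0.0.1", UNTRUST_IF),  # default route, imported on Untrust only
    ("10.0.0.0/24", "0.0.0.0",  UNTRUST_IF),  # Untrust subnet, directly connected
    ("10.0.1.0/24", "0.0.0.0",  TRUST_IF),    # Trust subnet in this AZ, directly connected
    ("10.0.2.0/24", "10.0.1.1", TRUST_IF),    # static: other AZ's trust-side subnet via first IP of trust subnet
]

# Same table without the static route: the other AZ's internal subnet now hits the default route.
MISSING_STATIC = [r for r in GOOD_ROUTES if r[0] != "10.0.2.0/24"]

# Same table with a second default route, as a DHCP-enabled Trust interface would import.
TWO_DEFAULTS = GOOD_ROUTES + [("0.0.0.0/0", "10.0.1.1", TRUST_IF)]


def lookup(routes, ip):
    """Longest-prefix match over the table; returns (network, next_hop, interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def check_egress(routes, expectations):
    """expectations maps a peer IP to the interface its traffic must leave on.
    Returns problems as (ip, matched_prefix, actual_interface, expected_interface)."""
    problems = []
    for ip, expected_if in expectations.items():
        match = lookup(routes, ip)
        actual_if = match[2] if match else None
        if actual_if != expected_if:
            problems.append((ip, str(match[0]) if match else None, actual_if, expected_if))
    return problems


def default_routes(routes):
    """Every 0.0.0.0/0 entry; more than one means an interface is importing a default it should not."""
    return [r for r in routes if ipaddress.ip_network(r[0]).prefixlen == 0]


# Constructed peers: external ALB nodes in both AZs (probes arrive and must return via Untrust)
# and internal ALB nodes in both AZs (DNAT targets that must be reached via Trust).
EXPECTATIONS = {
    "10.0.0.50": UNTRUST_IF,  # external ALB node, same AZ as this firewall
    "10.0.3.50": UNTRUST_IF,  # external ALB node, other AZ (cross-zone health probe)
    "10.0.1.20": TRUST_IF,    # internal ALB node, same AZ
    "10.0.2.20": TRUST_IF,    # internal ALB node, other AZ
}

if __name__ == "__main__":
    for name, table in (("good", GOOD_ROUTES), ("missing static", MISSING_STATIC), ("two defaults", TWO_DEFAULTS)):
        print(name, "| egress problems:", check_egress(table, EXPECTATIONS),
              "| default routes:", len(default_routes(table)))
```

With the static route missing, the internal ALB node in the other AZ is reported as leaving via Untrust, which is exactly the asymmetric path that makes the external ALB's health check flap; the duplicate default route is flagged separately because longest-prefix matching alone cannot tell the two apart.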
The addresses are static and the default routes are correct. We use the transit gateway to connect to other accounts. In addition using an NLB in a sandwich mode works without issues.
Are you using FQDN DNAT objects for NLB and ALB? ALB IP addresses change more frequently which is why I mention the static configuration of the DNS servers. Feel free to post your Route Table from the firewall for review.