How can I resolve the errors that I received for the failing CloudWatch canary I created in my VPC?

4 minute read

My Amazon CloudWatch canary in a virtual private cloud (VPC) receives an error and fails.

Short description

Creating a canary in a VPC also creates an AWS Lambda function with an elastic network interface in the specified VPC subnets. These elastic network interfaces have no public IP addresses by default, even if they're added to public subnets. To write logs to Amazon Simple Storage Service (Amazon S3) and publish data points to CloudWatch, the canary must have access to the following endpoints:

  • Amazon S3 endpoint
  • CloudWatch Monitoring endpoint

If your canary has problems accessing either of these endpoints, then you receive one of the following error messages:

  • TimeoutError: Navigation Timeout Exceeded:30000ms exceeded: You receive this error if a response from your monitored endpoint exceeds the timeout period that's configured for the page.goto method. For example, suppose that your configuration is "const response = await page.goto(URL, {waitUntil: 'domcontentloaded', timeout: 30000});". Because the timeout is 30 seconds, a response that exceeds 30 seconds results in this error.
    -or-
    You also receive this error if a security group, network access control list (ACL), or route table doesn't allow access to the canary's endpoint.
  • No test result returned. Connection timed out after 30000ms and No artifacts were uploaded: You receive these errors if your canary can't reach the CloudWatch Monitoring endpoint or the Amazon S3 endpoint. If there are no data points in the canary metrics, then your canary doesn't have access to CloudWatch Monitoring. If there are data points in the canary metrics, then your canary has access to CloudWatch Monitoring but not to Amazon S3. Note that 30000ms reflects the timeout period that's configured on the canary.

At any point, you can test your canary's internet connectivity with the VPC Reachability Analyzer.

Resolution

Resolve "Navigation timeout" errors

Confirm that the security group and network ACL that apply to the canary meet these requirements:

  • The security group must have an outbound rule that allows connections to the IP address of the monitored endpoint on the configured port.
  • It must allow outbound traffic to port 443. Note that Amazon S3 and CloudWatch Monitoring endpoints are reachable through HTTPS. If necessary, add an outbound rule using HTTPS (TCP port 443) for Type and 0.0.0.0/0 for Destination.
  • The network ACL in the canary subnet must allow both inbound and outbound access.
    For inbound access: Allow return traffic from the source address and port of your endpoint to the ephemeral port range. Allow return traffic from 0.0.0.0/0 on port 443 to the ephemeral port range.
    For outbound access: Allow traffic to the destination address and port of your endpoint. Allow traffic to 0.0.0.0/0 on port 443.
  • Confirm that your endpoint responds within the configured timeout period.

To measure your endpoint's response time, run the following command:

time curl http(s)://[your Endpoint IP/DNS]:Port

In the canary code, increase the heartbeat timeout (the timeout option that's passed to page.goto) so that it exceeds your endpoint's response time:

const response = await page.goto(URL, {waitUntil: 'domcontentloaded', timeout: 30000});

Resolve "No artifacts were uploaded" or "No test result returned" errors

Add the canary to private subnets whose route table sends 0.0.0.0/0 traffic to a network address translation (NAT) gateway or NAT instance:

1.    Create a NAT gateway.

2.    Update the route table of the canary's private subnet. For information on using a NAT gateway as the target of a route, see Routing to a NAT device.

-or-

Add the canary to private subnets with the VPC endpoints for Amazon S3 and CloudWatch Monitoring:

1.    Create a gateway endpoint for the Amazon S3 endpoint.
Note: For Service name, search for Amazon S3, and then select com.amazonaws.region.s3.

2.    Create an interface endpoint for the CloudWatch Monitoring endpoint.
Note: For Service name, search for monitoring, and then select com.amazonaws.[region].monitoring. Be sure to select the Enable DNS name check box.
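The following is an added example, not code from the AWS article: an offline checker for the two private-subnet fixes above. It reads the dict shapes that boto3's ec2.describe_route_tables() and ec2.describe_vpc_endpoints() return and reports whether the canary's subnet can reach Amazon S3 and CloudWatch Monitoring through a NAT default route or through VPC endpoints. The route table, endpoint and subnet IDs in the sample data are constructed.

```python
# Added example (not from the AWS article): offline checker for the two private-subnet
# fixes, using the dict shapes boto3's describe_route_tables/describe_vpc_endpoints return.

def route_table_for_subnet(route_tables, subnet_id):
    """Table explicitly associated with subnet_id, else the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def has_nat_default_route(rt):
    """True if an active 0.0.0.0/0 route targets a NAT gateway or NAT instance."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("State", "active") == "active"
               and (r.get("NatGatewayId") or r.get("InstanceId"))
               for r in rt.get("Routes", []))

def diagnose(route_tables, endpoints, region, subnet_id):
    """Return {'s3': verdict, 'monitoring': verdict} for the canary's subnet."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return {"s3": "MISSING: no route table", "monitoring": "MISSING: no route table"}
    if has_nat_default_route(rt):
        return {"s3": "ok: NAT default route", "monitoring": "ok: NAT default route"}
    # A gateway endpoint only helps if it is attached to this subnet's route table.
    s3_ok = any(ep.get("ServiceName") == f"com.amazonaws.{region}.s3"
                and ep.get("VpcEndpointType") == "Gateway"
                and rt.get("RouteTableId") in ep.get("RouteTableIds", [])
                for ep in endpoints)
    # The interface endpoint needs private DNS so the SDK's default hostname resolves to it.
    mon_ok = any(ep.get("ServiceName") == f"com.amazonaws.{region}.monitoring"
                 and ep.get("VpcEndpointType") == "Interface"
                 and ep.get("PrivateDnsEnabled") is True
                 and ep.get("VpcId") == rt.get("VpcId")
                 for ep in endpoints)
    return {"s3": "ok: S3 gateway endpoint" if s3_ok else "MISSING: S3 gateway endpoint or NAT route",
            "monitoring": "ok: monitoring interface endpoint" if mon_ok
            else "MISSING: monitoring interface endpoint (with private DNS) or NAT route"}

# Constructed sample: local route only, S3 gateway endpoint attached, no monitoring
# endpoint, so artifacts upload but no metric data points appear (second error above).
SAMPLE_ROUTE_TABLES = [{"RouteTableId": "rtb-private", "VpcId": "vpc-canary",
    "Associations": [{"SubnetId": "subnet-canary"}],
    "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}]
SAMPLE_ENDPOINTS = [{"ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Gateway",
    "VpcId": "vpc-canary", "RouteTableIds": ["rtb-private"]}]
```

Run diagnose() against real API output by passing response["RouteTables"] and response["VpcEndpoints"] from the two describe calls for the canary's VPC.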

AWS OFFICIAL
Updated a year ago