AWS ALB routing working for one availability zone with single target


I have set up a peering connection from one of our AWS accounts to another. Additionally, I introduced a private hosted zone that resolves to a private application load balancer that is supposed to route the incoming traffic to a single instance in one availability zone. Since the ALB requires two subnet associations, I created two private subnets in the VPC that each can route traffic to and from the peering connection and across all subnets within that VPC. The instance itself is directly attached to a public subnet. The ALB has one listener that routes traffic to the target group with the single instance based on the host header.

The issue I am having is that the ALB exposes two nodes (i.e. IP addresses) and the connection to the instance only works for one of them (i.e. through one private subnet which is in the same availability zone as the public network that the instance is connected to).

So the flow should be as follows:

  1. Request from EC2 in first AWS Account
  2. Request hits the Route 53 DNS server in the second account
  3. EC2 receives the two IP addresses of the ALB in the second AWS account
  4. EC2 makes request through peering connection to ALB
  5. ALB evaluates the single target in the target group
  6. ALB routes traffic to the target EC2 in the second AWS account

As far as I understand, all subnets in a VPC can be reached from any other subnet within that same VPC across availability zones. The ALB should also be able to route traffic to availability zones which have healthy targets. I also tried to disable cross-zone load balancing on the target group, but without luck. Where am I getting it wrong here? Any suggestions are much appreciated.

**Reason for this architecture:** We have an instance that we reach from a publicly available ALB but also need to connect to from the other AWS account. To prevent having to directly connect to the IP, I wanted to set up an internal domain.

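A per-node check for the situation described in the question, added here as an example (it is not code from the original post, and it assumes a hypothetical internal name `app.internal.example` and plain HTTP on port 80). The ALB name resolves to one node IP per enabled availability zone; the script sends the same request with the same Host header to every node separately, so the two failure modes the post blurs together can be told apart. A node that does not accept the TCP connection at all points at the network path to that node's subnet (route table entry for the peering CIDR, NACL, or the ALB security group), because the listener rule is identical on both nodes. A node that accepts the connection but answers 502/503/504 has been reached fine and is failing on the hop to the target (instance security group not allowing the ALB subnets, target health, or cross-zone load balancing; with cross-zone disabled at the target group, a node only forwards to targets in its own AZ, so disabling it cannot help a single-AZ target).

```python
"""Probe each node of an internal ALB individually with the same Host header.

Added example, not from the original post. The name and IPs below are
hypothetical; run with the real hosted-zone name as the first argument.
"""
import socket
import sys
from typing import Callable, Dict, List

# An opener sends one request payload to ip:port and returns the raw reply.
Opener = Callable[[str, int, bytes, float], bytes]


def build_request(host_header: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request; Host is what the listener rule matches on."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host_header}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_status(raw: bytes) -> int:
    """Return the numeric status code from the first line of an HTTP reply."""
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line[:40]!r}")
    return int(parts[1])


def tcp_opener(ip: str, port: int, payload: bytes, timeout: float) -> bytes:
    """Send one request and read until the peer closes (Connection: close)."""
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sock.sendall(payload)
        chunks: List[bytes] = []
        while len(chunks) < 64:  # a status line is all we need
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)


def resolve_nodes(name: str) -> List[str]:
    """All IPv4 addresses the resolver returns: one ALB node per enabled AZ."""
    infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify(status: int) -> str:
    """502/503/504 come from the ALB node itself when it cannot use a target."""
    return "lb_error" if status in (502, 503, 504) else "ok"


def probe_node(ip: str, host_header: str, port: int = 80,
               timeout: float = 3.0, opener: Opener = tcp_opener) -> Dict:
    """Probe one node; 'unreachable' means the node did not answer at all."""
    try:
        status = parse_status(opener(ip, port, build_request(host_header), timeout))
        return {"ip": ip, "state": classify(status), "status": status, "error": None}
    except (OSError, ValueError) as exc:  # socket timeout/refused, or garbage reply
        return {"ip": ip, "state": "unreachable", "status": None,
                "error": f"{type(exc).__name__}: {exc}"}


def probe_all(host_header: str, ips: List[str],
              opener: Opener = tcp_opener) -> Dict[str, str]:
    """Map each node IP to 'ok', 'lb_error' or 'unreachable'."""
    return {r["ip"]: r["state"] for r in (probe_node(ip, host_header, opener=opener) for ip in ips)}


def diagnose(states: Dict[str, str]) -> str:
    """One-line reading of the per-node result, in terms of where to look next."""
    unreachable = [ip for ip, s in states.items() if s == "unreachable"]
    lb_errors = [ip for ip, s in states.items() if s == "lb_error"]
    if unreachable and len(unreachable) < len(states):
        return ("path to node(s) %s broken: check that subnet's route table entry for the "
                "peering CIDR, its NACL, and the ALB security group" % ", ".join(unreachable))
    if unreachable:
        return "no node answers: check the peering route to the ALB subnets and the ALB security group"
    if lb_errors:
        return ("node(s) %s reached but cannot use the target: check the instance security "
                "group, target health, and cross-zone load balancing" % ", ".join(lb_errors))
    return "all nodes answer from the target"


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "app.internal.example"  # hypothetical
    states = probe_all(name, resolve_nodes(name))
    for ip, state in states.items():
        print(f"{ip}: {state}")
    print(diagnose(states))
```

Run it from the EC2 instance in the first account, since that is the side whose path through the peering connection is in question; running it from inside the second VPC would exercise a different route table.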