Issue Summary

I would like to set up a Redash instance in a private subnet, but it didn’t work well. The instance status check is “1/2 failed”. The question is whether there is some necessary setting in addition to the settings introduced on the website (https://redash.io/help/open-source/setup).

For your information, if I place the redash instance on the public subnet, it works well.

Technical details:

AMI: ami-060741a96307668be

EC2 size: t2.small

The private subnet has a NAT Gateway.

The CloudFormation template is below. (I removed parameters because those were kind of secret information. The parameters are correct because I checked those parameters with the public subnet. So please check the other parts. Thank you.)

AWSTemplateFormatVersion: '2010-09-09'
Description: This template is used for creating redash analysis foundation
Resources:
  ####################################################################################################
  #### NetWork Setting
  ####################################################################################################
  RedashInstancePrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref PrivateSubnetACidrBlock
      VpcId: !Ref VpcId
  PrivateSubnetARoute:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateSubnetRouteTable
      SubnetId: !Ref RedashInstancePrivateSubnetA
  PrivateSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId
  NATGatewayForPrivateSubnetA:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NATGatewayAEIP.AllocationId
      SubnetId: !Ref RedashALBPublicSubnetA
  NATGatewayAEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  PrivateARoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NATGatewayForPrivateSubnetA
  RedashALBPublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref PublicSubnetACidrBlock
      VpcId: !Ref VpcId
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId
  PublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Sub ${InternetGatewayId}
  PublicSubnetARoute:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref RedashALBPublicSubnetA
  ####################################################################################################
  #### Re:dash EC2 Instance
  ####################################################################################################
  RedashInstance:
    Type: AWS::EC2::Instance
    Properties:
      LaunchTemplate:
        LaunchTemplateId: !Ref RedashInstanceLaunchTemplate
        Version: !GetAtt RedashInstanceLaunchTemplate.LatestVersionNumber
      SubnetId: !Ref RedashInstancePrivateSubnetA
  RedashInstanceLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: redash-isntance-lt
      LaunchTemplateData:
        SecurityGroupIds:
          - !Ref RedashInstanceSecurityGroup
        ImageId: ami-060741a96307668be
        InstanceType: t2.small
  RedashInstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: This Security Group is used for Re:dash Instance
      GroupName: redash-instance-sg
      SecurityGroupIngress:
          - IpProtocol: tcp
            FromPort: 80
            ToPort: 80
            SourceSecurityGroupId: !Ref RedashALBSecurityGroup
      VpcId: !Ref VpcId

Following Marcin's comment, I tried the template below, but it did not work well; the EC2 status check shows '1/2 failed'.

AWSTemplateFormatVersion: '2010-09-09'
Description: This template is used for creating redash analysis foundation
Resources:
  ####################################################################################################
  #### NetWork Setting
  ####################################################################################################

  RedashInstancePrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: ap-northeast-1a
      CidrBlock: 172.18.0.0/24
      VpcId: <VPCID>
      Tags:
        - Key: Name
          Value: Private

  PrivateSubnetARoute:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateSubnetRouteTable
      SubnetId: !Ref RedashInstancePrivateSubnetA


  PrivateSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
        VpcId: <VPCID>

  NATGatewayForPrivateSubnetA:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NATGatewayAEIP.AllocationId
      SubnetId: !Ref RedashALBPublicSubnetA

  NATGatewayAEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  PrivateARoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NATGatewayForPrivateSubnetA

  RedashALBPublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: ap-northeast-1a
      CidrBlock: 172.18.2.0/24
      VpcId: <VPCID>
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: <VPCID>

  PublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: <INTERNETGATEWAYID>

  PublicSubnetARoute:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref RedashALBPublicSubnetA
  ####################################################################################################
  #### Re:dash EC2 Instance
  ####################################################################################################
  RedashInstance:
    Type: AWS::EC2::Instance
    Properties:
      LaunchTemplate:
        LaunchTemplateId: !Ref RedashInstanceLaunchTemplate
        Version: !GetAtt RedashInstanceLaunchTemplate.LatestVersionNumber
      SubnetId: !Ref RedashInstancePrivateSubnetA

  RedashInstanceLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: redash-isntance-lt
      LaunchTemplateData:
        SecurityGroupIds:
          - !Ref RedashInstanceSecurityGroup
        ImageId: ami-060741a96307668be
        InstanceType: t2.small

  RedashInstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: This Security Group is used for Re:dash Instance
      GroupName: redash-instance-sg
      SecurityGroupIngress:
          - IpProtocol: tcp
            FromPort: 80
            ToPort: 80
            CidrIp: 0.0.0.0/0
            #SourceSecurityGroupId: !Ref RedashALBSecurityGroup
      VpcId: <VPCID>
  • The template is incomplete. You are using `VpcId` but it's not defined anywhere, nor passed as a parameter. Same for `InternetGatewayId`. – Marcin Nov 22 '20 at 09:46
  • Sorry, I just removed those parameters because those are kind of secret information. I will add this explanation to my post, thank you. – 斯波隼斗 Nov 22 '20 at 09:48

1 Answer

I modified the template so that it works. I can only test in us-east-1 in my sandbox account, so I made changes for that region. You need to modify it further as your template is incomplete and I had to fill out a lot of blanks.

The template works and provisions the instance (from curl):

<div class="fixed-width-page">
  <div class="bg-white tiled">
    <h4 class="m-t-0">Welcome to Redash!</h4>
    <div>Before you can use your instance, you need to do a quick setup.</div>

Full working template:

AWSTemplateFormatVersion: '2010-09-09'
Description: This template is used for creating redash analysis foundation
Resources:
  ####################################################################################################
  #### NetWork Setting
  ####################################################################################################

  VpcId:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'

  RedashInstancePrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a #ap-northeast-1a
      CidrBlock: "10.0.1.0/24"
      VpcId: !Ref VpcId
      Tags:
        - Key: Name
          Value: Private      

  PrivateSubnetARoute:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateSubnetRouteTable
      SubnetId: !Ref RedashInstancePrivateSubnetA


  PrivateSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
        VpcId: !Ref VpcId
  

  NATGatewayForPrivateSubnetA:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NATGatewayAEIP.AllocationId
      SubnetId: !Ref RedashALBPublicSubnetA

  NATGatewayAEIP:
    DependsOn: IGWAttachment
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  PrivateARoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NATGatewayForPrivateSubnetA

  RedashALBPublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a #ap-northeast-1a
      CidrBlock: 10.0.0.0/24
      VpcId: !Ref VpcId
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId

  InternetGatewayId:      
    Type: AWS::EC2::InternetGateway
    Properties: {}

  IGWAttachment:    
    Type: AWS::EC2::VPCGatewayAttachment
    Properties: 
      InternetGatewayId: !Ref InternetGatewayId
      VpcId: !Ref VpcId
      #VpnGatewayId: String    

  PublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGatewayId

  PublicSubnetARoute:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref RedashALBPublicSubnetA
  ####################################################################################################
  #### Re:dash EC2 Instance
  ####################################################################################################
  RedashInstance:
    Type: AWS::EC2::Instance
    Properties:
      LaunchTemplate:
        LaunchTemplateId: !Ref RedashInstanceLaunchTemplate
        Version: !GetAtt RedashInstanceLaunchTemplate.LatestVersionNumber
      SubnetId: !Ref RedashInstancePrivateSubnetA

  RedashInstanceLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: redash-isntance-lt
      LaunchTemplateData:
        SecurityGroupIds:
          - !Ref RedashInstanceSecurityGroup
        ImageId: ami-0d915a031cabac0e0 #ami-060741a96307668be
        InstanceType: t2.small

  RedashInstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: This Security Group is used for Re:dash Instance
      GroupName: redash-instance-sg
      SecurityGroupIngress:
          - IpProtocol: tcp
            FromPort: 80
            ToPort: 80
            CidrIp: 0.0.0.0/0
            #SourceSecurityGroupId: !Ref RedashALBSecurityGroup
      VpcId: !Ref VpcId
Marcin
  • Thank you for this information. When I try this template, it didn't work well, and the status check shows '1/2 failed'. I will add the template I used to this post. If you find out some problem, please tell me. – 斯波隼斗 Nov 22 '20 at 13:23
  • @斯波隼斗 The template works fine. The instance passes all status checks. If it fails, then it must be something wrong with your environment or changes you are introducing. – Marcin Nov 22 '20 at 22:51
  • Thank you for the reply. When I recreated the VPC and InternetGateway, your template worked fine! I'm not sure of the cause of this problem, but really thank you for your help – 斯波隼斗 Nov 23 '20 at 07:38
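
The question's templates take the VPC and internet gateway from outside the stack, while the answer's template creates both and attaches them with `IGWAttachment`. The following added example (not code from the thread or from Redash) walks the private subnet's egress path, subnet to NAT gateway to internet gateway to VPC attachment, and reports the first link it cannot confirm. It assumes a JSON-form template (`{"Ref": ...}` nodes); `RESOURCES` is a constructed subset of the answer's resources, and the function names are hypothetical.

```python
# Added example (not from the thread): static check of a private subnet's egress path.
# RESOURCES is a constructed JSON-form subset of the answer's template.
def ref(v):
    """Logical ID behind {"Ref": id}; literal IDs are returned unchanged."""
    return v.get("Ref") if isinstance(v, dict) else v

def props(res, rtype):
    return [r.get("Properties", {}) for r in res.values() if r["Type"] == rtype]

def default_route(res, subnet):
    """The 0.0.0.0/0 route in the route table associated with subnet, or None."""
    tables = {ref(a["RouteTableId"])
              for a in props(res, "AWS::EC2::SubnetRouteTableAssociation")
              if ref(a["SubnetId"]) == subnet}
    for r in props(res, "AWS::EC2::Route"):
        if ref(r["RouteTableId"]) in tables and r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r
    return None

def egress_findings(res, subnet):
    """Reasons the subnet -> NAT -> internet gateway path cannot be confirmed."""
    route = default_route(res, subnet) or {}
    nat = ref(route.get("NatGatewayId"))
    if nat not in res:
        return [f"{subnet}: no default route to a NAT gateway in this template"]
    nat_subnet = ref(res[nat]["Properties"]["SubnetId"])
    igw = ref((default_route(res, nat_subnet) or {}).get("GatewayId"))
    if igw is None:
        return [f"{nat_subnet}: NAT subnet has no default route to an internet gateway"]
    if igw not in res:
        return [f"{igw}: defined outside the template, check its attachment in the account"]
    vpc = ref(res.get(nat_subnet, {}).get("Properties", {}).get("VpcId"))
    for a in props(res, "AWS::EC2::VPCGatewayAttachment"):
        if ref(a.get("InternetGatewayId")) == igw and ref(a.get("VpcId")) == vpc:
            return []
    return [f"{igw}: not attached to {vpc}"]

def R(name): return {"Ref": name}
def ec2(rtype, **p): return {"Type": "AWS::EC2::" + rtype, "Properties": p}
RESOURCES = {
    "PrivateSubnetARoute": ec2("SubnetRouteTableAssociation", RouteTableId=R("PrivateSubnetRouteTable"), SubnetId=R("RedashInstancePrivateSubnetA")),
    "PrivateARoute": ec2("Route", RouteTableId=R("PrivateSubnetRouteTable"), DestinationCidrBlock="0.0.0.0/0", NatGatewayId=R("NATGatewayForPrivateSubnetA")),
    "NATGatewayForPrivateSubnetA": ec2("NatGateway", SubnetId=R("RedashALBPublicSubnetA")),
    "RedashALBPublicSubnetA": ec2("Subnet", VpcId=R("VpcId"), CidrBlock="10.0.0.0/24"),
    "PublicSubnetARoute": ec2("SubnetRouteTableAssociation", RouteTableId=R("PublicRouteTable"), SubnetId=R("RedashALBPublicSubnetA")),
    "PublicRoute": ec2("Route", RouteTableId=R("PublicRouteTable"), DestinationCidrBlock="0.0.0.0/0", GatewayId=R("InternetGatewayId")),
    "InternetGatewayId": ec2("InternetGateway"),
    "IGWAttachment": ec2("VPCGatewayAttachment", InternetGatewayId=R("InternetGatewayId"), VpcId=R("VpcId")),
}
```

When the gateway or VPC ID comes from a parameter or a literal, as in the question's templates, the check stops at "defined outside the template", because the attachment then exists only in the account and not in the stack.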