Is there health check url I can use in Boundary?

Hi, I’m trying to attach an ALB to Boundary Controllers. However, I can’t find an API that I can use as a health check path. Any suggestions?

resource "aws_lb" "boundary" {
  name               = "boundary"
  load_balancer_type = "application"
  internal           = false
  subnets            = data.terraform_remote_state.network.outputs.tokyo_vpc_main.public_subnet_ids

}

resource "aws_lb_listener" "boundary_http" {
  load_balancer_arn = aws_lb.boundary.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = 443
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb_listener" "boundary_https" {
  load_balancer_arn = aws_lb.boundary.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = "MYARN"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.boundary.arn
  }
}

resource "aws_lb_target_group" "boundary" {
  name     = "boundary"
  port     = 9200
  protocol = "HTTP"
  vpc_id   = data.terraform_remote_state.network.outputs.tokyo_vpc_main.vpc_id
}

resource "aws_lb_target_group_attachment" "boundary" {
  count            = var.num_controllers
  target_group_arn = aws_lb_target_group.boundary.arn
  target_id        = aws_instance.controller[count.index].id
  port             = 9200
}

resource "aws_security_group" "controller_lb" {
  vpc_id = data.terraform_remote_state.network.outputs.tokyo_vpc_main.vpc_id

}

resource "aws_security_group_rule" "allow_9200" {
  type              = "ingress"
  from_port         = 9200
  to_port           = 9200
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.controller_lb.id
}

We don’t have a steadfast health check endpoint yet, but you can use the root path on the controller API server as we do here.

Did you ever get this to work? I get unhealthy status (Request timed out) on port 9200 from the ALB. I can access just fine over the controller’s EIP so it’s a health check issue. I’m using a self signed cert but a search shows that ALB doesn’t do any kind of cert validation. Maybe TLS version incompatibility (Boundary only supports 1.3)? I’m not sure.

You could have your health check not verify the CA when performing the check.

From my research it doesn’t appear the load balancer target group health check even validates the CA. And indeed, the AWS Terraform documentation doesn’t indicate a setting for that: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group#health_check

Sadly, the AWS Load Balancer documentation states that there is no way to get any error messages from the health check service either for troubleshooting purposes. So I really have no idea why it doesn’t work. My only idea is that maybe the health check doesn’t support TLS 1.3 (or there is a cipher suite mismatch), which Boundary only uses, if I understand correctly.

Ouch! I feel your pain. It’s probably too much of a hassle for you to roll your own load balancer (like HAProxy) for you to control. It can perform TLS 1.3 checks.

Actually, health checks don’t work even over HTTP. Has anyone succeeded in using AWS Application Load Balancer for Boundary controllers?

EDIT: My load balancer was missing its egress rule, which caused all health checks to fail. Sadly, HTTPS health checks still don’t work.

Boundary does not require TLS 1.3 but defaults to a min version of 1.2 and max of 1.3. You can set those values yourself (TCP - Listeners - Configuration | Boundary by HashiCorp) if you want to try lower TLS levels. You can also change allowed ciphers if you want to.

I don’t have any concrete advice but tweaking those various parameters may help.
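Pulling the thread's pieces together as an added example (not code from the original post or from HashiCorp): a target group that health-checks the controller's root path over HTTPS, the egress rule the load balancer security group was missing, and a Boundary listener stanza with the TLS range stated explicitly. It assumes the resource names from the question above; the egress CIDR and certificate paths are placeholders.

```hcl
# --- Terraform: target group with an HTTPS health check on "/" ---
resource "aws_lb_target_group" "boundary" {
  name     = "boundary"
  port     = 9200
  protocol = "HTTPS"   # the controller API listener serves TLS by default
  vpc_id   = data.terraform_remote_state.network.outputs.tokyo_vpc_main.vpc_id

  health_check {
    enabled             = true
    protocol            = "HTTPS"
    path                = "/"             # root of the controller API server
    port                = "traffic-port"
    matcher             = "200"
    interval            = 30
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}

# Without an egress rule the ALB cannot reach any target, so every check
# times out no matter what TLS settings are in play.
resource "aws_security_group_rule" "lb_egress_9200" {
  type              = "egress"
  from_port         = 9200
  to_port           = 9200
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/16"]   # placeholder: the controllers' subnet only
  security_group_id = aws_security_group.controller_lb.id
}

# --- Boundary controller config (boundary.hcl, not Terraform) ---
# Explicit TLS bounds. Keep the floor at tls12: dropping it to satisfy a
# health checker would weaken every client connection, not just the probe.
listener "tcp" {
  address         = "0.0.0.0:9200"
  purpose         = "api"
  tls_disable     = false
  tls_cert_file   = "/etc/boundary/controller-cert.pem"   # placeholder path
  tls_key_file    = "/etc/boundary/controller-key.pem"    # placeholder path
  tls_min_version = "tls12"
  tls_max_version = "tls13"
}
```

If the check still reports unhealthy after this, narrowing the ingress rule on port 9200 to the ALB's security group (rather than 0.0.0.0/0) and tailing the controller's listener logs for the probe's TLS handshake is a cheaper next step than lowering the TLS floor.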