Is there health check url I can use in Boundary?

Boundary
1

Hi, I’m trying to attach ALB to Boundary Controllers. However, I can’t find a API that I can use as a health check path. Any suggestions ?

resource "aws_lb" "boundary" {
  name               = "boundary"
  load_balancer_type = "application"
  internal           = false
  subnets            = data.terraform_remote_state.network.outputs.tokyo_vpc_main.public_subnet_ids

}

resource "aws_lb_listener" "boundary_http" {
  load_balancer_arn = aws_lb.boundary.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type             = "redirect"
		
		redirect {
      port = 443
			protocol = "HTTPS"
			status_code = "HTTP_301"
		}
  }
}

resource "aws_lb_listener" "boundary_https" {
  load_balancer_arn = aws_lb.boundary.arn
  port              = "443"
  protocol          = "HTTPS"
	ssl_policy        = "ELBSecurityPolicy-2016-08"
	certificate_arn   = "MYARN"

  default_action {
    type             = "forward"
		target_group_arn = aws_lb_target_group.boundary.arn
  }
}

resource "aws_lb_target_group" "boundary" {
  name     = "boundary"
  port     = 9200
  protocol = "HTTP"
  vpc_id   = data.terraform_remote_state.network.outputs.tokyo_vpc_main.vpc_id
}

resource "aws_lb_target_group_attachment" "boundary" {
  count            = var.num_controllers
  target_group_arn = aws_lb_target_group.boundary.arn
  target_id        = aws_instance.controller[count.index].id
  port             = 9200
}

resource "aws_security_group" "controller_lb" {
  vpc_id = data.terraform_remote_state.network.outputs.tokyo_vpc_main.vpc_id

}

resource "aws_security_group_rule" "allow_9200" {
  type              = "ingress"
  from_port         = 9200
  to_port           = 9200
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.controller_lb.id
}
2

We don’t have a steadfast health check endpoint yet, but you can use the root path on the controller API server as we do here.

3

Did you ever get this to work? I get unhealthy status (Request timed out) on port 9200 from the ALB. I can access just fine over the controller’s EIP so it’s a health check issue. I’m using a self signed cert but a search shows that ALB doesn’t do any kind of cert validation. Maybe TLS version incompatibility (Boundary only supports 1.3)? I’m not sure.

4

You could have your healthcheck not verify the ca when performing the check.

5

From my research it doesn’t appear the load balancer target group health check even validates the CA. And indeed, the AWS Terraform documentation doesn’t indicate a setting for that: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group#health_check

Sadly, the AWS Load Balancer documentation states that there is no way to get any error messages from the health check service either for troubleshooting purposes. So I really have no idea why it doesn’t work. My only idea is that maybe the health check doesn’t support TLS 1.3 (or there is a cipher suite mismatch), which Boundary only uses, if I understand correctly.

6

Ouch! I feel your pain. It’s probably too much of a hassle for you to roll your own loadbalancer (like HAProxy) for you to control. It can perform TLS 1.3 checks.

7

Actually, health checks don’t work even over HTTP. Has anyone succeeding in using AWS Application Load Balancer for Boundary controllers??

EDIT: My load balancer was missing its egress rule, which caused all health checks to fail. Sadly, HTTPS health checks still don’t work :frowning:

8

Boundary does not require TLS 1.3 but defaults to a min version of 1.2 and max of 1.3. You can set those values yourself (TCP - Listeners - Configuration | Boundary by HashiCorp) if you want to try lower TLS levels. You can also change allowed ciphers if you want to.

I don’t have any concrete advice but tweaking those various parameters may help.