A company has a production environment running on AWS. The environment includes an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application is deployed using AWS CodeDeploy with a blue/green deployment strategy. Recently, the deployment started failing because the new instances do not pass the health checks configured on the ALB. The health check path is '/health'. The developer has verified that the application starts correctly and responds to the health check on the new instances when accessed directly via the instance's private IP. However, the health checks from the ALB are failing. The security group for the ALB allows inbound traffic on port 80 from 0.0.0.0/0, and the security group for the EC2 instances allows inbound traffic on port 80 from the ALB's security group. The VPC has both public and private subnets. The Auto Scaling group launches instances in private subnets. The ALB is in public subnets. What is the MOST likely cause of the health check failure?
Network ACLs are stateless and can block traffic even if security groups allow it.
Why this answer
Option A is correct because the ALB's health checks originate from the load balancer nodes' own IP addresses in the public subnets. The instance security group allows traffic from the ALB's security group, as it must, so the security groups are not the problem. The most likely cause is therefore a restrictive network ACL on the private subnets that blocks the inbound health-check traffic arriving from the ALB's subnets.
Option B is wrong because the application works when accessed directly. Option C is wrong because the health check path is correct. Option D is wrong because the ALB is in public subnets and can reach private instances via NAT if needed.
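The stateless behaviour behind the correct answer is easy to model. The following added example (not part of the question page; subnet CIDRs, rule numbers and the ALB node IP are constructed assumptions) evaluates a private-subnet network ACL the way AWS does, lowest rule number first with an implicit deny, and shows that an ALB health check needs both an inbound allow for port 80 from the ALB's subnet and an outbound allow for the reply on the ephemeral port range, since a NACL does not track connections the way a security group does.

```python
from ipaddress import ip_address, ip_network

# Constructed sample network ACL for the private subnets. Rule numbers and CIDRs
# are assumptions, not values from the question. Rules match lowest-number-first,
# the first hit wins, and anything unmatched falls through to the implicit "*" deny.
ALB_SUBNET = "10.0.1.0/24"          # assumed public subnet hosting the ALB nodes
INBOUND = [
    {"rule": 100, "action": "allow", "cidr": ALB_SUBNET, "ports": (80, 80)},
]
OUTBOUND_BROKEN = [
    # Only HTTPS egress allowed: health-check replies on ephemeral ports are dropped.
    {"rule": 100, "action": "allow", "cidr": "0.0.0.0/0", "ports": (443, 443)},
]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    # The instance's reply to the ALB goes to an ephemeral port on the ALB node, so a
    # stateless NACL needs an explicit outbound allow for 1024-65535 to the ALB subnet.
    {"rule": 110, "action": "allow", "cidr": ALB_SUBNET, "ports": (1024, 65535)},
]


def evaluate(rules, peer_ip, port):
    """Return (rule_number, action) of the first rule matching peer_ip and port."""
    for r in sorted(rules, key=lambda r: r["rule"]):
        lo, hi = r["ports"]
        if ip_address(peer_ip) in ip_network(r["cidr"]) and lo <= port <= hi:
            return r["rule"], r["action"]
    return "*", "deny"


def health_check_allowed(inbound, outbound, alb_ip, ephemeral_port=49152):
    """A stateless NACL must allow BOTH halves of the health-check TCP flow:
    the request (ALB -> instance:80) and the reply (instance:80 -> ALB:ephemeral)."""
    request = evaluate(inbound, alb_ip, 80)
    reply = evaluate(outbound, alb_ip, ephemeral_port)
    return {"request": request, "reply": reply,
            "allowed": request[1] == "allow" and reply[1] == "allow"}


if __name__ == "__main__":
    for name, rules in (("broken", OUTBOUND_BROKEN), ("fixed", OUTBOUND_FIXED)):
        print(name, health_check_allowed(INBOUND, rules, "10.0.1.25"))
```

Run against a real account, the same check would be fed the subnet's NACL entries from `aws ec2 describe-network-acls` and the ALB node addresses from the ALB's network interfaces.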