Troubleshooting Health Checks

Troubleshooting health checks by blocking IP address ranges

Under certain circumstances, it's useful to purposefully fail health checks. You might need to force a particular VM to fail health checks as part of a troubleshooting activity, or you might want to have it fail health checks as part of its shutdown procedure.

You can force a health check or legacy health check to fail by temporarily blocking access to the health check IP ranges. This example shows you how to fail health checks using the iptables firewall software running on a Linux VM.

Blocking new health check and legacy health check probes might also block other new incoming connections. This is the case if your health check uses the same port as your service and if connections are sourced from the same health check IP ranges.

To cause a VM to fail health check and legacy health check probes, connect to it and run an iptables command like the following example, replacing [HEALTH_CHECK_PORT] with the appropriate TCP port number. If you need a VM to purposefully fail probes as it is shutting down, you can add iptables commands like these to a shutdown script followed by an appropriate delay based on the health check's check interval and unhealthy threshold.

$ sudo iptables -I INPUT 1 -m state --state NEW \
-s 35.191.0.0/16 -p tcp --destination-port [HEALTH_CHECK_PORT] \
-j REJECT --reject-with tcp-reset
$ sudo iptables -I INPUT 1 -m state --state NEW \
-s 130.211.0.0/22 -p tcp --destination-port [HEALTH_CHECK_PORT] \
-j REJECT --reject-with tcp-reset
$ sudo iptables -I INPUT 1 -m state --state NEW \
-s 209.85.152.0/22 -p tcp --destination-port [HEALTH_CHECK_PORT] \
-j REJECT --reject-with tcp-reset
$ sudo iptables -I INPUT 1 -m state --state NEW \
-s 209.85.204.0/22 -p tcp --destination-port [HEALTH_CHECK_PORT] \
-j REJECT --reject-with tcp-reset

To remove the iptables rules, run the following commands, replacing [HEALTH_CHECK_PORT] with the health check's TCP port.

$ sudo iptables -D INPUT -m state --state NEW \
-s 35.191.0.0/16 -p tcp --destination-port [HEALTH_CHECK_PORT] \
-j REJECT --reject-with tcp-reset
$ sudo iptables -D INPUT -m state --state NEW \
-s 130.211.0.0/22 -p tcp --destination-port [HEALTH_CHECK_PORT] \
-j REJECT --reject-with tcp-reset
$ sudo iptables -D INPUT -m state --state NEW \
-s 209.85.152.0/22 -p tcp --destination-port [HEALTH_CHECK_PORT] \
-j REJECT --reject-with tcp-reset
$ sudo iptables -D INPUT -m state --state NEW \
-s 209.85.204.0/22 -p tcp --destination-port [HEALTH_CHECK_PORT] \
-j REJECT --reject-with tcp-reset
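The block and unblock steps above are the same four ranges with only the iptables action changed, so a shutdown script can generate both sets from one list and compute its wait from the health check's check interval and unhealthy threshold. The following POSIX shell script is an added example, not code from the original page; the function names hc_rules and hc_drain_delay, the port 8080, the example interval and threshold, and the extra interval of safety margin are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): build the iptables rules for the
# four health check source ranges in one place so that the block and unblock
# steps stay symmetric, and compute how long a shutdown script must wait before
# the load balancer has marked the VM unhealthy.
set -eu

# Health check and legacy health check source ranges as listed on the page.
HC_RANGES="35.191.0.0/16 130.211.0.0/22 209.85.152.0/22 209.85.204.0/22"

# Print one iptables command per range. $1 = TCP port, $2 = "block" or "unblock".
# Commands are printed rather than executed so an operator can review them or
# pipe them to sh; this also keeps the function testable without root.
hc_rules() {
  port=$1
  case $2 in
    block)   action="-I INPUT 1" ;;   # insert at the top so it wins over existing ACCEPT rules
    unblock) action="-D INPUT" ;;     # delete the matching rule
    *) echo "usage: hc_rules PORT block|unblock" >&2; return 2 ;;
  esac
  for range in $HC_RANGES; do
    printf 'iptables %s -m state --state NEW -s %s -p tcp --destination-port %s -j REJECT --reject-with tcp-reset\n' \
      "$action" "$range" "$port"
  done
}

# Seconds a shutdown script should wait after blocking probes: the check
# interval times the unhealthy threshold, plus one extra interval of margin
# (the margin is an assumption, chosen to absorb probe timing jitter).
# $1 = check interval in seconds, $2 = unhealthy threshold (consecutive failures).
hc_drain_delay() {
  echo $(( $1 * $2 + $1 ))
}

# Example flow: block probes on port 8080, wait for a 5 s interval /
# 2-failure health check to trip, then remove the rules again.
# Run with DO_IT=1 as root to apply; otherwise only the functions are defined.
if [ "${DO_IT:-0}" = 1 ]; then
  hc_rules 8080 block | sh
  sleep "$(hc_drain_delay 5 2)"
  hc_rules 8080 unblock | sh
fi
```

Pipe `hc_rules PORT block` to `sh` only after checking that the service port is not also the port other clients use from those ranges, as the page warns.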