Introduction

A health check that returns 301 can make a healthy application look broken to the load balancer. Many platforms expect a plain 200 response from a lightweight endpoint, not a redirect to login, HTTPS, or a canonical hostname. The clean fix is to give the load balancer a purpose-built path that stays stable regardless of user-facing redirect logic.

Symptoms

  • Instances are marked unhealthy even though the app works in a browser
  • Traffic drains from good servers after a deploy or redirect change
  • Health check logs show 301 or 302 instead of 200
  • The outage affects only traffic behind the load balancer
  • The problem started after forcing HTTPS or adding canonical host redirects

Common Causes

  • The health check path redirects from HTTP to HTTPS instead of returning 200 directly
  • The application redirects unauthenticated requests to a login page
  • Host header mismatches trigger a canonical domain redirect
  • The chosen path is not intended for monitoring and inherits normal user-facing redirect behavior
  • Middleware or reverse proxy rules rewrite the health check request before it reaches the app

Step-by-Step Fix

  1. Inspect the exact load balancer health check configuration, including protocol, host header, path, and expected response code.
  2. Request that same path manually with the same protocol and host assumptions so you can reproduce the 301 precisely.
  3. Create or select a simple monitoring endpoint that returns 200 without requiring redirects, cookies, or authentication.
  4. Update the health check to use that endpoint instead of a homepage or login-sensitive path.
  5. If host-based routing is involved, make sure the health check sends the correct host header for the target service.
  6. Review web server and application redirect rules to confirm they no longer catch the monitoring endpoint.
  7. Retest until the load balancer marks the target healthy consistently across all instances.
  8. Keep the health endpoint lightweight so it reflects app readiness without depending on fragile user-facing flows.
  9. Document the monitoring contract so future redirect or auth changes do not accidentally break infrastructure health checks.