3 votes

I'm trying to do (what I think is) a simple thing for a custom tcp server (a type of sftp):

Allow traffic to come in on port 2222 via an aws network load balancer and then be routed to instances in a private subnet.

I've done the same with an application load balancer and it works great.

But I can't get the network version working.

I'm wondering whether this is even possible. I do get a warning when I create the network load balancer saying that there are no instances in my public subnet (which is true... all the instances are in the private subnet). But I weirdly don't get this error when creating an application load balancer with the same subnets.

Am I missing something here?

(I can ping my server no problem using a bastion host, so I know it's running. I've also opened port 2222 in all related security groups.)

Can network load balancers direct traffic to instances in a private subnet?

2
I wouldn't be surprised if that didn't work. NLBs pass the traffic along unchanged, and don't have Security Groups. They are operating at a different network layer than ALBs. There's probably a good reason it is giving you the warning about no instances in the public subnet. You can't assume it will work just because it works for ALBs, they are fundamentally different. - Mark B

2 Answers

6 votes

NLB appears to modify the behavior of the network infrastructure, rather than being "hidden EC2 instance"-based like ALB or classic ELB, so a different network configuration is required.

The instances need to be on a public subnet with their default route pointing to the Internet Gateway in order to work with an outside-facing NLB, because unlike the other load balancer offerings, they don't return their response traffic to "the balancer's internal IP" since the balancer has no instance-facing IP address of its own, and the instances see the traffic as coming directly from the client IP.

4 votes

So what everyone responded with is absolutely correct.

The solution was to simply change the security group associated with the network interface that is in turn associated with my private subnets as follows:

2222 0.0.0.0/0

I had previously had it as

2222 10.0.0.0/16 (where 10.0.0.0/16 is my vpc)

and this doesn't work, since clients could come from anywhere and they aren't coming from my network, because the network load balancer passes off clients directly to the backend infrastructure.

This simple change fixed the problem right away.
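The reason the ALB worked with the `10.0.0.0/16` rule while the NLB did not, as both the comment and the second answer describe, is that the ALB opens its own connection to the instance from a VPC-private address, whereas the NLB (with targets registered by instance ID) forwards the packet with the client's source IP intact, so the instance's security group has to admit the client's address. The following script is an added example, not code from the question or either answer: it evaluates constructed security-group ingress rules (in the `IpPermissions` shape that `aws ec2 describe-security-groups` returns) against a constructed client address for both load balancer types, so you can see the before/after rules from the answer either admit or block the flow. The ALB private address `10.0.1.50`, the client address `203.0.113.7` and the function names are all assumptions made for the example.

```python
"""
Security-group reachability check for a TCP service (port 2222) behind an
AWS load balancer. Added example, not from the original thread. It models
why a VPC-CIDR-only ingress rule works behind an ALB but fails behind an
NLB with instance targets, which preserves the client's source IP.
"""
import ipaddress

# Constructed ingress rules mirroring the two rules in the accepted answer,
# in the shape of "IpPermissions" entries from describe-security-groups.
SG_BEFORE = [  # original rule: only the VPC CIDR may reach port 2222
    {"IpProtocol": "tcp", "FromPort": 2222, "ToPort": 2222,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]
SG_AFTER = [  # rule after the fix: any source may reach port 2222
    {"IpProtocol": "tcp", "FromPort": 2222, "ToPort": 2222,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def rule_allows(rule, src_ip, port, proto="tcp"):
    """True if a single ingress rule admits src_ip -> port/proto."""
    if rule["IpProtocol"] not in (proto, "-1"):
        return False
    # Protocol "-1" (all traffic) carries no port range in the API output.
    if rule["IpProtocol"] != "-1":
        if not (rule["FromPort"] <= port <= rule["ToPort"]):
            return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in rule.get("IpRanges", []))


def sg_allows(rules, src_ip, port, proto="tcp"):
    """Security groups are allow-lists: any one matching rule permits the flow."""
    return any(rule_allows(r, src_ip, port, proto) for r in rules)


def effective_source_ip(client_ip, lb_type, lb_private_ip):
    """
    Source address as the backend instance sees it.
    ALB: the balancer terminates the TCP connection and opens a new one from
         its own VPC-private address, so the instance sees that address.
    NLB (instance targets): the original packet is forwarded, so the
         instance sees the real client IP.
    """
    if lb_type == "alb":
        return lb_private_ip
    if lb_type == "nlb":
        return client_ip
    raise ValueError(f"unknown load balancer type: {lb_type}")


def reachable(rules, client_ip, lb_type, lb_private_ip="10.0.1.50", port=2222):
    """Would a client reach port `port` on the instance through this balancer?"""
    src = effective_source_ip(client_ip, lb_type, lb_private_ip)
    return sg_allows(rules, src, port)


if __name__ == "__main__":
    client = "203.0.113.7"  # constructed client address (TEST-NET-3 range)
    for name, rules in (("before", SG_BEFORE), ("after", SG_AFTER)):
        for lb in ("alb", "nlb"):
            state = "allowed" if reachable(rules, client, lb) else "blocked"
            print(f"{name:6} {lb.upper()}: {state}")
```

Running it prints `before ALB: allowed`, `before NLB: blocked`, `after ALB: allowed`, `after NLB: allowed`, which is exactly the behaviour the asker observed. The same `reachable` check is useful the other way round: if your clients come from a known set of addresses, you can test a tighter allow-list of those CIDRs instead of `0.0.0.0/0` and confirm that both the intended clients pass and an arbitrary address is rejected before you change the group.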