2
votes

I created an internal network load balancer (NLB) to connect to EC2 instances on a private subnet. I want to restrict access to the EC2 instances only from the network load balancer. I used these instructions https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html#target-security-groups but it did not work.

Basically, I added the IP address of the network interface of the NLB to the security group with my specific port (e.g. 8080 10.4.2.9/32) allowed, but that did not work. When I switched to all allow (e.g. 8080 0.0.0.0/32) it worked, but I do not want other instances to have access to the EC2 instance.

Any ideas on why this is not working? Thanks

2 Answers

1
votes

For what you are trying to accomplish, NLB is the wrong load balancer.

NLB is a layer 4 load balancer. This means that the IP address that you see (at the EC2 instance) is the IP address of the client and not the IP address of the load balancer. With NLB you must allow the client's IP address in your security group.

You want a layer 7 load balancer to implement what you want to do (block other systems in your VPC from accessing your EC2 instances directly). This means ALB or the classic ELB.

1
votes

If you're using a Network Load Balancer, update the security groups for your target instances, because Network Load Balancers do not have associated security groups.

  • If your target type is an IP, add a rule to your security group to allow traffic from your load balancer to the target IP.

  • If your target type is an instance, add a rule to your security group to allow traffic from your load balancer and clients to the target IP.

  • You can allow traffic in the EC2 instance security group. As your instance is in a private subnet, you need to launch the load balancer in the same region but in a public subnet.

Know about your use case first.

Best use cases for Network Load Balancer:

  • When you need to seamlessly support spiky or high-volume inbound TCP requests.
  • When you need to support a static or elastic IP address.
  • If you are using container services and/or want to support more than one port on an EC2 instance. NLB is especially well suited to ECS (the Amazon EC2 Container Service).

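A worked check for the rule the second answer describes, added here as an example (not code from either answerer or from AWS): given the NLB nodes' private IPs and the target group's `preserve_client_ip.enabled` attribute, it derives the sources the target security group must allow on the application port and flags any ingress rule wider than those, such as the 0.0.0.0/0 rule from the question. The security group data is constructed in the shape of boto3's `describe_security_groups` output, and the group id and IP addresses are placeholders.

```python
import ipaddress

# Constructed sample shaped like boto3 describe_security_groups()["SecurityGroups"][0].
# Assumption: only CidrIp sources are modelled; UserIdGroupPairs are ignored.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},        # the over-broad rule
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.4.0.0/16"}]},
    ],
}


def required_sources(preserve_client_ip, nlb_private_ips, client_cidrs):
    """Sources the target security group must allow on the application port.

    Health checks always come from the NLB nodes' private IPs, so those are
    always required. Client ranges are required only when the target group
    attribute preserve_client_ip.enabled is true, because the instance then
    sees the client's address as the packet source, not the NLB's.
    """
    nets = {ipaddress.ip_network(f"{ip}/32") for ip in nlb_private_ips}
    if preserve_client_ip:
        nets |= {ipaddress.ip_network(c) for c in client_cidrs}
    return sorted(nets)


def audit_ingress(sg, port, allowed):
    """Return CIDRs of rules covering `port` that are wider than any allowed source."""
    findings = []
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] not in ("tcp", "-1"):   # "-1" means all protocols
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= port <= hi:
            continue
        for r in perm.get("IpRanges", []):
            cidr = ipaddress.ip_network(r["CidrIp"])
            if not any(a.version == cidr.version and cidr.subnet_of(a) for a in allowed):
                findings.append(str(cidr))
    return findings


if __name__ == "__main__":
    # IP targets without client IP preservation: only the NLB node IPs need allowing.
    allowed = required_sources(False, ["10.4.2.9"], ["10.4.0.0/16"])
    print("allow on 8080:", [str(n) for n in allowed])
    print("too wide on 8080:", audit_ingress(SAMPLE_SG, 8080, allowed))
```

Newer NLBs can also carry a security group of their own, in which case the target security group can reference that group instead of listing IP ranges.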