1
votes

I have a few web apps with an application load balancer sitting in front of them. They can only be accessed through a split-tunnel VPN. The problem is we use VPN split tunneling to route only certain traffic (meaning certain IP addresses) through the tunnel. Since an ALB doesn't work with an EIP, we have to put an NLB in front of the ALB.

Checking the log file, we can see that the ALB only sees the NLB's private IP, so the security group attached to the ALB doesn't work.

My question is: how can we configure the ALB/NLB so that the ALB sees the request's IP and the security group attached to the ALB can work?

1

1 Answer

0
votes

Not sure about ALBs, but you can enable proxy protocol on the NLB target group, put NGINX between the NLB and the ALB, and filter traffic in NGINX.

Enable Proxy Protocol on NLB target group: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-protocol

Accepting the PROXY Protocol in nginx: https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
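As an added example (not part of the answer above), this is the NGINX configuration that wires the two links together: the NLB target group has `proxy_protocol_v2.enabled=true`, NGINX reads the client address out of the PROXY protocol header, enforces the allow-list the ALB security group could not, and then proxies to the ALB. The VPC CIDR, VPN egress range, ALB hostname, server name and certificate paths are assumed values.

```nginx
# Added example, not the answer author's config. NGINX sits between an NLB
# (TCP listener, target group with proxy_protocol_v2.enabled=true) and the ALB.
# All addresses, hostnames and paths below are assumed values.

http {
    # Trust the PROXY header only when it arrives from the NLB's own private
    # addresses (assumed VPC CIDR). Without this restriction anyone who could
    # reach NGINX directly could forge a client address in the header.
    set_real_ip_from 10.0.0.0/16;
    real_ip_header   proxy_protocol;   # $remote_addr becomes the real client IP

    # Re-resolve the ALB hostname instead of caching its IPs at startup
    # (169.254.169.253 is the VPC-provided resolver). ALB node IPs change.
    resolver 169.254.169.253 valid=30s;

    # Log the real client next to the NLB address it arrived through, for audit.
    log_format proxied '$remote_addr via $realip_remote_addr "$request" $status';

    server {
        # proxy_protocol on the listener is mandatory once the target group
        # attribute is on: otherwise NGINX reads the binary PROXY v2 header as
        # a malformed request and answers 400.
        listen 443 ssl proxy_protocol;
        server_name app.example.internal;               # assumed

        ssl_certificate     /etc/nginx/tls/app.crt;     # assumed paths
        ssl_certificate_key /etc/nginx/tls/app.key;

        access_log /var/log/nginx/access.log proxied;

        # The filter the ALB security group could not apply: allow only the
        # split-tunnel VPN egress range (assumed) and drop everything else.
        # allow/deny evaluate $remote_addr, which real_ip_header has rewritten
        # to the PROXY-protocol source address.
        allow 203.0.113.0/24;
        deny  all;

        location / {
            # Using a variable forces proxy_pass to go through 'resolver'.
            set $alb "https://internal-app-alb-123456789.eu-west-1.elb.amazonaws.com";  # assumed
            proxy_pass $alb;
            proxy_ssl_server_name on;

            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_protocol_addr;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Two things worth checking after deploying this. First, the ALB still only ever sees the NGINX instance's address; the enforcement point moves to the `allow`/`deny` block here, and the ALB's own security group should be tightened to admit only the NGINX hosts, while the NGINX hosts' security group admits only the NLB's subnets. Second, the header the whole scheme depends on is trusted purely because of `set_real_ip_from`, so keep that range to the NLB's subnets and never expose the NGINX listener to anything that is not the NLB.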