2回答
- 新しい順
- 投票が多い順
- コメントが多い順
1
You should set your ALB's security group inbound rules to accept HTTP/S traffic only from the security group that is associated to the NLB.
This way the ALB will only accept inbound traffic from the NLB regardless the source IP (it will take care to allow both the health checks originated from the NLB network interfaces IP and the traffic originated by the clients that the NLB preserves.
回答済み 2ヶ月前
0
This article should help: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html.
I would do as follows:
Security group for public ALB: Inbound :NLB client IP, 443, VPC Cidr of the NLB Outbound: instances behind ALB
Doesn't the NLB preserve the source IP?
It does but I think it depends on how you then register the target: https://repost.aws/knowledge-center/elb-capture-client-ip-addresses.
For Network Load Balancers, register your targets by instance ID to capture client IP addresses without additional web server configuration. For instructions, see Target group attributes instead of the following resolutions.
For Network Load Balancers when you can register only IP addresses as targets, activate proxy protocol version 2 on the load balancer. For instructions, see Enable proxy protocol instead of the following resolutions.