NLB preserving client IP addresses in combination with NACL having source CIDR constraint

0

I have a VPC with two subnets, each subnet containing an EC2 instance accessible via port 80. There is a NACL associated with both subnets restricting inbound traffic to a certain source CIDR outside of AWS. An internet-facing NLB is configured to route traffic to the instances via instance id.

If "preserve client ip addresses" is disabled, everything works fine, requests originating from the correct CIDR are reaching port 80. But if it is enabled, my requests are timing out.

A solution is to add a rule to the NACL allowing inbound traffic from the VPC itself. This is in line with what the documentation says. But I don't understand why this is required only when preserving client ip addresses. It is preserving the source ip address, it should be covered by the original NACL.

I guess the answer is something like "... because Hyperplane", but I would like to have a deeper understanding.

randy
質問済み 2年前396ビュー
2回答
0

Does a security group associated with the EC2 instances permit traffic from the external source CIDR?

If the instance security group rules permit access from the VPC CIDR but not the external source CIDR, requests will succeed when client IP preservation is disabled (because the instances see requests coming from the NLB) and fail when client IP preservation is enabled (because the instances see requests coming from the external source CIDR).

AWS
MikeJ
回答済み 2年前
0

The security group associated with the instances is allowing port 80 from 0.0.0.0/0. I am even able to bypass the LB and talk to the instances directly from the external source CIDR.

randy
回答済み 2年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ