I want to connect to a load balancer in VPC A from my instance in VPC B. How can I access an internal load balancer using VPC peering?
Short description
To access an internal load balancer in VPC A from VPC B:
- Establish connectivity between VPC A and VPC B using VPC peering.
- Establish the necessary routes, security group rules, and network access control list (ACL) rules to allow traffic between the VPCs.
Resolution
Using VPC peering, you can access internal load balancers (including Classic Load Balancers, Application Load Balancers, and Network Load Balancers) from another VPC.
- Establish connectivity between your VPCs using VPC peering.
Note: VPC peering is available for intra-Region and inter-Region connectivity for local or cross-account VPCs.
- Verify that a route for the load balancer's subnet CIDR (or VPC CIDR) exists in the route table of the client subnet, and that it targets the VPC peering connection ID of your VPCs. Similarly, verify that a route for the client subnet or VPC CIDR exists in the route table of the load balancer's subnets.
- Resolve the load balancer's DNS name from your instance, using nslookup to verify that it resolves.
- If you're using a Classic Load Balancer or an Application Load Balancer, verify that the security group and network ACL allow traffic from either the instance's complete subnet/VPC CIDR or the specific instance IP:
In the load balancer's security group, allow inbound traffic only on the load balancer's listener port.
For the subnet's network ACL, allow ingress traffic from the instance IP or subnet/VPC CIDR on the load balancer's listener port. For egress, make sure that the ephemeral port range (1024 to 65535) is allowed so that return traffic from the load balancer nodes can reach the instance.
-or-
If you're using a Network Load Balancer, make sure that the traffic is allowed in the security group of the target instances.
Note: Modify your security groups or network ACLs, as needed. If you haven't modified the network ACLs, there's a default rule to allow all (0.0.0.0/0) traffic. In this case, you don't need to modify the network ACLs. However, it's an AWS security best practice to allow traffic to and from specific CIDR ranges.
- Check that the instance's security group permits outbound traffic to the load balancer's subnets, or has the default outbound rule (0.0.0.0/0).
For the subnet's network ACL, verify that there's an egress rule allowing traffic to the load balancer's subnets on the load balancer's listener port, and an ingress rule allowing traffic to the instance IP/subnet on ephemeral ports for response traffic.
Note: If you haven't modified these default settings, you don't need to make any changes to the default outbound rule (0.0.0.0/0) for the security group or the default ALLOW ALL rule for the network ACL of the subnet with the instance. However, it's an AWS security best practice to allow traffic to and from specific CIDR ranges.
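The route and network ACL checks above can be applied offline to the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-network-acls` return. The following is an added example, not AWS-provided code: it evaluates, from the load balancer subnet's side, whether a client IP in the peered VPC has a route back through the peering connection, is allowed in on the listener port, and is allowed out on the whole ephemeral range. The route table, network ACL entries, CIDR ranges and the pcx- ID are constructed sample data.

```python
import ipaddress

# Constructed sample data in the shape of describe-route-tables / describe-network-acls output.
# 10.0.0.0/16 is the load balancer VPC, 10.1.0.0/16 the client VPC; the pcx- ID is hypothetical.
LB_ROUTE_TABLE = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-0123456789abcdef0"},
]
# Protocol "6" is TCP, "-1" is all protocols; 32767 is the default deny-all ("*") rule.
LB_NACL = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow", "CidrBlock": "10.1.0.0/16", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow", "CidrBlock": "10.1.0.0/16", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]

def route_via_peering(routes, client_ip):
    """Longest-prefix match as the VPC router does; True if the winning route targets a peering connection."""
    ip = ipaddress.ip_address(client_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r["DestinationCidrBlock"])]
    if not matches:
        return False
    best = max(matches, key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen)
    return best.get("VpcPeeringConnectionId", "").startswith("pcx-")

def nacl_allows(entries, egress, ip, port, protocol="6"):
    """Network ACL semantics: entries are evaluated in ascending RuleNumber and the first match decides."""
    addr = ipaddress.ip_address(ip)
    for e in sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("-1", protocol):
            continue
        if addr not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"] == "allow"
    return False  # no matching entry: implicit deny

def lb_subnet_reachable(routes, nacl, client_ip, listener_port):
    """Return route to the client, ingress on the listener port, and egress on every ephemeral port
    (1024-65535) so that the load balancer nodes' responses can reach the instance."""
    return (route_via_peering(routes, client_ip)
            and nacl_allows(nacl, False, client_ip, listener_port)
            and all(nacl_allows(nacl, True, client_ip, p) for p in range(1024, 65536)))
```

Run the same checks against the client subnet's route table and network ACL with the roles reversed (egress on the listener port, ingress on the ephemeral range) to cover the instance side.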