Here are the things which you need to do -
- As you have already found out, have an internet facing NLB for the Global Accelerator endpoint. So, configure an internet gateway in the vpc.
- However, you need to ensure that the NLB doesn't receive any traffic directly from the internet. This can be done by not allocating any public IP address for the NLB or the EC2 instances, and by not having a route for the internet gateway in the subnet route table.
To learn more, refer to https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html
Hello and thank you for taking the time to answer my question. As I already wrote "Within the vpc, there is another subnet that has an internet gateway." So item 1 is already done. For item 2, I had not paid attention to the issue of public ip addresses for the instance and nlb. I managed to do it for the subnet, then recreated the ec2 without public ip and recreated the nlb. But I think that internet facing nlb always have a public IP. As for the route, this is the issue: if I don't add it, I can't connect to the service. But if I add it then the NLB could receive internet traffic which I don't want.
Hi there! Okay. Can you please confirm if you have the following setup currently?
- NLB is in a public subnet.
- EC2 instances(targets) are in a private subnet.
NLBs don't have client IP preservation, so the target instances see the Global Accelerator IP addresses in the packets. To ensure that all traffic comes from the GA, we can update the security group of the target EC2 instances with the list of GA IP addresses. Refer to this link for the configuration: https://repost.aws/knowledge-center/globalaccelerator-limit-endpoint-access-by-securitygroup. Alternatively (easier approach), use the GA security group as the source in the EC2 security group. Please note that GA creates a specific security group for each VPC.
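As an added example (not from the thread or from AWS), a small offline audit of the target instances' security group that flags any ingress source other than the GA-created security group or the GLOBALACCELERATOR prefixes from ip-ranges.json; the group IDs and CIDRs are constructed placeholders, and the input mirrors the IpPermissions shape that boto3's describe_security_groups returns.

```python
import ipaddress

# Constructed placeholders: the security group Global Accelerator created in the
# VPC, and the GLOBALACCELERATOR prefixes you would load from ip-ranges.json.
GA_SECURITY_GROUP_ID = "sg-0ga0placeholder"
GA_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]


def _cidr_is_ga(cidr: str) -> bool:
    """True when the CIDR lies entirely inside one of the GA prefixes."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in GA_PREFIXES if net.version == p.version)


def non_ga_ingress(security_group: dict) -> list[str]:
    """Return one finding per ingress source that is not Global Accelerator."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        port = f"{perm.get('IpProtocol')}/{perm.get('FromPort', 'all')}"
        for rng in perm.get("IpRanges", []):
            if not _cidr_is_ga(rng["CidrIp"]):
                findings.append(f"{port} open to {rng['CidrIp']}")
        for rng in perm.get("Ipv6Ranges", []):
            if not _cidr_is_ga(rng["CidrIpv6"]):
                findings.append(f"{port} open to {rng['CidrIpv6']}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != GA_SECURITY_GROUP_ID:
                findings.append(f"{port} open to group {pair['GroupId']}")
    return findings


# Constructed sample: 443 admitted only from GA (group and prefix), 22 open to the world.
SAMPLE_TARGET_SG = {
    "GroupId": "sg-0target0placeholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "192.0.2.0/26"}],
         "UserIdGroupPairs": [{"GroupId": GA_SECURITY_GROUP_ID}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for finding in non_ga_ingress(SAMPLE_TARGET_SG):
        print("FINDING:", finding)
```

Run it against the real group by replacing the sample with the dict returned by describe_security_groups; an empty list means every ingress source is Global Accelerator.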
I have all that except for the NLB which is on a private subnet (meaning a subnet without an internet gateway). Because if there is an internet gateway (meaning a route in the subnet route table that routes traffic to and from the internet gateway) in the NLB subnet, how do I ensure that the NLB only get traffic from the global accelerator?
I tried adding a route to the private subnet: 0.0.0.0/0 to the network interface of the global accelerator but that does not solve the problem.
There is the same question here, by the way: https://repost.aws/questions/QUahnyBTcxQXywDFkqUHZkJQ/global-accelerator-nlb-and-private-subnets#COvFcrZpUmTNO6lTLkuW9mxg but it is unanswered.
As a side note, if I add an internet gateway to the subnet, then it all works fine.