connecting NLB in a different account to internal ALB in different account

The setup you're describing - using a Network Load Balancer (NLB) in one account to route traffic to an Application Load Balancer (ALB) in a different account - is possible, but with some considerations and additional configurations.

Here are the steps to make this work:

• VPC Peering or Transit Gateway: Ensure there is connectivity between the two VPCs in different accounts. You mentioned you're using Transit Gateway (TGW) which should provide the necessary routing. Make sure the routing tables are correctly configured to allow traffic flow between the two VPCs.

• NLB Configuration: The NLB in VPC A needs to be configured to forward traffic to the IP address of the ALB in VPC B. An NLB can forward traffic to an IP target, which can be an IP address from the CIDR of the peered VPC or the TGW.

• Security Groups and NACLs: Make sure that the security groups attached to the ALB in VPC B and Network ACLs allow incoming traffic from the IP address range of VPC A.

• Private Link (Optional): Instead of using VPC peering or TGW, another possible solution is to use AWS PrivateLink. AWS PrivateLink simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet. You can use interface VPC endpoints powered by AWS PrivateLink to connect your NLB to your ALB privately.

Please note that it's not a best practice to expose your ALB directly to the internet via NLB. If you need to expose your services to the internet, you should use ALB or NLB directly, as they provide native integrations with AWS services such as AWS WAF and AWS Shield for security protections.