By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Connect to a UDP Port of EC2 instance in a Private subnet through NLB

0

Hello all,

I'm trying to connect to an EC2 instance deployed in a Private subnet through a Network Load Balancer (NLB). The goal is to connect through the NLB on different TCP and UDP ports. In our company for security policies we cannot directly expose an EC2 instance with public IP, so we have to go through an NLB.

I've looked online for so many solutions, but they often talk about ALB or ELB, and no one discusses the case of UDP ports. I have been trying for months without success.

I have tried several approaches, but in all of them something does not work as I would like.

In all the ways I tried, I made sure that:

  1. there is a NAT Gateway for instances in private subnet.
  2. there is an Internet Gateway for NLB in public subnet.
  3. NLB is Internet-facing and in the public subnet
  4. Route tables public subnet: 0.0.0.0/0 -> IGW and 10.10.0.0/16 -> local
  5. Route tables private subnet: 0.0.0.0/0 -> NAT and 10.10.0.0/16 -> local
  6. security group of EC2 instance admit connection on requested port from all sources (0.0.0.0/0)
  7. NACL's of Subnets allow all traffic on 0.0.0.0/0

10.10.0.0/16 is the CIDR of my VPC.

My tries:

  1. NLB with Elastic IP and EC2 Instance in private subnet: I can connect to the instance with TCP ports, but I can't create targets and listeners that uses UDP ports (error Network Load Balancers used with AWS PrivateLink cannot have TCP_UDP listeners.).
  2. NLB with IP "Assigned by AWS" and EC2 Instance in private subnet: I try to connect in both TCP and UDP, using NLB's DNS, but I always get "Timeout" error, I can't get to EC2 instance. Here, however, I could create targets and listeners that uses UDP ports.

Could you help me understand how to achieve the goal? Is there any support (even paid support) to get an answer? Thank you

Best Regards Davide

Topics
Networking & Content DeliveryCompute
Tags
Amazon VPCAmazon EC2Networking & Content DeliveryNetwork Load Balancer
Language
English
davi_maf90
asked a year ago869 views
1 Answer
0

Hi Davide,

One thing to consider is that with NLB the default setting for UDP listeners is to preserve the client IP. With what you have described, this would be asynchronous flow (client -> NLB -> target -> NAT -> IGW) which explains why TCP is working as that protocol can handle such traffic.

I would suggest checking the Client IP Preservation for your target groups and let us know. Documentation about Client IP Preservation can be found here

Please let us know how it goes!

AWS
AWS-User-0357409
answered a year ago
  • davi_maf90
    a year ago

    Hi AWS-User-0357409, the Client IP Preservation check is enabled on the target group. The problem is that even a simple connection to TCP 22 is not working in the case 2, where the NLB use "Assign by AWS" IP. The same machine with the same Target make me connect to TCP 22 just using the NLB with Elastic IP.

    it seems that with NLB with Assigned by AWS it is not possible to connect in any way, if I can access at least SSH maybe the UDP port might also work.

    My application case is to create an EC2 instance with Omniverse NVIDIA inside, which uses TCP and UDP ports for streaming software: https://docs.omniverse.nvidia.com/app_streaming-client/app_streaming-client/user-manual.html#server

    Is there another way besides NLB, without publicly exposing the EC2 instance, to be able to access the TCP and UDP ports?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content