By using AWS re:Post, you agree to the Terms of Use

Is it possible to setup a NLB forwarding to ALB having NLB endpoint secured?



I have an NLB( internet-facing, public subnet) forwarding traffic to ALB(internal; private subnet) with ECS backend services. That works great , but essentially what I want is to have, but haven't found a way to make that work. Is this even possible?

What I am trying to do is pretty much is outlined in this question

2 Answers

I want to clarify your question first. I think it is "I want to connect to the NLB using as the DNS name rather than the default NLB name; and I want the ALB to do the TLS offload using as the certificate name."

If that's the case, what you need to do is create a DNS record (in Route 53 or your DNS provider) for and point that to the IP addresses of the NLB. Configure the NLB for TCP/443 (not HTTPS) because then it will forward the TCP session to the ALB.

Now, the clients can resolve to the NLB IP address which connects to the ALB which then presents the correct certificate.

profile picture
answered 17 days ago
  • This is what I love about AWS - there's always something new to learn even when you work here. Good info in the documentation that you've shown. You definitely want a TCP listener on NLB because you want it to pass the session directly through to the ALB. The ALB must be configured to listen for HTTPS. I'm not sure where that error is coming from but some extra debug output might be handy here.

  • Well, researched that error and it got me even thinking more A client TLS negotiation error means that a TLS connection initiated by the client was unable to establish a session with the load balancer. TLS negotiation errors occur when clients try to connect to a load balancer using a protocol or cipher that the load balancer's security policy doesn't support.

    So it feels like I am back where I started. Have to try again and check Client TLS Negotiation errors on the Monitoring tab. Still not quite sure whether or not this is possible.

  • You are interpreting it correctly, yes. I already have a record in Route53 but I tried to setup not TCP/443 but TLS/443 on NLB, however this is when things don't work - TLS listeners on Network Load Balancers cannot forward to ALB-type target groups. If you have a use case to terminate TLS, we recommend using HTTPS listeners on your ALB as mentioned here -

    Then in the docs -, I've found under Step 3, 7a: For Listeners, the default is a listener that accepts TCP traffic on port 80. Only TCP listeners can forward traffic to an Application Load Balancer target group. Keep the listener protocol set to TCP, but you can modify the port as required. This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol.

    Tried setting up forwarding from http rule to https rule but that doesn't work. Now if I tried what you suggested TCP/443 on NLB I get SSL error - error:1408F10B:SSL routines:ssl3_get_record:wrong version number.

  • What the NLB should do when you select TCP/443 is send traffic directly to the ALB without modifying the payload. What happens if you try and connect to the ALB directly? You might have (temporarily) set up an EC2 instance in the VPC to do that; but it's worth trying.


Hi @rePost-User-2569874,

Elastic Load Balancing now supports forwarding traffic directly from Network Load Balancer (NLB) to Application Load Balancer (ALB). With this feature, you can now use AWS PrivateLink and expose static IP addresses for applications built on ALB

If the Answer is helpful, please click Accept Answer & UPVOTE, this can be beneficial to other community members.

profile picture
answered 17 days ago
  • Hi @learn2skills,

    Could you please elaborate on why enabling VPC endpoint services is needed ?

    As per the docs - To use the Network Load Balancer that you set up in the previous step as an endpoint for private connectivity, you can enable AWS PrivateLink. This establishes a private connection to your load balancer as an endpoint service.

    I m confused on to why I needed a private connectivity to my NLB , as per definition - AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet. I am exposing NLB to the public internet and I am trying to understand whether or not I can use https listener rules on ALB.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions