Is it possible to set up an NLB forwarding to an ALB with the NLB endpoint secured?

1

Hi

I have an NLB (internet-facing, public subnet) forwarding traffic to an ALB (internal, private subnet) with ECS backend services. That works great, but essentially what I want is to have https://api.example.com, and I haven't found a way to make that work. Is this even possible?

What I am trying to do is pretty much what is outlined in this question: https://repost.aws/questions/QUoy9PIqmzTOOFo27QHdAoGA/traffic-doesnt-flow-whe-using-alb-as-a-target-of-nlb.

2 Answers
2

I want to clarify your question first. I think it is "I want to connect to the NLB using api.example.com as the DNS name rather than the default NLB name; and I want the ALB to do the TLS offload using api.example.com as the certificate name."

If that's the case, what you need to do is create a DNS record (in Route 53 or your DNS provider) for api.example.com and point that to the IP addresses of the NLB. Configure the NLB for TCP/443 (not HTTPS) because then it will forward the TCP session to the ALB.

Now, the clients can resolve api.example.com to the NLB IP address which connects to the ALB which then presents the correct certificate.

AWS
EXPERT
answered 2 years ago
  • This is what I love about AWS - there's always something new to learn even when you work here. Good info in the documentation that you've shown. You definitely want a TCP listener on NLB because you want it to pass the session directly through to the ALB. The ALB must be configured to listen for HTTPS. I'm not sure where that error is coming from but some extra debug output might be handy here.

  • Well, I researched that error and it got me thinking even more: https://aws.amazon.com/premiumsupport/knowledge-center/elb-fix-ssl-tls-negotiation-error/ "A client TLS negotiation error means that a TLS connection initiated by the client was unable to establish a session with the load balancer. TLS negotiation errors occur when clients try to connect to a load balancer using a protocol or cipher that the load balancer's security policy doesn't support."

    So it feels like I am back where I started. I have to try again and check Client TLS Negotiation errors on the Monitoring tab. Still not quite sure whether or not this is possible.

  • You are interpreting it correctly, yes. I already have a record in Route 53, but I tried to set up not TCP/443 but TLS/443 on the NLB; however, this is when things don't work: "TLS listeners on Network Load Balancers cannot forward to ALB-type target groups. If you have a use case to terminate TLS, we recommend using HTTPS listeners on your ALB", as mentioned here - https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/

    Then in the docs - https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html - I've found under Step 3, 7a: "For Listeners, the default is a listener that accepts TCP traffic on port 80. Only TCP listeners can forward traffic to an Application Load Balancer target group. Keep the listener protocol set to TCP, but you can modify the port as required. This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol."

    I tried setting up forwarding from the HTTP rule to the HTTPS rule, but that doesn't work. Now, if I try what you suggested, TCP/443 on the NLB, I get an SSL error: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.

  • What the NLB should do when you select TCP/443 is send traffic directly to the ALB without modifying the payload. What happens if you try to connect to the ALB directly? You might have to (temporarily) set up an EC2 instance in the VPC to do that, but it's worth trying.

0

Hi @rePost-User-2569874,

Elastic Load Balancing now supports forwarding traffic directly from Network Load Balancer (NLB) to Application Load Balancer (ALB). With this feature, you can now use AWS PrivateLink and expose static IP addresses for applications built on ALB.

If the Answer is helpful, please click Accept Answer & UPVOTE, this can be beneficial to other community members.

answered 2 years ago
  • Hi @learn2skills,

    Could you please elaborate on why enabling VPC endpoint services is needed?

    As per the docs: "To use the Network Load Balancer that you set up in the previous step as an endpoint for private connectivity, you can enable AWS PrivateLink. This establishes a private connection to your load balancer as an endpoint service."

    I'm confused as to why I need private connectivity to my NLB; by definition, "AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet." I am exposing the NLB to the public internet, and I am trying to understand whether or not I can use HTTPS listener rules on the ALB.

  • You need 2 listeners on the NLB and 2 ALB target groups:

    The TCP 80 listener on the NLB forwards traffic to the TCP 80 ALB target group. The TCP 443 listener on the NLB forwards traffic to the TCP 443 ALB target group.

    Then you can have an HTTP to HTTPS redirect at the ALB level.

    Works for me.
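The layout the last comment describes (two TCP listeners on the NLB, one ALB-type target group per port, HTTP to HTTPS redirect on the ALB) together with the DNS record from the first answer, written out as Terraform for the AWS provider. This is an added example, not code from the thread or from AWS. It assumes the two load balancers already exist (the asker has both) and looks them up by name; the names `api-nlb` and `api-alb`, the variables, and every ARN are placeholders.

```hcl
# Added example, not code from the thread or from AWS: two ALB-type target
# groups, two TCP listeners on the NLB, an HTTP->HTTPS redirect plus an HTTPS
# listener on the ALB, and an alias record for api.example.com.
# The load balancers are assumed to exist already; every name and ARN below
# is a placeholder.

variable "vpc_id"               { type = string } # assumed
variable "certificate_arn"      { type = string } # ACM cert for api.example.com, assumed
variable "ecs_target_group_arn" { type = string } # existing ECS target group, assumed
variable "hosted_zone_id"       { type = string } # Route 53 zone for example.com, assumed

data "aws_lb" "nlb" { name = "api-nlb" } # internet-facing, public subnets (assumed name)
data "aws_lb" "alb" { name = "api-alb" } # internal, private subnets (assumed name)

# One ALB-type target group per port. The protocol must be TCP and the port
# must match an ALB listener on that same port. If the 443 target group were
# pointed at the ALB's port 80 listener, the client's TLS ClientHello would be
# answered in plaintext by an HTTP listener, which OpenSSL reports as
# "wrong version number".
resource "aws_lb_target_group" "alb" {
  for_each    = { http = 80, https = 443 }
  name        = "api-alb-${each.key}"
  target_type = "alb"
  protocol    = "TCP"
  port        = each.value
  vpc_id      = var.vpc_id
}

resource "aws_lb_target_group_attachment" "alb" {
  for_each         = aws_lb_target_group.alb
  target_group_arn = each.value.arn
  target_id        = data.aws_lb.alb.arn
  port             = each.value.port
  # The ALB listener on that port has to exist before the ALB can be registered.
  depends_on = [aws_lb_listener.alb_http, aws_lb_listener.alb_https]
}

# NLB listeners: plain TCP pass-through on 80 and 443. A TLS listener cannot
# target an ALB, so nothing is decrypted at the NLB.
resource "aws_lb_listener" "nlb" {
  for_each          = aws_lb_target_group.alb
  load_balancer_arn = data.aws_lb.nlb.arn
  protocol          = "TCP"
  port              = each.value.port

  default_action {
    type             = "forward"
    target_group_arn = each.value.arn
  }
}

# ALB port 80: redirect everything to HTTPS.
resource "aws_lb_listener" "alb_http" {
  load_balancer_arn = data.aws_lb.alb.arn
  protocol          = "HTTP"
  port              = 80

  default_action {
    type = "redirect"
    redirect {
      protocol    = "HTTPS"
      port        = "443"
      status_code = "HTTP_301"
    }
  }
}

# ALB port 443: the only place TLS terminates. It presents the api.example.com
# certificate and forwards to the existing ECS target group.
resource "aws_lb_listener" "alb_https" {
  load_balancer_arn = data.aws_lb.alb.arn
  protocol          = "HTTPS"
  port              = 443
  certificate_arn   = var.certificate_arn
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = "forward"
    target_group_arn = var.ecs_target_group_arn
  }
}

# api.example.com resolves to the NLB (alias record, as the first answer says).
resource "aws_route53_record" "api" {
  zone_id = var.hosted_zone_id
  name    = "api.example.com"
  type    = "A"

  alias {
    name                   = data.aws_lb.nlb.dns_name
    zone_id                = data.aws_lb.nlb.zone_id
    evaluate_target_health = true
  }
}
```

Two things to check once this is applied. First, the ALB's security group: with client IP preservation (the default for ALB-type targets) the ALB sees the original client addresses, so its inbound rules on 80 and 443 must admit the client range the NLB serves, not only the NLB's private IPs. Second, the test the expert comment suggests: from an instance inside the VPC, connect to the ALB's own DNS name on 443 and confirm it presents the api.example.com certificate; if that works but the same request through api.example.com fails with "wrong version number", the 443 listener on the NLB is almost certainly forwarding to the wrong target group port.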
