- Newest
- Most votes
- Most comments
As your using a REST API, then I believe the only option would to be allow the VPC CIDR Range eg, 172.31.0.0/16 in your security group instead of 0.0.0.0/0
UPDATED
You can also DISABLE Enforce inbound rules on PrivateLink traffic via the GUI on the NLB or CLI. This means private link traffic can still connect to the NLB if you dont allow any other traffic!
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html
Search for Enforce inbound rules on PrivateLink traffic. ^^
If using VPC Link for HTTP APIs then,
When you create your API Gateway VPC Link, you can define which security group to attach to the connection. This creates ENI's in your VPC with the SG attached.
Then, use this Security group ID as the source on your NLB security group. This will allow access from the APi Gateway security group and not a CIDR Range
Thank You for your Prompt Response , I tried to give my VPC CIDR Range eg, 172.31.0.0/16 in My security group instead of 0.0.0.0/0 , then still it didnt Worked.! and if i do the second approach is it secure?
Relevant content
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 years ago
- How do I delete my Network Load Balancer that's associated with VPC endpoint services (PrivateLink)?AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 months ago
This Method Worked for me Thank you:-
UPDATED
You can also DISABLE Enforce inbound rules on PrivateLink traffic via the GUI on the NLB or CLI. This means private link traffic can still connect to the NLB if you dont allow any other traffic!
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html
Search for Enforce inbound rules on PrivateLink traffic. ^^
Just to add to the answer. I believe why the CIDR Range didnt work was because of the Target Group "Preserve client IP addresses" if this is disabled then it would have worked. By Default this setting is enabled. You will have to review your use case.