My Network Load Balancer is not enforcing the target Security group

0

Hello:

I came upon a problem when setting up my service behind a Network Load Balancer. I'm sure I'm missing something but I can't seem to find it. This is what I want: a service running in an EC2 instance (say port 1883) and a network load balancer in front with a DNS alias for a nice name. I want to access the service only from a specific list of sources (whitelisted in the EC2 security groups).

WHITELISTED IP ---> DNS Alias --> NETWORK LB --> TARGET GROUP --> EC2 INSTANCE

Based on this guide: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html the ec2 instance has the following security groups:

  • A list of authorized IPs for the service port
  • The Network Load Balancer IPs for the health check port (same port, actually)
  • The default security group that allows traffic to all IPs in the same group.

I'm using the VPC's default ACL.

When I access the service directly via its IP address, the security works as expected: allowing only the authorized IPs and blocking everything else.

But when I access the service via the NLB, it seems to be open to all the internet. It allows traffic from every IP I test.

Why is the NLB not enforcing the rules from the EC2's Security Groups? What am I missing?

Any advice will be greatly appreciated.

colmos
Asked 5 years ago, 1068 views
2 answers
0

Hi,
When you create your Network Load Balancer, in "Step 3: Configure Routing", for "Target type", you need to select "Instance". If you select "IP", your source IP will NOT be preserved.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html

Source IP Preservation
If you specify targets using an instance ID, the source IP addresses of the clients are preserved and provided to your applications.

If you specify targets by IP address, the source IP addresses are the private IP addresses of the load balancer nodes. If you need the IP addresses of the clients, enable Proxy Protocol and get the client IP addresses from the Proxy Protocol header.

Hope this helps,
-randy

Answered 5 years ago
Expert, reviewed 1 month ago
Expert Kallu, reviewed 3 months ago
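The practical consequence of the answer above is worth checking before relying on an instance security group as the only client allow-list: with an NLB, a target group of type "ip" hands the target only the load balancer node's private IP, so a security group rule that lists approved client addresses never matches anything but the NLB itself, and the service looks open to the whole internet (exactly the symptom in the question). The audit below is an added example, not code from the thread or from AWS; it reads the JSON shape returned by `aws elbv2 describe-target-groups` (a constructed sample is embedded so it runs offline) and flags target groups whose security-group allow-list is ineffective for that reason. The field names `TargetGroupName`, `TargetType`, `Protocol` and `Port` are the ones the CLI returns; the function names are my own.

```python
"""Audit NLB target groups for client source-IP preservation.

Added example, not from the re:Post thread. Input is the JSON returned by
`aws elbv2 describe-target-groups --output json`; the sample below is
constructed to mirror that shape.
"""
import json
from typing import Dict, List, Optional

# Constructed sample modelled on `aws elbv2 describe-target-groups` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "TargetGroups": [
        {"TargetGroupName": "mqtt-instances", "TargetType": "instance",
         "Protocol": "TCP", "Port": 1883},
        {"TargetGroupName": "mqtt-by-ip", "TargetType": "ip",
         "Protocol": "TCP", "Port": 1883},
        {"TargetGroupName": "mqtt-tls-by-ip", "TargetType": "ip",
         "Protocol": "TLS", "Port": 8883},
    ]
})


def source_ip_preserved(target_group: Dict) -> bool:
    """Behind a Network Load Balancer, instance-ID targets see the client's
    real source address; IP-address targets see the NLB node's private IP
    (the documented behaviour quoted in the answer above)."""
    return target_group.get("TargetType") == "instance"


def remediation(target_group: Dict) -> Optional[str]:
    """Suggested fix for a target group that does not preserve the client IP."""
    if source_ip_preserved(target_group):
        return None
    return ("Register targets by instance ID (create-target-group "
            "--target-type instance) so the instance security group sees the "
            "client address, or enable Proxy Protocol v2 on the target group "
            "and enforce the client allow-list inside the application.")


def audit_target_groups(describe_json: str) -> List[Dict]:
    """One finding per target group. 'sg_whitelist_effective' is False when a
    client allow-list in the target's security group cannot work through
    the NLB because the target only ever sees load balancer addresses."""
    data = json.loads(describe_json)
    findings = []
    for tg in data.get("TargetGroups", []):
        findings.append({
            "name": tg.get("TargetGroupName"),
            "target_type": tg.get("TargetType"),
            "port": tg.get("Port"),
            "sg_whitelist_effective": source_ip_preserved(tg),
            "fix": remediation(tg),
        })
    return findings


def ineffective_whitelists(describe_json: str) -> List[str]:
    """Names of target groups whose instance security-group allow-list is
    silently bypassed by the load balancer."""
    return [f["name"] for f in audit_target_groups(describe_json)
            if not f["sg_whitelist_effective"]]


if __name__ == "__main__":
    for finding in audit_target_groups(SAMPLE_DESCRIBE_OUTPUT):
        status = "OK  " if finding["sg_whitelist_effective"] else "RISK"
        print(f"{status} {finding['name']} "
              f"(target_type={finding['target_type']}, port={finding['port']})")
        if finding["fix"]:
            print(f"      {finding['fix']}")
```

To run it against a real account, save the CLI output (`aws elbv2 describe-target-groups --output json > tg.json`) and pass the file contents to `audit_target_groups`. Two caveats the thread itself implies: even with instance targets, health checks still originate from the NLB node addresses, so the separate rule allowing the load balancer IPs on the health check port (the second bullet in the question) remains necessary; and if you do keep IP-type targets and turn on Proxy Protocol v2 (the `proxy_protocol_v2.enabled` target group attribute), the security group still cannot see the client IP, so the allow-list has to move into the application that parses the Proxy Protocol header.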
0

Thank you, that solved the problem.

colmos
Answered 5 years ago
