By using AWS re:Post, you agree to the AWS re:Post Terms of Use

My Network Load Balancer is not enforcing the target Security group

0

Hello:

I came upon a problem when setting up my service behind a Network Load Balancer. I'm sure I'm missing something but I can't seem to find it. This is what I want: A service running in a EC2 instance (say port 1883) and a network load balancer in front with a DNS alias for a nice name. I want to access the service only from a specific list of sources (whitelisted in the EC2 security groups)

WHITELISTED IP ---> DNS Alias --> NETWORK LB --> TARGET GROUP --> EC2 INSTANCE

Based on this guide: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html the ec2 instance has the following security groups:

  • A list of authorized Ips for the service port
  • The Network Load Balancer IPs for the healthcheck port (same port, actually)
  • The default security group that allows traffic to all ips in the same group.

I'm using the VPC's default ACL.

When I access the service directly via it's IP address, the security works as expected: allowing only the authorized ips and blocking everything else.

But when I access the service via the NLB, It seems to be open to all the internet. It allows traffic from every IP I test.

Why is the NLB not enforcing the rules from the EC2's Security Groups? What am I missing?

Any advise will be greatly appreciated.

asked 5 years ago1.3K views
2 Answers
0

Hi,
When you create your Network Load Balancer, in "Step 3: Configure Routing", for "Target type", you need to select "Instance". If you select "IP", your source IP will NOT be preserved.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html

Source IP Preservation
If you specify targets using an instance ID, the source IP addresses of the clients are preserved and provided to your applications.

If you specify targets by IP address, the source IP addresses are the private IP addresses of the load balancer nodes. If you need the IP addresses of the clients, enable Proxy Protocol and get the client IP addresses from the Proxy Protocol header.

Hope this helps,
-randy

EXPERT
answered 5 years ago
profile picture
EXPERT
reviewed 8 months ago
profile picture
EXPERT
reviewed 10 months ago
0

Thank you, that solved the problem.

answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions