By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Security group for public ALB when it is a target for private NLB

0

What should be my security group rule when Internet-facing ALB is introduced as a target to private NLB?

This documentation (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html) states that the security group should allow traffic from Client's computer. In my case, the client will be APIGW + VPC Link

APIGW -> VPC Link -> Private NLB -> Public ALB

Topics
Networking & Content DeliveryAWS Well-Architected Framework
Tags
Amazon VPCNetworking & Content DeliveryElastic Load BalancingSecuritySecurity Group
Language
English
Exter
asked a year ago820 views
2 Answers
1

You should set your ALB's security group inbound rules to accept HTTP/S traffic only from the security group that is associated to the NLB.

This way the ALB will only accept inbound traffic from the NLB regardless the source IP (it will take care to allow both the health checks originated from the NLB network interfaces IP and the traffic originated by the clients that the NLB preserves.

profile pictureAWS
EXPERT
Yaniv Rozenboim
answered a year ago
profile pictureAWS
EXPERT
Tushar_J
reviewed a year ago
0

This article should help: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html.

I would do as follows:

Security group for public ALB: Inbound :NLB client IP, 443, VPC Cidr of the NLB Outbound: instances behind ALB

profile picture
EXPERT
Antonio_Lagrotteria
answered a year ago
profile picture
EXPERT
Mina Gobrial - OptimeCloud
reviewed a year ago
  • Exter
    a year ago

    Doesn't the NLB preserve the source IP?

  • Antonio_Lagrotteria EXPERT
    a year ago

    It does but I think it depends on how you then register the target: https://repost.aws/knowledge-center/elb-capture-client-ip-addresses.

    For Network Load Balancers, register your targets by instance ID to capture client IP addresses without additional web server configuration. For instructions, see Target group attributes instead of the following resolutions.

    For Network Load Balancers when you can register only IP addresses as targets, activate proxy protocol version 2 on the load balancer. For instructions, see Enable proxy protocol instead of the following resolutions.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content