2 Answers
- Newest
- Most votes
- Most comments
1
You should set your ALB's security group inbound rules to accept HTTP/S traffic only from the security group that is associated to the NLB.
This way the ALB will only accept inbound traffic from the NLB regardless the source IP (it will take care to allow both the health checks originated from the NLB network interfaces IP and the traffic originated by the clients that the NLB preserves.
answered a month ago
0
This article should help: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html.
I would do as follows:
Security group for public ALB: Inbound :NLB client IP, 443, VPC Cidr of the NLB Outbound: instances behind ALB
Relevant content
- Accepted Answerasked 2 years ago
- asked 7 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 7 months ago
Doesn't the NLB preserve the source IP?
It does but I think it depends on how you then register the target: https://repost.aws/knowledge-center/elb-capture-client-ip-addresses.
For Network Load Balancers, register your targets by instance ID to capture client IP addresses without additional web server configuration. For instructions, see Target group attributes instead of the following resolutions.
For Network Load Balancers when you can register only IP addresses as targets, activate proxy protocol version 2 on the load balancer. For instructions, see Enable proxy protocol instead of the following resolutions.