Network Load Balancers without Security Groups.

0

Hello Experts,

I have a few Network Load Balancers in my environment which do not have any security groups attached.

Additionally, the NACLs for the subnet allow all inbound and outbound traffic. Due to this, the VPC Flow logs are recording ACCEPT on traffic that the Network Load Balancer is not listening to.

My question is: since the Network Load Balancer is configured to listen on specific ports (80 and 443), will it drop connection attempts on any other ports?

Regards,
Rishi Kapoor

2 Answers
2
Accepted Answer

All network traffic sent to a configured listener is classified as intended traffic. Network traffic that does not match a configured listener is classified as unintended traffic. Network Load Balancers drop unintended traffic without forwarding it to any targets.

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html

EXPERT
answered 13 days ago
EXPERT
Steve_M
reviewed 13 days ago
1

NLB will drop the traffic if there is no listener configured for that destination port and protocol.

As mentioned in the below link: "All network traffic sent to a configured listener is classified as intended traffic. Network traffic that does not match a configured listener is classified as unintended traffic. ICMP requests other than Type 3 are also considered unintended traffic. Network Load Balancers drop unintended traffic without forwarding it to any targets. TCP data packets sent to the listener port for a configured listeners that are not new connections or part of an active TCP connection are rejected with a TCP reset (RST)."

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html

AWS
H_Shah
answered 13 days ago
EXPERT
Steve_M
reviewed 13 days ago
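
Added example (not part of the original thread and not AWS code): VPC Flow Logs record the security group and network ACL decision, so with no security group and an allow-all NACL every packet reaching the NLB is logged as ACCEPT, including traffic the NLB then drops for lack of a listener. The sketch below separates the two in default-format (version 2) records; the listener set matches the question (TCP 80 and 443), while the IP addresses, the interface ID and the sample records are constructed assumptions.

```python
from collections import Counter

# Field order of the default (version 2) VPC Flow Logs format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumed values for this example (constructed, not from the thread):
LISTENERS = {(6, 80), (6, 443)}   # (IANA protocol number, port); 6 = TCP
NLB_IPS = {"10.0.1.25"}           # private IPs of the NLB network interfaces
TARGET_IPS = {"10.0.2.10"}        # registered targets; their replies are not client traffic

# Constructed sample records.
SAMPLE = [
    "2 123456789012 eni-0example 203.0.113.7 10.0.1.25 51544 443 6 12 4200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0example 198.51.100.9 10.0.1.25 40022 22 6 1 40 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0example 198.51.100.9 10.0.1.25 40023 3389 6 2 80 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0example 10.0.1.25 203.0.113.7 443 51544 6 10 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0example 10.0.2.10 10.0.1.25 80 33012 6 5 600 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0example - - - - - - - 1700000000 1700000060 - NODATA",
]

def classify(line):
    """Return (verdict, protocol, dstport, packets), or None when the record
    is not an accepted TCP/UDP flow from a client to the NLB."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA/SKIPDATA records carry "-" in the numeric fields, so check status first.
    if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
        return None
    if rec["dstaddr"] not in NLB_IPS or rec["srcaddr"] in TARGET_IPS:
        return None
    proto, port = int(rec["protocol"]), int(rec["dstport"])
    if proto not in (6, 17):      # the default format has no ICMP type field
        return None
    verdict = "intended" if (proto, port) in LISTENERS else "unintended"
    return verdict, proto, port, int(rec["packets"])

def unintended_by_port(lines):
    """Packets the flow log shows as ACCEPT but that match no listener."""
    counts = Counter()
    for result in map(classify, lines):
        if result and result[0] == "unintended":
            counts[(result[1], result[2])] += result[3]
    return counts

if __name__ == "__main__":
    for (proto, port), packets in sorted(unintended_by_port(SAMPLE).items()):
        print(f"protocol {proto} port {port}: {packets} packets logged ACCEPT, no listener")
```
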
