2 個答案
- 最新
- 最多得票
- 最多評論
1
You should set your ALB's security group inbound rules to accept HTTP/S traffic only from the security group that is associated to the NLB.
This way the ALB will only accept inbound traffic from the NLB regardless the source IP (it will take care to allow both the health checks originated from the NLB network interfaces IP and the traffic originated by the clients that the NLB preserves.
已回答 2 個月前
0
This article should help: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html.
I would do as follows:
Security group for public ALB: Inbound :NLB client IP, 443, VPC Cidr of the NLB Outbound: instances behind ALB
相關內容
- 已提問 10 個月前
AWS 官方已更新 2 年前- AWS 官方已更新 2 年前
- AWS 官方已更新 1 年前
- AWS 官方已更新 2 年前
Doesn't the NLB preserve the source IP?
It does but I think it depends on how you then register the target: https://repost.aws/knowledge-center/elb-capture-client-ip-addresses.
For Network Load Balancers, register your targets by instance ID to capture client IP addresses without additional web server configuration. For instructions, see Target group attributes instead of the following resolutions.
For Network Load Balancers when you can register only IP addresses as targets, activate proxy protocol version 2 on the load balancer. For instructions, see Enable proxy protocol instead of the following resolutions.