stackoom
  简体   繁体   中英

Configuring internal network load balancer with EC2 instance in private VPC

 原文  2018-09-18 03:34:29       amazon-web-services/ nlb

Question

I created an internal network load balancer (NLB) to connect to EC2 instances on a private subnet. I want to restrict access to the EC2 instances only from the network load balancer. I used these instructions https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html#target-security-groups but it did not work.

Basically, I added the IP address of the network interface of the NLB to the security group with my specific port (eg: 8080 10.4.2.9/32) allowed but that did not work. When i switched to all allow (eg: 8080 0.0.0.0/32) it worked, but i do not want other instances to have access to the ec2 instance.

Any ideas on why this is not working? Thanks

2 answers

solution1
 1  2018-09-18 05:25:44

For what you are trying to accomplish, NLB is the wrong load balancer.

NLB is a layer 4 load balancer. This means that the IP address that you see (at the EC2 instance) is the IP address of the client and not the IP address of the load balancer. With NLB you must allow the client's IP address in your security group.

You want a layer 7 load balancer to implement what you want to do (block other systems in your VPC from accessing your EC2 instances directly). This means ALB or the classic ELB.

solution2
 1  2018-09-18 05:44:01

If you're using a Network Load Balancer, update the security groups for your target instances , because Network Load Balancers do not have associated security groups.

  • If your target type is an IP, add a rule to your security group to allow traffic from your load balancer to the target IP.

  • If your target type is an instance, add a rule to your security group to allow traffic from your load balancer and clients to the target IP.

  • You can allow traffic in the EC2 instance security group. As your instance is in private subnet for that you need to lunch load balancer in the same region but in public subnet.

Know about your use case first.

Best use cases for Network Load Balancer:

  • When you need to seamlessly support spiky or high-volume inbound TCP requests.
  • When you need to support a static or elastic IP address.
  • If you are using container services and/or want to support more than one port on an EC2 instance. NLB is especially well suited to ECS (The Amazon EC2 Container Service).

security-group-load-balancer

new-network-load-balancer-effortless-scaling-to-millions-of-requests-per-second

what-is-a-network-load-balancer

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS Network Load Balancer failed to connect with EC2 instance if EC2 instance is not open to public How do I connect a public-facing load balancer to EC2 instances in a private VPC EC2 Load Balancer Instance Protocol and Port Configuring ssl on aws ec2 with elastic load balancer service unavailable? SSH'ing into AWS EC2 Instance located in Private Subnet in a VPC AWS - Cannot ping EC2 instance on private subnet in VPC User Data is not running on EC2 instance in Private VPC subnet Not able to access EC2 instance in same VPC via private IP Routing for private EC2 instances behind Load Balancers in a VPC AWS beanstalk EC2 instance within a VPC and without Load Balancing
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM