
I have configured a cloud with the following configuration

  1. VPC with a public and private subnet in two availability zones. Public subnet has an internet gateway and private subnet has a NAT gateway configured
  2. An internet-facing Network Load Balancer allowing TCP traffic configured in both availability zones
  3. A target group to forward traffic from the load balancer
  4. An EC2 instance in the private subnet configured with haproxy listening on port 80. Its security group is configured to accept TCP traffic on port 80 from both the subnets in which the NLB is configured
  5. Added this instance to the target group, the status is healthy

When I try to hit the NLB DNS it is giving me a 'Connection timed-out' error. I am expecting that when I hit the NLB DNS it should forward me to the private instance. I have checked many AWS documents such as this link but still cannot find the resolution to this issue. Please feel free to ask for more information if this is not sufficient.

bot

1 Answer

Its security group is configured to accept TCP traffic at port 80 from both the subnets in which NLB is configured

When targets are registered by instance-id, the security group for instances behind an Internet-facing NLB needs to allow traffic from 0.0.0.0/0 -- or whatever range of public IP addresses need to access them through the balancer -- not just the subnets of the balancer (which are needed for health-checks).

If your target type is an instance, add a rule to your security group to allow traffic from your load balancer and clients to the target IP.

https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/

Unlike ALB and Classic balancers, NLB traffic has the source address of the external client when the targets are configured by instance-id, and this is the address the security group is matching against.

Michael - sqlbot

  • It worked. I configured my IP in the security group of the instance. So, I have to add 0.0.0.0 in the security group if I want to allow NLB access from anywhere. I am trying to create a secure connection where my instance is completely private. If I open HTTP traffic from anywhere for this instance in a private subnet, how will I fulfill security requirements? – bot Mar 14 '19 at 20:17
  • @bot if your instance is on a private subnet and does not have a public IP address (there would be no point -- it's on a private subnet), then this configuration accomplishes that: the instance is only accessible via the NLB. Of course, if you are doing HTTP, HAProxy works perfectly well behind an ALB too, and with that setup you can have the more conventional setup where the balancer has its own SG and the instance SG only allows traffic from the ALB. You don't need NLB here unless you are doing something advanced, like mTLS. – Michael - sqlbot Mar 14 '19 at 20:25
  • Thank you for the extra piece of information. It is helpful. – bot Mar 14 '19 at 20:53
  • Thank you so much for the information, which is not easy to find in AWS docs. To be honest I can't understand why the security group needs to allow traffic from the NLB as well as the clients. – Eric Xin Zhang Jul 05 '19 at 10:00
  • Because the NLB forwards the requests preserving the clients' IP addresses – Javi Sep 07 '21 at 22:32