
In the doc: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html it says the following when editing the security group of load balancers:

Update the associated security groups
You can update the security groups associated with your load balancer at any time.

To update security groups using the console:

1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. On the navigation pane, under LOAD BALANCING, choose Load Balancers.

3. Select the load balancer.

4. On the Description tab, under Security, choose Edit security groups.

5. To associate a security group with your load balancer, select it. To remove a security group from your load balancer, clear it.

6. Choose Save.

However, for my Network Load Balancer, I cannot select the "Edit security groups" option. It is greyed out:


How to edit its security group then?

Currently requests to the NLB cannot be delivered to the EC2 instance in the target group, because of security group configurations.

Why can't I edit?

Kid_Learning_C

1 Answer


No, Network Load Balancers do not have security groups. You should add Security Groups directly to the EC2 targets based on IP addresses or CIDR blocks.

See: Target Security Groups - Elastic Load Balancing

John Rotenstein
  • To clarify: the source IP is preserved from the NLB, so you need to configure client IP ranges directly on the security groups on your EC2, as if the NLB is not there. Clients connect to the NLB IP though. – b0tting Dec 27 '21 at 10:19
  • You said "configure...as if the NLB is not there". I am hosting backend API services in an EC2 instance. So, I have to configure my instance's security group such that it allows connections from the public internet? That is not safe. I want to allow traffic from only my AWS API Gateway or NLB to visit my EC2 instance on port 3000. The NLB has no IP address (I cannot find one on the description). – Kid_Learning_C Dec 27 '21 at 10:51
  • If you have an NLB, you will have to set up VPCLink for your API Gateway. Your traffic won't come from the public internet when it reaches the NLB; it will come from the API Gateway. – Ervin Szilagyi Dec 27 '21 at 11:04
  • @ErvinSzilagyi Yes, there is no problem with traffic coming from the API Gateway to the NLB. The problem is how to configure the EC2 instance security group to accept such traffic. – Kid_Learning_C Dec 27 '21 at 11:41
  • You put the load balancer and the application on different subnets. On the SG for your app, you allow traffic only from the subnet where the NLB is sitting. More reading: https://aws.amazon.com/blogs/compute/understanding-vpc-links-in-amazon-api-gateway-private-integrations/ And for recommendations for SG rules: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html – Ervin Szilagyi Dec 27 '21 at 11:50
  • If the security group ingress for your EC2 instances only allows traffic from certain IPs, does one of those IPs need to be the load balancer? – mike01010 Aug 09 '23 at 05:17
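As an added example (not code from the question or the answers), here is the rule shape the comments above describe, in Python: build a target security group ingress rule set that allows port 3000 only from the CIDRs you decide should reach the instance (the NLB's subnets per Ervin's comment, or the client ranges b0tting mentions where the source IP is preserved), and audit the existing rules for the 0.0.0.0/0 exposure the asker wants to avoid. The subnet CIDRs and existing rule set are constructed samples; the payload shapes follow boto3's `authorize_security_group_ingress` / `describe_security_groups`, but nothing here calls AWS.

```python
import ipaddress

TARGET_PORT = 3000  # backend port named in the question

# Constructed sample values (not from the page): the two subnets the NLB is
# deployed in, and the target instance's current security group permissions
# in the shape boto3's describe_security_groups() returns.
NLB_SUBNET_CIDRS = ["10.0.1.0/24", "10.0.2.0/24"]
EXISTING_SG_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
]


def build_ingress_permissions(allowed_cidrs, port=TARGET_PORT, description="NLB subnet"):
    """Build the IpPermissions list for ec2.authorize_security_group_ingress():
    one rule per allowed source CIDR on the target port. A /0 (open to the
    world) range is rejected rather than silently added."""
    ranges = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # raises on a malformed CIDR
        if net.prefixlen == 0:
            raise ValueError(f"refusing to open port {port} to {cidr}")
        ranges.append({"CidrIp": str(net), "Description": description})
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": ranges}]


def find_world_open_rules(ip_permissions, port=TARGET_PORT):
    """Audit existing permissions: return the /0 ranges that expose `port`.
    Handles the all-traffic rule (IpProtocol -1), which carries no port fields."""
    exposed = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        if not lo <= port <= hi:
            continue
        for key, rng in (("CidrIp", "IpRanges"), ("CidrIpv6", "Ipv6Ranges")):
            for r in perm.get(rng, []):
                if ipaddress.ip_network(r[key]).prefixlen == 0:
                    exposed.append(r[key])
    return exposed


if __name__ == "__main__":
    print("world-open rules on port 3000:", find_world_open_rules(EXISTING_SG_PERMISSIONS))
    print("replacement rule set:", build_ingress_permissions(NLB_SUBNET_CIDRS))
```

Revoke the flagged 0.0.0.0/0 rule and authorize the returned permissions; the audit then comes back empty, which is the check to keep in your pipeline.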