How do I register an Application Load Balancer behind a Network Load Balancer?


I need a static IP address for my Application Load Balancer. I want to register an Application Load Balancer behind a Network Load Balancer.

Short description

You can't assign a static IP address to an Application Load Balancer. If your Application Load Balancer requires a static IP address, then it's a best practice to register it behind a Network Load Balancer. The static IP address that's assigned to a Network Load Balancer doesn't change and provides a fixed entry point for your Application Load Balancer.

Note: The following resolution uses the new launch experience on the Amazon Elastic Compute Cloud (Amazon EC2) console. To complete the steps, toggle on this feature in the Amazon EC2 console.

Resolution

Amazon EC2 console

Use the Amazon EC2 console to create new target groups and register your Application Load Balancer as a target. Then, create and configure a Network Load Balancer to forward traffic to your Application Load Balancer.

Create new target groups for TCP 80 and TCP 443 traffic, and register your Application Load Balancer as a target

To create the target groups and register your Application Load Balancer as a target, complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, expand Load Balancing, and then choose Target Groups.
  3. Choose Create target group.
  4. For Choose a target type, choose Application Load Balancer.
  5. For Target group name, enter a name for the target group.
  6. For Protocol, choose TCP, and then for Port, choose 80 for HTTP traffic.
  7. For VPC, select the virtual private cloud (VPC) for your Application Load Balancer.
  8. For Health check protocol, choose HTTP or HTTPS, whichever your Application Load Balancer answers with an HTTP 200-399 status.
  9. Choose Next.
  10. For Application Load Balancer, select your Application Load Balancer.
  11. Choose Create target group.
  12. Repeat steps 3-11 to create an additional target group. When you repeat step 6, choose TCP protocol and Port 443 to create another target group for HTTPS traffic.

Create and configure a Network Load Balancer to forward HTTP and HTTPS traffic to your Application Load Balancer

To create and configure a Network Load Balancer to forward HTTP and HTTPS traffic to your Application Load Balancer, complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, expand Load Balancing, and then choose Load Balancers.
  3. Choose Create a Load Balancer.
  4. For Load balancer types, choose Network Load Balancer, and then choose Create.
  5. For Load balancer name, enter a name for the Network Load Balancer.
  6. In Scheme, choose either Internet-facing or Internal. You can use an internal Application Load Balancer with an internet-facing Network Load Balancer.
  7. For IP address type, choose IPv4.
  8. For VPC, select your VPC.
  9. For Mappings, choose one or more Availability Zones and subnets. Choose private subnets for internal load balancers or public subnets for internet-facing load balancers.
  10. For IPv4 address, choose either Assigned by AWS or Use an Elastic IP address.
  11. For Protocol, choose TCP, and then for Port, choose 80 for HTTP traffic.
  12. For Default action, choose the target group that contains your Application Load Balancer as registered targets.
  13. Choose Add listener, and then repeat steps 11 and 12. Choose protocol TCP and port 443 with a default action that forwards traffic to the TCP 443 target group for your Application Load Balancer.
  14. Choose Create load balancer.
  15. Test the load balancer.
    Note: To use HTTP to HTTPS redirects on your Application Load Balancer with this configuration, you must create two target groups. Create one Application Load Balancer target group for TCP 80 and another one for TCP 443.
    Configure your Application Load Balancer's security groups and network access control lists (network ACLs) to allow health checks from the Network Load Balancer's private IP address.

AWS CLI

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

To use the AWS CLI to register an Application Load Balancer behind a Network Load Balancer, complete the following steps:

  1. Create a new target group and use the alb target type:
    aws elbv2 create-target-group \
    --name <name> \
    --protocol TCP \
    --port <port> \
    --target-type alb \
    --vpc-id <vpc_id>
    Note: Replace name with the name of your target group, port with the port number, and vpc_id with your VPC ID.
  2. Register the Application Load Balancer with the target group:
    aws elbv2 register-targets \
    --target-group-arn <tg_arn> \
    --targets Id=<alb_arn>
    Note: Replace tg_arn with the target group ARN that the previous command returned. Replace alb_arn with the Application Load Balancer ARN.
  3. Create a Network Load Balancer:
    aws elbv2 create-load-balancer \
    --name <nlb_name> \
    --type network \
    --scheme internal \
    --subnets <subnet_ids>
    Note: Replace nlb_name with the name of your Network Load Balancer and subnet_ids with your subnets' IDs.
  4. Create a listener:
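    aws elbv2 create-listener \
    --load-balancer-arn <nlb_arn> \
    --protocol TCP \
    --port <port> \
    --default-actions Type=forward,TargetGroupArn=<tg_arn>
    Note: Replace nlb_arn with your Network Load Balancer's ARN, port with the listener port, and tg_arn with your target group's ARN.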
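The two notes above (one alb target group each for TCP 80 and TCP 443, and an Application Load Balancer security group that admits health checks from the Network Load Balancer's private IP addresses) can be checked after setup. The following is an added example, not part of the original article: the function names and all sample data are constructed, and it assumes that health checks use each target group's traffic port.

```python
import ipaddress

# Constructed sample data shaped like the output of `aws elbv2 describe-listeners`,
# `aws elbv2 describe-target-groups` and `aws ec2 describe-security-groups`.
# Every ARN, address and rule below is a placeholder, not a value from the article.
TG80 = "arn:aws:elasticloadbalancing:region:111122223333:targetgroup/alb-tcp-80/placeholder"
TG443 = "arn:aws:elasticloadbalancing:region:111122223333:targetgroup/alb-tcp-443/placeholder"
LISTENERS = [
    {"Protocol": "TCP", "Port": 80, "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG80}]},
    {"Protocol": "TCP", "Port": 443, "DefaultActions": [{"Type": "forward", "TargetGroupArn": TG443}]},
]
TARGET_GROUPS = [
    {"TargetGroupArn": TG80, "Protocol": "TCP", "Port": 80, "TargetType": "alb"},
    {"TargetGroupArn": TG443, "Protocol": "TCP", "Port": 443, "TargetType": "alb"},
]
NLB_PRIVATE_IPS = ["10.0.1.25", "10.0.2.40"]  # one address per NLB subnet mapping
ALB_SG_RULES = [  # IpPermissions (ingress) of the ALB's security group
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]

def sg_allows(rules, ip, port):
    """True if any ingress rule admits TCP traffic from ip to port."""
    addr = ipaddress.ip_address(ip)
    for r in rules:
        if r["IpProtocol"] not in ("tcp", "-1"):
            continue
        if r["IpProtocol"] == "tcp" and not r["FromPort"] <= port <= r["ToPort"]:
            continue
        if any(addr in ipaddress.ip_network(c["CidrIp"]) for c in r.get("IpRanges", [])):
            return True
    return False

def audit(listeners, target_groups, nlb_ips, sg_rules, required_ports=(80, 443)):
    """Return a list of findings; an empty list means the NLB-to-ALB chain is consistent."""
    tgs = {tg["TargetGroupArn"]: tg for tg in target_groups}
    findings, seen = [], set()
    for lis in listeners:
        fwd = [a for a in lis["DefaultActions"] if a["Type"] == "forward"]
        tg = tgs.get(fwd[0]["TargetGroupArn"]) if fwd else None
        if lis["Protocol"] != "TCP" or tg is None or tg["TargetType"] != "alb":
            findings.append(f"listener {lis['Port']}: not a TCP forward to an alb target group")
            continue
        seen.add(lis["Port"])
        for ip in nlb_ips:
            if not sg_allows(sg_rules, ip, tg["Port"]):  # assumes health check on traffic port
                findings.append(f"ALB security group blocks {ip} on TCP {tg['Port']}")
    findings += [f"no NLB listener for TCP {p}" for p in required_ports if p not in seen]
    return findings
```

With the constructed data, the audit reports that the NLB address in the second subnet cannot reach the Application Load Balancer on TCP 80, which would show up as failing health checks for that Availability Zone.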

Related information

Using AWS Lambda to activate static IP addresses for Application Load Balancers

Application Load Balancer now activates AWS PrivateLink and static IP addresses by direct integration with Network Load Balancer

AWS OFFICIAL. Updated 7 months ago
4 Comments

Is there an equivalent workflow for doing this via the AWS CLI? Just based on the online help from the CLI, I'm not seeing any way to register a target to a target-group, if that target is an ALB. The only options for targets appear to be: instance, IP, or lambda function.

References:

aws elbv2 register-targets help
aws elbv2 create-target-group help

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago

I am also looking for the same solution: creating an NLB with an ALB as target in an automated way, either Lambda or CLI. Can you please help?

I thank you very much

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago