I have an internet-facing Elastic Load Balancing (ELB) load balancer. I want to attach backend Amazon Elastic Compute Cloud (Amazon EC2) instances located in private subnets.
Short description
To attach backend Amazon EC2 instances in private subnets, create public subnets in the same Availability Zones. Then, associate those public subnets with your load balancer.
Note: Your load balancer connects to its targets over private IP addresses, so the backend instances don't need public IP addresses. If those instances must reach the internet themselves (for example, to download software or security patches), add a route to a NAT gateway in the route table of the private subnets instead of moving the instances to a public subnet.
Resolution
Before you begin, identify the Availability Zone of each EC2 instance that you plan to register with the load balancer.
Create public subnets for your EC2 backend instances
To create public subnets for EC2 backend instances, complete the following steps:
- Create a public subnet in each Availability Zone that your backend instances are located in. If you have more than one private subnet in the same Availability Zone, then create only one public subnet for that Availability Zone.
- Confirm that each public subnet has a CIDR block with a bitmask of at least /27 (for example, 10.0.0.0/27).
- Confirm that each subnet has at least eight free IP addresses.
For example, in a VPC with the CIDR block 10.0.0.0/16, each public subnet (the Application Load Balancer subnet) is a /24, which satisfies the /27 minimum. Every subnet must fall inside the VPC's CIDR block:
Public subnet in Availability Zone A: 10.0.0.0/24
Private subnet in Availability Zone A: 10.0.1.0/24
Public subnet in Availability Zone B: 10.0.2.0/24
Private subnet in Availability Zone B: 10.0.3.0/24
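The three subnet rules above (one public subnet per Availability Zone that hosts a backend instance, a bitmask of at least /27, at least eight free addresses, and every subnet inside the VPC CIDR) are easy to check before you touch the console. The following Python script is an added example, not part of the original article or of any AWS tooling; the VPC CIDR, instance-to-AZ map and subnet records are constructed sample data in the shape that `aws ec2 describe-subnets` returns, and the thresholds are the Application Load Balancer ones stated above.

```python
import ipaddress

# Constructed sample input (not real resources): the VPC CIDR, the Availability
# Zone of each backend instance, and the candidate public subnets for the load
# balancer, using the field names from `aws ec2 describe-subnets`.
VPC_CIDR = "10.0.0.0/16"
INSTANCE_AZS = {
    "i-0aaa": "us-east-1a",
    "i-0bbb": "us-east-1a",   # second instance in the same AZ: still one public subnet
    "i-0ccc": "us-east-1b",
    "i-0ddd": "us-east-1c",   # no public subnet planned here: should be flagged
}
PUBLIC_SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a",
     "CidrBlock": "10.0.0.0/24", "AvailableIpAddressCount": 251},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b",
     "CidrBlock": "10.0.2.0/28", "AvailableIpAddressCount": 11},   # /28 is too small
]

MIN_PREFIX = 27   # Application Load Balancer: bitmask of at least /27
MIN_FREE_IPS = 8  # and at least eight free IP addresses per subnet


def check_subnet_plan(vpc_cidr, instance_azs, public_subnets,
                      min_prefix=MIN_PREFIX, min_free=MIN_FREE_IPS):
    """Return a list of problems with the plan; an empty list means it passes."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    problems = []
    subnet_by_az = {}

    for subnet in public_subnets:
        sid = subnet["SubnetId"]
        net = ipaddress.ip_network(subnet["CidrBlock"], strict=False)
        az = subnet["AvailabilityZone"]

        # Subnets must be carved out of the VPC's CIDR block.
        if not net.subnet_of(vpc):
            problems.append(f"{sid}: {net} is outside the VPC CIDR {vpc}")
        # A larger prefix length means a smaller subnet: /28 fails a /27 minimum.
        if net.prefixlen > min_prefix:
            problems.append(f"{sid}: /{net.prefixlen} is smaller than the required /{min_prefix}")
        if subnet["AvailableIpAddressCount"] < min_free:
            problems.append(f"{sid}: only {subnet['AvailableIpAddressCount']} free IPs, "
                            f"need at least {min_free}")
        # A load balancer takes exactly one subnet per Availability Zone.
        if az in subnet_by_az:
            problems.append(f"{sid}: {az} already has public subnet {subnet_by_az[az]}")
        subnet_by_az.setdefault(az, sid)

    # Every AZ that hosts a backend instance needs a public subnet for the load balancer.
    for az in sorted(set(instance_azs.values())):
        if az not in subnet_by_az:
            instances = sorted(i for i, a in instance_azs.items() if a == az)
            problems.append(f"{az}: no public subnet, but it hosts {', '.join(instances)}")
    return problems


if __name__ == "__main__":
    for problem in check_subnet_plan(VPC_CIDR, INSTANCE_AZS, PUBLIC_SUBNETS) or ["plan OK"]:
        print(problem)
```

Run it against the real output of `aws ec2 describe-subnets` and `aws ec2 describe-instances` once you have loaded those into the same dictionary shapes; the sample data is deliberately wrong in two places (a /28 subnet and an uncovered Availability Zone) so you can see what a failing plan reports.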
Configure your load balancer
To configure your load balancer, complete the following steps:
- Open the Amazon EC2 console.
- In the navigation pane, under Load Balancing, choose Load Balancers. Then, select your load balancer.
- Associate the public subnets with your load balancer. For more information, see the following:
Configure your load balancer and listener for Application Load Balancer
Configure your load balancer and listener for Network Load Balancer
Configure subnets for your Classic Load Balancer
- Register the backend instances with your load balancer. For more information, see the following:
Register targets with your Application Load Balancer
Register targets for your Network Load Balancer
Register instances with your Classic Load Balancer
Configure your load balancer's security group and network ACL
Review the security group settings for Application Load Balancers or Classic Load Balancers. Check the following items:
- The load balancer's listener ports are open, and the load balancer security group allows inbound access to those ports.
- The security group for your instance allows traffic on the instance listener ports and the health check port from the load balancer.
- The load balancer security group allows inbound traffic from the client.
- The load balancer security group allows outbound traffic to the instances on the target port and the health check port.
Add a rule on the instance security group to allow traffic from the security group that's assigned to the load balancer. For example, you have the following parameters:
- Load balancer security group: sg-1234567a
- Ingress rule: HTTP TCP 80 0.0.0.0/0
- Instance security group: sg-a7654321
- Ingress rule: HTTP TCP 80 sg-1234567a
In this example, your rule then looks similar to the following:
- Type: HTTP
- Protocol: TCP
- Port Range: 80
- Source: sg-1234567a
Review the network access control list (ACL) rules associated with the subnets that are used by the load balancer. Network ACLs are stateless, so the rules must allow the listener and health check ports in one direction and the ephemeral port range (1024-65535) for return traffic in the other. The rules apply to both Application Load Balancers and Classic Load Balancers.
If you use Network Load Balancers, then review Troubleshoot your Network Load Balancer and Target security groups for configuration details. A Network Load Balancer preserves the client IP address for instance targets, so the source address that the backend instance sees depends on the target type. Confirm that the backend instance's security group allows traffic to the target group's port from either:
- Client IP addresses (when targets are specified by instance ID, or by IP address with client IP preservation turned on)
- The private IP addresses of the load balancer nodes (when targets are specified by IP address with client IP preservation turned off)
Health checks always originate from the load balancer nodes, so the instance security group must allow the health check port from those private IP addresses (or from the security group associated with the Network Load Balancer, if it has one) in both cases.
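The checklist above (client reaches the load balancer, load balancer reaches the target and health check ports, instance admits traffic from the load balancer security group, or from client addresses for Network Load Balancer instance targets) can be evaluated mechanically from the output of `aws ec2 describe-security-groups`. The following Python script is an added example and not part of the original article or of any AWS tooling. The two security groups are constructed sample data that mirror the sg-1234567a / sg-a7654321 example above, with a health check port of 8080 that the instance rule does not cover, and the client and instance addresses are assumed values.

```python
import ipaddress

# Constructed sample data in the shape of `aws ec2 describe-security-groups`
# (rules only; not real groups). The instance rule allows port 80 from the
# load balancer group but nothing for the 8080 health check port.
SECURITY_GROUPS = {
    "sg-1234567a": {  # load balancer security group
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    "sg-a7654321": {  # backend instance security group
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-1234567a"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
}


def _port_ok(perm, port):
    """Does this rule cover TCP `port`? '-1' means all protocols and ports."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _peer_ok(perm, sg=None, ip=None):
    """Does the rule's source/destination cover security group `sg` or address `ip`?"""
    if sg and any(pair.get("GroupId") == sg for pair in perm.get("UserIdGroupPairs", [])):
        return True
    if ip:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(r["CidrIp"], strict=False)
                   for r in perm.get("IpRanges", []))
    return False


def rule_allows(perms, port, sg=None, ip=None):
    return any(_port_ok(p, port) and _peer_ok(p, sg=sg, ip=ip) for p in perms)


def world_open(perms, port):
    """True if `port` is reachable from 0.0.0.0/0, which would bypass the load balancer."""
    return any(_port_ok(p, port) and any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))
               for p in perms)


def check_lb_path(groups, lb_sg, instance_sg, listener_port, target_port, health_port,
                  instance_ip, client_ip, nlb_instance_targets=False):
    """Evaluate each hop in the checklist; every value should be True except the last."""
    lb, inst = groups[lb_sg], groups[instance_sg]
    if nlb_instance_targets:
        # Network Load Balancer with instance targets: the instance sees the client IP.
        target_from_lb = rule_allows(inst["IpPermissions"], target_port, ip=client_ip)
    else:
        # Application/Classic Load Balancer: the instance sees the load balancer group.
        target_from_lb = rule_allows(inst["IpPermissions"], target_port, sg=lb_sg)
    return {
        "lb_ingress_from_client": rule_allows(lb["IpPermissions"], listener_port, ip=client_ip),
        "lb_egress_target_port": rule_allows(lb["IpPermissionsEgress"], target_port,
                                             sg=instance_sg, ip=instance_ip),
        "lb_egress_health_port": rule_allows(lb["IpPermissionsEgress"], health_port,
                                             sg=instance_sg, ip=instance_ip),
        "instance_ingress_target_port": target_from_lb,
        "instance_ingress_health_port_from_lb": rule_allows(inst["IpPermissions"], health_port, sg=lb_sg),
        "instance_target_port_open_to_world": world_open(inst["IpPermissions"], target_port),
    }


if __name__ == "__main__":
    # Assumed addresses: a client on the internet and the instance's private IP.
    for name, ok in check_lb_path(SECURITY_GROUPS, "sg-1234567a", "sg-a7654321",
                                  80, 80, 8080, "10.0.1.25", "203.0.113.10").items():
        print(f"{name}: {ok}")
```

The last key is a caveat rather than a requirement: if the instance's target port is open to 0.0.0.0/0, clients can bypass the load balancer and any listener rules or WAF attached to it, so that check should stay False. Load the real groups with `aws ec2 describe-security-groups --group-ids sg-... --output json` and pass the list entries under their GroupId.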
Related information
How Elastic Load Balancing works
Amazon EC2 security groups for your EC2 instances