How do I attach backend instances with private IP addresses to my internet-facing load balancer in ELB?

4 minute read

I have an internet-facing load balancer. I want to attach backend Amazon Elastic Compute Cloud (Amazon EC2) instances located in a private subnet.

Short description

To attach Amazon EC2 instances that are located in a private subnet, first create public subnets. These public subnets must be in the same Availability Zones as the private subnets that are used by the backend instances. Then, associate the public subnets with your load balancer.

Note: Your load balancer establishes a connection with its target privately. To download software or security patches from the internet, use a NAT gateway rule on the target instance's route table to allow internet access.


Before you begin, note the Availability Zone of each Amazon EC2 Linux or Amazon EC2 Windows instance that you're attaching to your load balancer.

Create public subnets for your backend instances

1.    Create a public subnet in each Availability Zone that your backend instances are located. If you have more than one private subnet in the same Availability Zone, then create only one public subnet for that Availability Zone.

2.    Confirm that each public subnet has a CIDR block with a bitmask of at least /27 (for example,

3.    Confirm that each subnet has at least eight free IP addresses.

Example: Public subnet (Application Load Balancer subnet) needs a CIDR block with a bitmask of at least /27:

  • Public subnet in AZ A:
    Private subnet in AZ A:

  • Public subnet in AZ B:
    Private subnet in AZ B:

Configure your load balancer

1.    Open the Amazon EC2 console.

2.    Associate the public subnets with your load balancer (see Application Load Balancer, Network Load Balancer, or Classic Load Balancer).

3.    Register the backend instances with your load balancer (see Application Load Balancer, Network Load Balancer, or Classic Load Balancer).

Configure your load balancer's security group and network access control list (ACL) settings

Review the recommended security group settings for Application Load Balancers or Classic Load Balancers. Be sure that:

  • Your load balancer has open listener ports and security groups that allow access to the ports.
  • The security group for your instance allows traffic on instance listener ports and health check ports from the load balancer.
  • The load balancer security group allows inbound traffic from the client.
  • The load balancer security group allows outbound traffic to the instances and the health check port.

Add a rule on the instance security group to allow traffic from the security group that's assigned to the load balancer. For example, you have the following:

  • Load Balancer security group is sg-1234567a
  • Ingress rule is HTTP TCP 80
  • Instance Security group is sg-a7654321
  • Ingress rule is HTTP TCP 80 sg-1234567a

In this case, your rule looks similar to the following:

TypeProtocolPort RangeSource

Then, review the recommended network ACL rules for your load balancer. These recommendations apply to both Application Load Balancers and Classic Load Balancers.

If you're using Network Load Balancers, then review Troubleshoot your Network Load Balancer and Target security groups for configuration details. Confirm that the backend instance's security group allows traffic to the target group's port from either:

  • Client IP addresses (if targets are specified by instance ID)
  • Load balancer nodes (if targets are specified by IP address)

Related information

How Elastic Load Balancing works

Amazon EC2 security groups for Linux instances

Amazon EC2 security groups for Windows instances

AWS OFFICIALUpdated a year ago