Network load balancer can't put it private

0

Hello,

I am using a network load balancer (NLB) and I have an issue. I would like my NLB to be accessible only by my EC2 instances within my VPC. The problem is that I can access the NLB by setting 0.0.0.0/0 in my security group. If I do that, my NLB is visible to the public, which I do not want.

How can I resolve this problem?

Thank you

3 Answers
2
Accepted Answer

It'd be best that you recreate your NLB, place it in a private subnet, and set the NLB's type as "internal" instead of "internet-facing". In addition to preventing connections from the outside, it'll save a bit of money in not allocating public IPv4 addresses for your NLB.

Additionally, in the security group you attach to the NLB, you should only permit inbound traffic from the CIDR (IP address block) of your VPC. You can see the CIDR, such as 10.123.0.0/22), in the VPC console, in the properties of your VPC. Allowing inbound traffic only from the VPC's CIDR will be effective in blocking traffic from elsewhere, regardless of whether the NLB has public IPs or not.

EXPERT
Leo K
answered 3 months ago
profile picture
EXPERT
reviewed 3 months ago
profile picture
EXPERT
Sandeep
reviewed 3 months ago
profile picture
EXPERT
reviewed 3 months ago
profile pictureAWS
EXPERT
reviewed 3 months ago
  • Thanks for your answer.

    OK i will try to recreate NLB to see.

    And i have CIDR like 20.1.0.0/16, If I put it in inbound traffic isn't working .. i noticed that my public IP was used

  • The typical reason it wouldn't work when the NLB has public IPs is that traffic to the NLB's public IPs wouldn't be routed directly to the NLB, but instead to a NAT gateway. It would then use the NAT gateway's IP address to connect to the NLB. In this scenario, you would additionally need to permit the elastic IPs of your NAT gateways, but this isn't needed when the NLB is made internal-only.

0

Hi,

You can assign a sec group to the NLB itself: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html

If you create one, you can use it to limit access to only machines on your VPC.

Best,

Didier

profile pictureAWS
EXPERT
answered 3 months ago
profile picture
EXPERT
reviewed 3 months ago
0

Thanks @Leo K & @Didier Durand.

We can close this topic

Alex
answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions