Hello,
Starting Aug 2023, Global Accelerator supports Client IP Preservation with NLB endpoints. The error that you are experiencing could be related to NLB TLS Listener:
If you want to enable client IP address preservation when you add Network Load Balancer resources as endpoints to Global Accelerator, be aware that client IP address preservation is not supported for the following:
- Network Load Balancers without security groups
- Network Load Balancers with security groups that have TLS listeners attached
- Network Load Balancers with security groups that perform IPv4 to IPv6 NAT translation to their EC2 targets
Reference: https://docs.aws.amazon.com/global-accelerator/latest/dg/about-endpoints.sipp.html
FYI: when using client IP preservation, a security group is needed to allow traffic from the public internet to the NLB and from the NLB to the target servers. (You can only associate security groups with a Network Load Balancer when you create it. If you created the NLB without associating any security groups, you can't associate them later on.)
Best practice is to add a rule to the security groups associated with your targets that references the security group associated with your Network Load Balancer. This allows clients to send traffic to your targets through your load balancer, but prevents them from sending traffic directly to your targets. Referencing the security group associated with your Network Load Balancer in the security groups associated with your targets ensures that your targets accept traffic from your load balancer even if you enable client IP preservation for your load balancer.
For more details, see: Security groups for your Network Load Balancer
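An added Terraform sketch (not from this post or from AWS's own documentation) of the layout described above: the NLB created with a security group, the target security group referencing the NLB's security group rather than a CIDR, and a Global Accelerator endpoint group with client IP preservation enabled. Every `var.*` value is an assumption.

```hcl
# Added example, not from the post or AWS docs. All var.* values are assumptions.
resource "aws_security_group" "nlb" {
  name   = "ga-nlb"
  vpc_id = var.vpc_id
}
resource "aws_security_group" "targets" {
  name   = "ga-nlb-targets"
  vpc_id = var.vpc_id
}
# Public clients may reach the NLB on 443.
resource "aws_vpc_security_group_ingress_rule" "nlb_from_internet" {
  security_group_id = aws_security_group.nlb.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0"
}
resource "aws_vpc_security_group_egress_rule" "nlb_to_targets" {
  security_group_id            = aws_security_group.nlb.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
  referenced_security_group_id = aws_security_group.targets.id
}
# Targets accept 443 only from the NLB's security group, never from a CIDR, so the
# preserved client IP cannot be used to reach targets while bypassing the NLB.
resource "aws_vpc_security_group_ingress_rule" "targets_from_nlb" {
  security_group_id            = aws_security_group.targets.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
  referenced_security_group_id = aws_security_group.nlb.id
}
# Security groups can only be set at NLB creation; listeners on it must be TCP,
# not TLS, or client IP preservation is not supported.
resource "aws_lb" "nlb" {
  name               = "ga-nlb"
  load_balancer_type = "network"
  subnets            = var.public_subnet_ids
  security_groups    = [aws_security_group.nlb.id]
}
resource "aws_globalaccelerator_endpoint_group" "nlb" {
  listener_arn          = var.ga_listener_arn
  endpoint_group_region = var.region
  endpoint_configuration {
    endpoint_id                    = aws_lb.nlb.arn
    client_ip_preservation_enabled = true
  }
}
```

Attaching a TLS listener to this NLB, or dropping the `security_groups` line, puts it into one of the unsupported cases listed above.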
Various restrictions are documented here: https://docs.aws.amazon.com/global-accelerator/latest/dg/about-endpoints.sipp-caveats.html
In particular, have you got TLS listeners on the NLB?