AWS NLB in public subnets with EC2 in private subnets

Luis picture Luis · Feb 14, 2018 · Viewed 13.3k times · Source

Has someone configured a NLB in the public subnets of your VPC to route traffic to EC2 instances that are in the private subnets?

When using an ELB, a good solution is to create a Security Group for the ELB and then create another SecurityGroup for the private EC2 Instances, allowing incoming traffic from that ELB Security Group, as explained here:

https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/

"You can also add a rule on the instance’s security group to allow traffic from the security group assigned to the load balancer. For example, if the security group on the load balancer is sg-1234567a, make the following changes on the security group associated with the private instances"

Since you cannot associate a Security Group to a NLB, how could you accomplish this with the same type of security?

Thanks!

Answer

Stephen Eilert picture Stephen Eilert · Jul 25, 2018

Since you cannot associate a Security Group to a NLB, how could you accomplish this with the same type of security?

The security aspect does not change.

NLB is a different beast, it not the same as classic Load Balancers. For Classic Load Balancers, from the point of view of your instances, traffic does appear to come from inside the VPC. From outside, traffic goes to a (random and mutating) list of IP addresses, resolved by the DNS record that AWS provides to you.

Network Load Balancers are completely different. From the point of view of your instances, they are completely invisible. If it is an external network load balancer, traffic appears to be coming from instances on the internet directly (even though this is an illusion). Therefore, if you want to talk to everyone on the internet, 0.0.0.0/0 is what you open it to.

This is, in fact, what the documentation says:

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html#target-security-groups

Recommended Rules

Inbound Source      Port Range        Comment
Client IP addresses instance listener Allow traffic from clients on the instance listener port

VPC CIDR            health check      Allow traffic from the load balancer on the health check port

Client IP addresses is whatever your client IPs are. If they are on the open internet, 0.0.0.0/0 it is. Adding the NLB private IP address, as I saw in other responses, accomplishes nothing. Traffic is not coming from there, as far as the instances are concerned.

On the security angle, nothing changes. Since your instances are in private subnets, traffic cannot flow directly to them, as there is a NAT gateway in the middle. It can only flow from them to the internet (through NAT gateway, then internet gateway). Even if you specify all traffic is allowed from everywhere, traffic still won't come. It will have to come through another way. In your case, that way is the NLB, which has a fixed number of ports it listens to, and only sends traffic to the destination ports on the instances you specify.

If you are moving from classic Load Balancers to NLBs, move the security group rules from the Load Balancer to your instances. Or better yet, since you can have multiple security groups, just add the SG you currently have for the classic LB to the instances(and update any ASGs as needed). Your security posture will be exactly the same. With the added benefit that now your applications won't need things like proxy protocol to figure out where traffic is coming from, it is no longer obfuscated by the load balancer.