- Newest
- Most votes
- Most comments
It'd be best that you recreate your NLB, place it in a private subnet, and set the NLB's type as "internal" instead of "internet-facing". In addition to preventing connections from the outside, it'll save a bit of money in not allocating public IPv4 addresses for your NLB.
Additionally, in the security group you attach to the NLB, you should only permit inbound traffic from the CIDR (IP address block) of your VPC. You can see the CIDR, such as 10.123.0.0/22), in the VPC console, in the properties of your VPC. Allowing inbound traffic only from the VPC's CIDR will be effective in blocking traffic from elsewhere, regardless of whether the NLB has public IPs or not.
Hi,
You can assign a sec group to the NLB itself: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html
If you create one, you can use it to limit access to only machines on your VPC.
Best,
Didier
Relevant content
- asked 13 days ago
- asked 4 months ago
AWS OFFICIALUpdated 11 days ago- AWS OFFICIALUpdated 2 years ago
- How do I delete my Network Load Balancer that's associated with VPC endpoint services (PrivateLink)?AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a month ago
Thanks for your answer.
OK i will try to recreate NLB to see.
And i have CIDR like 20.1.0.0/16, If I put it in inbound traffic isn't working .. i noticed that my public IP was used
The typical reason it wouldn't work when the NLB has public IPs is that traffic to the NLB's public IPs wouldn't be routed directly to the NLB, but instead to a NAT gateway. It would then use the NAT gateway's IP address to connect to the NLB. In this scenario, you would additionally need to permit the elastic IPs of your NAT gateways, but this isn't needed when the NLB is made internal-only.