Tags: amazon-web-services, amazon-elb, nlb

How to limit the access to EC2 from NLB only


Question

Is there a way to make sure access comes only from a specific NLB? Under the current NLB limitations, I am not sure if there is a way.

Limitations

References:

    If you specify targets using an instance ID, the source IP addresses of the clients are preserved and provided to your applications.


Update

NLB now supports SG.


Solution

  • As stated in the AWS NLB document (Target Security Groups), you cannot identify an NLB and make sure that access comes only from the NLB if the target type is instance. You need to use the IP addresses of the clients that access the NLB.

    Limits
    Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic from the load balancer.

    You cannot allow traffic from clients to targets through the load balancer using the security groups for the clients in the security groups for the targets. Use the client CIDR blocks in the target security groups instead.
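To make the answer's point checkable, here is an added example (not from the question, the answer or AWS): it audits a target security group's ingress rules, as returned by `ec2 describe-security-groups`, and reports whether the application port is reachable only via the NLB's own security group (possible since NLBs gained security-group support) or whether it still relies on client CIDR ranges, which cannot tell NLB traffic apart from direct access. The group IDs, the port and the two rule sets are constructed placeholders.

```python
"""Audit an EC2 target security group for NLB-only ingress.

Added example, not part of the original post. Assumes instance targets
(client IPs preserved) and an NLB that has been given a security group.
The IDs and port below are constructed placeholders.
"""
from typing import Iterable

NLB_SG = "sg-0nlb0000placeholder"   # hypothetical NLB security group id
APP_PORT = 8080                      # hypothetical application port

def port_in_rule(rule: dict, port: int) -> bool:
    """True if the ingress rule covers `port` ('-1' means all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit_ingress(ip_permissions: Iterable[dict], nlb_sg: str, port: int) -> dict:
    """Classify the sources allowed on `port`; input has the shape of the
    'IpPermissions' list from ec2 describe-security-groups."""
    findings = {"nlb_sg_allowed": False, "cidr_sources": [], "other_sgs": []}
    for rule in ip_permissions:
        if not port_in_rule(rule, port):
            continue
        for r in rule.get("IpRanges", []):
            findings["cidr_sources"].append(r["CidrIp"])
        for r in rule.get("Ipv6Ranges", []):
            findings["cidr_sources"].append(r["CidrIpv6"])
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] == nlb_sg:
                findings["nlb_sg_allowed"] = True
            else:
                findings["other_sgs"].append(pair["GroupId"])
    # Only NLB-originated traffic can reach the target when the NLB's
    # security group is the sole source on the port: a CIDR rule admits
    # any client in that range whether or not it went through the NLB.
    findings["nlb_only"] = (findings["nlb_sg_allowed"]
                            and not findings["cidr_sources"]
                            and not findings["other_sgs"])
    return findings

# Constructed samples: the pre-update workaround (client CIDR) beside the
# rule you get from `aws ec2 authorize-security-group-ingress --source-group`.
LEGACY_RULES = [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]
FIXED_RULES = [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                "IpRanges": [], "UserIdGroupPairs": [{"GroupId": NLB_SG}]}]

if __name__ == "__main__":
    for name, rules in (("legacy", LEGACY_RULES), ("fixed", FIXED_RULES)):
        print(name, audit_ingress(rules, NLB_SG, APP_PORT))
```

Run it against the real `IpPermissions` of your target group's security group to confirm no CIDR or third-party group source remains on the application port.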