Tags: amazon-web-services, aws-api-gateway, amazon-vpc, aws-security-group, nlb

API Gateway VPC link integration to an EC2 machine through the NLB not working because of a security group issue


I have a service running on port 8080 of an EC2 machine in a private subnet. My plan is to establish a VPC Link to the private endpoint using a Network Load Balancer. Now, the Network Load Balancer cannot have a security group of its own; instead, the target's security group comes into play here (in this case the security group of the EC2 instance where my service is running). I am a little confused about what the security group of the EC2 machine should look like. I need to add a custom TCP rule that allows traffic to port 8080, but I am confused about what IP range I can give as the source. The API Gateway has no IP. Also, it is saying that:

Recommended Rules

Inbound Source        Port Range          Comment
Client IP addresses   instance listener   Allow traffic from clients on the instance listener port
VPC CIDR              health check        Allow traffic from the load balancer on the health check port

Solution

  • Based on the comments and from the docs:

    Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic from the load balancer.

    If you register targets by IP address and do not want to grant access to the entire VPC CIDR, you can grant access to the private IP addresses used by the load balancer nodes.

    Thus, for an NLB you either use the CIDR range of the subnet where the NLB is, or, to be more restrictive, you use the NLB's private addresses. You can't get those IP addresses from CloudFormation; you would have to write custom resources in CloudFormation to get the IPs from the NLB. As a compromise, you could put your NLB in a dedicated subnet, or in the same one as the instances, and use its CIDR range.
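The "dedicated subnet" compromise from the answer, written out as a CloudFormation template. This is an added example, not code from the question or the answer: it places an internal NLB in its own subnet, registers the EC2 instance as a target on port 8080 with the health check on the traffic port, and gives the instance a security group whose only ingress rule is the NLB subnet's CIDR on 8080, which covers both the health checks and the forwarded VPC Link traffic without needing the NLB node IPs. The parameter names, the default CIDR 10.0.10.0/24 and the resource logical names are assumptions; no security group is attached to the NLB itself, matching the setup on this page (newer NLBs can optionally carry security groups, but that is not used here).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: EC2 service behind an internal NLB in a dedicated subnet,
  exposed to API Gateway through a VPC Link. The instance security group
  admits only the NLB subnet CIDR on the service port.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  NlbSubnetId:
    Type: AWS::EC2::Subnet::Id        # dedicated subnet holding only the NLB node(s)
  NlbSubnetCidr:
    Type: String
    Default: 10.0.10.0/24             # assumed CIDR of that dedicated subnet
  InstanceId:
    Type: AWS::EC2::Instance::Id      # the EC2 machine running the service
  ServicePort:
    Type: Number
    Default: 8080

Resources:
  # Security group of the target instance. An NLB has no security group of
  # its own, so this is the only place the traffic is filtered. Source is the
  # NLB subnet CIDR rather than the whole VPC CIDR; listener traffic and
  # health checks both arrive on the same port (HealthCheckPort: traffic-port).
  ServiceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow NLB nodes in the dedicated subnet to reach the service
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref ServicePort
          ToPort: !Ref ServicePort
          CidrIp: !Ref NlbSubnetCidr
          Description: NLB listener forwarding and health checks

  ServiceNlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal                # private; reachable only via the VPC Link
      Subnets:
        - !Ref NlbSubnetId

  ServiceTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP
      Port: !Ref ServicePort
      TargetType: instance
      HealthCheckProtocol: TCP
      HealthCheckPort: traffic-port   # health checks use the service port too
      Targets:
        - Id: !Ref InstanceId
          Port: !Ref ServicePort

  ServiceListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ServiceNlb
      Protocol: TCP
      Port: !Ref ServicePort
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref ServiceTargetGroup

  # REST API VPC Link pointing at the NLB; the API Gateway integration then
  # uses this link instead of a public IP, which is why no API Gateway IP
  # range ever appears in the security group.
  ServiceVpcLink:
    Type: AWS::ApiGateway::VpcLink
    Properties:
      Name: service-vpc-link
      Description: Private integration to the NLB fronting the EC2 service
      TargetArns:
        - !Ref ServiceNlb

Outputs:
  NlbDnsName:
    Value: !GetAtt ServiceNlb.DNSName
  VpcLinkId:
    Value: !Ref ServiceVpcLink
```

The instance security group must additionally be attached to the instance (outside this template, since the instance already exists here). If the NLB subnet is shared with other workloads, the rule widens to whatever else lives in that CIDR, which is the trade-off the answer describes between the subnet CIDR and the NLB's per-node private addresses.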