Tags: amazon-web-services, amazon-ecs, aws-fargate, aws-elb, aws-nlb

How to only allow a few IPs to reach an AWS Network Load Balancer?


I am running my tasks (in public subnets) using AWS Fargate, and an Internet-facing NLB distributes the traffic to all the available tasks through a target group. I have a security group added to the service that only allows the NLB's IP. We are planning to use Cloudflare as a reverse proxy for all the traffic coming to this NLB. How do I whitelist the Cloudflare IPs so that no one else can reach this NLB?

If you're using a Network Load Balancer, update the security groups for your target instances because Network Load Balancers don't have associated security groups.

  • If your target type is an IP, add a rule to your security group to allow traffic from your load balancer's IP address to the target IP address.

  • If your target type is an instance, add a rule to your security group to allow traffic from your load balancer's IP address and clients to the target IP address.

I think it's not possible to add a security group to an NLB. Ref: https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/

If I add the cloudflare IPs to the security group of the service then wouldn't it prevent the load balancers from making a connection, or is the IP of the actual client forwarded till here?


Solution

  • You would need to enable Client IP preservation in the Target Group of the Network Load Balancer. Then in the security group of your target(s) (your ECS service, EC2 instance, etc.) you would allow those specific IPs.
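The two steps in the answer, worked through as an added example (not code from the original post): build the ingress permissions the target security group needs once client IP preservation is turned on, and check which source addresses the group would then accept. With preservation enabled the target sees the real client address, so the proxy ranges can be allowed directly; without it the target would see only the NLB node's private IP and the same rules would block all traffic. One caveat the answer does not spell out: NLB health checks still arrive from the load balancer's private IPs even with preservation on, so those addresses must remain allowed or every target goes unhealthy. All CIDRs and IPs below are constructed placeholders; the real Cloudflare ranges are published at https://www.cloudflare.com/ips and the NLB private IPs come from the load balancer's network interfaces in your own account. The attribute key `preserve_client_ip.enabled` is the real target group attribute used by `aws elbv2 modify-target-group-attributes`.

```python
"""Build the target security-group ingress rules needed once client IP
preservation is enabled on an NLB target group, and evaluate sample client
addresses against them.

Added example, not from the original post. All CIDRs and IPs below are
constructed placeholders.
"""
import ipaddress

# Constructed placeholders standing in for the published Cloudflare ranges
# (fetch the real list from https://www.cloudflare.com/ips).
PROXY_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed placeholders for the NLB node private IPs (one per AZ).
# With client IP preservation enabled, health checks still originate from
# these addresses, so they must stay allowed or targets become unhealthy.
NLB_PRIVATE_IPS = ["10.0.1.25", "10.0.2.40"]

# Target group attribute that turns on client IP preservation, in the shape
# passed to: aws elbv2 modify-target-group-attributes --attributes ...
PRESERVE_CLIENT_IP_ATTRIBUTE = {"Key": "preserve_client_ip.enabled", "Value": "true"}


def build_ingress_permissions(port, proxy_cidrs, nlb_private_ips):
    """Return the IpPermissions list for ec2 authorize-security-group-ingress.

    One TCP rule covers the proxy ranges (real client traffic, visible only
    because preservation is on) and one covers the NLB nodes (health checks).
    Single addresses are turned into /32 entries.
    """
    proxy_ranges = [
        {"CidrIp": str(ipaddress.ip_network(c)), "Description": "reverse proxy egress"}
        for c in proxy_cidrs
    ]
    nlb_ranges = [
        {"CidrIp": f"{ipaddress.ip_address(ip)}/32", "Description": "NLB health checks"}
        for ip in nlb_private_ips
    ]
    return [
        {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": proxy_ranges},
        {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": nlb_ranges},
    ]


def is_allowed(source_ip, port, permissions):
    """Emulate the security-group decision: True if source_ip:port matches any rule."""
    addr = ipaddress.ip_address(source_ip)
    for perm in permissions:
        if perm["IpProtocol"] != "tcp" or not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        for rng in perm["IpRanges"]:
            if addr in ipaddress.ip_network(rng["CidrIp"]):
                return True
    return False


if __name__ == "__main__":
    perms = build_ingress_permissions(443, PROXY_CIDRS, NLB_PRIVATE_IPS)
    # With preservation on, the group sees the real source: a proxy node is
    # allowed, the NLB health checker is allowed, an arbitrary host is not.
    for ip in ["203.0.113.7", "10.0.1.25", "192.0.2.99"]:
        print(ip, "allowed" if is_allowed(ip, 443, perms) else "denied")
```

Apply the attribute to the target group first, then authorize the permissions on the security group attached to the ECS service; the order matters, because adding the proxy-only rules while preservation is still off drops the NLB's forwarded traffic.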