Tags: amazon-web-services, load-balancing, aws-security-group

Network load balancer security group doesn't seem to work to restrict access to only another security group


I've got the following setup:

There is an internet-facing Network Load Balancer sitting in front of proxy servers that have port 3128 open; specifically it's the following repo [https://github.com/zytedata/zyte-smartproxy-headless-proxy] that runs behind the load balancer as containers on ECS.

I can set the security group of the containers (SG1) to listen to traffic only from the security group of the load balancer (SG2) on port 3128, that part seems to work fine.

Now what is a bit interesting is that I have another security group that is attached to another set of containers (SG3) that should access the proxy servers through the load balancer's security group (SG2), so the flow of network traffic would be:

SG3 -> SG2 -> SG1

But the only way that seems to work is when I completely open up the load balancer to accept traffic from anywhere on port 3128. When I try to restrict the traffic to come to the load balancer on port 3128 only from SG3, that does not seem to work for some reason.

Is there anything specific to the network load balancer that I might be missing that is not making this work? I've done these sorts of setups with application load balancers and haven't had this sort of problem.

The reason that I had to go with a network load balancer is that the proxy protocol didn't seem to work with an application load balancer (probably due to the application load balancer operating on layer 7 of the OSI model).

Edit: I noticed a similar question which involved public and private subnets that might have had similar problems. In my case the SG3 containers are in public EC2 instances and the SG2 of the load balancer is a public-facing load balancer, so I'm guessing that should not pose any difficulty in network activity based on public or private traffic routing.


Solution

  • You have created a public Network Load Balancer. The network load balancer will only be accessible via its public IP address, which means any network requests to the NLB will go out of the VPC, and back in. Once the network requests go out of the VPC they lose their association with the source security group, so your security group rules referencing other security groups will not work.

    If only other resources in your VPC need to access the NLB, then you should be creating a private NLB instead of a public NLB. Then you will be able to configure the security groups exactly as you describe.

    If, however, the NLB needs to be accessed from computers on the Internet, as well as from internal VPC resources, then you will have to make one of the following changes:
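An added check, not part of the question or the answer above: a small Python lint over constructed data shaped like the `aws elbv2 describe-load-balancers` and `aws ec2 describe-security-groups` responses, which flags the combination the answer diagnoses (an internet-facing NLB whose security group admits traffic only from another security group). Group ids, names and addresses are invented placeholders.

```python
"""Flag NLB security-group rules that can never match in-VPC clients."""
import ipaddress

# Constructed sample: the public NLB from the question, fronting the proxy on TCP 3128.
LOAD_BALANCER = {
    "LoadBalancerName": "proxy-nlb",  # invented name
    "Type": "network",
    "Scheme": "internet-facing",      # the problematic setting; "internal" is the fix
    "SecurityGroups": ["sg-2222"],    # invented id standing in for SG2
}

# Constructed sample: SG2 admits 3128 only from SG3 (invented id sg-3333), as the asker configured it.
SECURITY_GROUPS = {
    "sg-2222": {"IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 3128, "ToPort": 3128,
        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-3333"}],
    }]},
}


def lint_nlb_rules(lb, sgs):
    """Return findings for SG-referencing inbound rules on an internet-facing NLB.

    Clients inside the VPC reach an internet-facing NLB through its public IP, so
    their traffic leaves the VPC and re-enters from a public address. The source
    security-group identity is lost on the way, and a UserIdGroupPairs rule never
    matches. An internal NLB keeps the traffic inside the VPC, where SG references work.
    """
    findings = []
    if lb.get("Type") != "network" or lb.get("Scheme") != "internet-facing":
        return findings
    for sg_id in lb.get("SecurityGroups", []):
        for perm in sgs[sg_id]["IpPermissions"]:
            for pair in perm.get("UserIdGroupPairs", []):
                findings.append(
                    f"{sg_id}: {perm['IpProtocol']}/{perm.get('FromPort')} from {pair['GroupId']} "
                    "cannot match in-VPC clients of an internet-facing NLB; "
                    "use an internal NLB, or a CIDR source if Internet access is also needed")
    return findings


def resolves_publicly(addresses):
    """True if any address the NLB's DNS name resolves to is globally routable.

    That is the symptom to look for: a public NLB hands clients public IPs, so
    the connection leaves the VPC even when client and NLB share the VPC.
    """
    return any(ipaddress.ip_address(a).is_global for a in addresses)


if __name__ == "__main__":
    for finding in lint_nlb_rules(LOAD_BALANCER, SECURITY_GROUPS):
        print(finding)
    # Constructed resolution results: one public-looking address, one private one.
    print(resolves_publicly(["52.94.76.10"]), resolves_publicly(["10.0.1.20"]))
```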