
Decided to move a couple of internal LBs from classic to network ELB. And I have noticed that NetELB does not accept traffic within the scope of those rules which have as source another security group ID (rules that have IP address sources do work).

Haven't noticed anything mentioned in the official docs about this phenomenon, and I am wondering if this happens due to some misconfiguration, or if it is a real limitation of Network ELB? Maybe AWS is working on it? It would ease the migration a lot. Opening the whole VPC CIDR or entire subnets isn't so much fun, nor is refactoring the existing subnets to be more granular when opening them in security groups.

1 Answer


The Network Load Balancer (NLB) is just forwarding your connection on to an appropriate listener, so you would manage the security group on the listeners.

Take a look at the 2017 reInvent session "Tuesday Night Live" for details on Hyperplane, which is how the NLB (and other services) are actually implemented.

chris
    Here are direct links to the parts of the talk on [load balancers](https://youtu.be/dfEcd3zqPOA?t=3911), [Hyperplane](https://youtu.be/dfEcd3zqPOA?t=4667) and [network load balancer](https://youtu.be/dfEcd3zqPOA?t=4806). – Tim Jun 01 '18 at 19:02
  • There's also a [deep dive on the NLB](https://www.youtube.com/watch?v=z0FBGIT1Ub4) and a [how to session](https://www.youtube.com/watch?v=ekxSiLYwHfo) – Tim Jun 01 '18 at 19:12
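A pre-migration audit of the target security group, added here as an example (not code from the question or the answer): given a group's rules in the shape EC2's describe-security-groups returns, it lists every rule on an NLB listener port whose source is another security group ID rather than a CIDR, since those are the rules the question reports stop matching behind an NLB. The group IDs, CIDRs and listener ports are constructed sample values.

```python
"""Flag security-group-sourced inbound rules on NLB listener ports."""

# Constructed sample: one group in describe-security-groups output shape.
TARGET_SG = {
    "GroupId": "sg-0aaa111example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bbb222client"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0ccc333bastion"}]},
        # "-1" means all protocols and ports; such rules carry no port fields.
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0ddd444all"}]},
    ],
}


def _covers(rule, port):
    """True if the rule applies to TCP traffic on `port` (or to all traffic)."""
    proto = rule["IpProtocol"]
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def sg_source_rules_on_ports(sg, listener_ports):
    """Return sorted (port, source_group_id) pairs for rules that admit
    listener traffic only by referencing a source security group."""
    findings = set()
    for rule in sg["IpPermissions"]:
        for port in listener_ports:
            if _covers(rule, port):
                for pair in rule.get("UserIdGroupPairs", []):
                    findings.add((port, pair["GroupId"]))
    return sorted(findings)


def has_cidr_rule(sg, port):
    """True if some CIDR-based rule already admits TCP traffic on `port`."""
    return any(_covers(r, port) and r.get("IpRanges") for r in sg["IpPermissions"])


if __name__ == "__main__":
    for port, src in sg_source_rules_on_ports(TARGET_SG, [443, 8443]):
        gap = "" if has_cidr_rule(TARGET_SG, port) else " (no CIDR rule covers this port)"
        print(f"port {port}: source is group {src}; needs a client CIDR rule{gap}")
```

Feed it the real `IpPermissions` of the group attached to your NLB targets and the listener ports you are migrating; any finding without a covering CIDR rule is traffic that will be dropped after the cutover.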