I am running my tasks (in public subnets) using AWS Fargate, and an Internet-facing NLB distributes the traffic to all the available tasks through a target group. I have a security group added to the service that only allows the NLB's IP. We are planning to use Cloudflare as a reverse proxy for all the traffic coming to this NLB. How do I whitelist the Cloudflare IPs so that no one else can reach this NLB?

If you're using a Network Load Balancer, update the security groups for your target instances because Network Load Balancers don't have associated security groups.

  • If your target type is an IP, add a rule to your security group to allow traffic from your load balancer's IP address to the target IP address.

  • If your target type is an instance, add a rule to your security group to allow traffic from your load balancer's IP address and clients to the target IP address.

I think it's not possible to add a security group to an NLB. Ref: https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/

If I add the Cloudflare IPs to the security group of the service, then wouldn't it prevent the load balancers from making a connection, or is the IP of the actual client forwarded this far?

Saif
  • 2,530
  • 3
  • 27
  • 45
  • You are correct. No SGs for NLB. But you use your subnet's ACLs instead. – Marcin Jun 11 '22 at 07:38
  • @saif, did you end up implementing that strategy? If yes, did you see any problems with the NLB routing? I am asking because I have been using NLB and it appears not to do a good traffic distribution across all available machines when the universe of source IPs is only a few (even though I do not have stickiness enabled). – rsc Mar 17 '23 at 02:27

1 Answer

3

You would need to enable Client IP preservation in the Target Group of the Network Load Balancer. Then in the security group of your target(s) (your ECS service, EC2 instance, etc..) you would allow those specific IPs.

Mark B
  • 183,023
  • 24
  • 297
  • 295
  • Do I also need to configure the NACL in any specific way? – Saif Jun 11 '22 at 14:14
  • and do I also need to add the IP of the NLB for the health check? – Saif Jun 11 '22 at 14:37
  • 1
    My answer is how you would do this purely with security groups, instead of NACL. And yes, you may have to add the NLB IP (or just your private CIDR range) in order for health checks to work. – Mark B Jun 11 '22 at 15:40
  • In addition to @MarkB's great answer, you will also need to allow ingress to the port through which the task container receives traffic. For example: if your NLB listens to port 22 and routes TCP traffic to port 2022 in the container, the SG ingress rule has to allow ingress from the client IP address to port 2022 instead of 22. – emyller Nov 16 '22 at 05:13
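The following is an added example that is not part of the question, Mark B's answer, or the comments above; it puts the three pieces of advice together: client IP preservation on the target group, a security group that admits only the Cloudflare edge ranges, the NLB's own subnets for health checks, and the container port rather than the NLB listener port. It assumes NLB subnets of 10.0.1.0/24 and 10.0.2.0/24, a task container port of 2022, and a constructed snapshot of Cloudflare's published ranges (the live lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 must be refreshed periodically). It builds the rules in the `IpPermissions` shape boto3 expects and then evaluates them the way a security group would, including the failure mode where preservation is left off.

```python
"""Added example (not from the original post): build the security-group
ingress rules for Fargate tasks behind an NLB fronted by Cloudflare, and
check which sources those rules admit once client IP preservation is on."""
import ipaddress

# Constructed snapshot of Cloudflare edge ranges, for illustration only;
# refresh from https://www.cloudflare.com/ips-v4 and /ips-v6 before use.
CLOUDFLARE_IPV4_SNAPSHOT = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_IPV6_SNAPSHOT = ["2606:4700::/32"]

# Default inbound rules per security group; every CIDR counts as one rule.
DEFAULT_INBOUND_RULE_QUOTA = 60


def _ip_ranges(cidrs, description):
    """Split CIDRs into the IpRanges (v4) / Ipv6Ranges (v6) lists boto3 expects."""
    v4, v6 = [], []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version == 4:
            v4.append({"CidrIp": str(net), "Description": description})
        else:
            v6.append({"CidrIpv6": str(net), "Description": description})
    return v4, v6


def build_ingress_rules(cloudflare_cidrs, nlb_subnet_cidrs, container_port,
                        health_check_port=None, quota=DEFAULT_INBOUND_RULE_QUOTA):
    """Return an IpPermissions list for ec2.authorize_security_group_ingress.

    - Cloudflare edges may reach the *container* port (what the task listens
      on, not the NLB listener port); with preserve_client_ip enabled the SG
      sees the edge address as the source.
    - The NLB subnets may reach the health-check port, because health checks
      always originate from the NLB nodes' private addresses.
    """
    hc_port = container_port if health_check_port is None else health_check_port
    cf_v4, cf_v6 = _ip_ranges(cloudflare_cidrs, "Cloudflare edge")
    nlb_v4, nlb_v6 = _ip_ranges(nlb_subnet_cidrs, "NLB nodes / health checks")
    rules = [
        {"IpProtocol": "tcp", "FromPort": container_port, "ToPort": container_port,
         "IpRanges": cf_v4, "Ipv6Ranges": cf_v6},
        {"IpProtocol": "tcp", "FromPort": hc_port, "ToPort": hc_port,
         "IpRanges": nlb_v4, "Ipv6Ranges": nlb_v6},
    ]
    total = sum(len(r["IpRanges"]) + len(r["Ipv6Ranges"]) for r in rules)
    if total > quota:
        raise ValueError(f"{total} rules exceed the inbound rule quota of {quota}")
    return rules


def is_allowed(rules, source_ip, dst_port, protocol="tcp"):
    """Evaluate rules the way a security group does: any matching rule admits,
    everything else is implicitly denied."""
    ip = ipaddress.ip_address(source_ip)
    for rule in rules:
        if rule["IpProtocol"] not in (protocol, "-1"):
            continue
        if not rule["FromPort"] <= dst_port <= rule["ToPort"]:
            continue
        key, field = ("IpRanges", "CidrIp") if ip.version == 4 else ("Ipv6Ranges", "CidrIpv6")
        if any(ip in ipaddress.ip_network(r[field]) for r in rule.get(key, [])):
            return True
    return False


def reaches_task(rules, client_ip, nlb_node_ip, container_port, preserve_client_ip):
    """Does a connection arriving through the NLB reach the task?

    The task's SG evaluates whichever address the NLB presents as the source:
    the original client when preserve_client_ip.enabled=true, otherwise the
    NLB node's private IP (which the health-check rule already admits).
    """
    source = client_ip if preserve_client_ip else nlb_node_ip
    return is_allowed(rules, source, container_port)


if __name__ == "__main__":
    rules = build_ingress_rules(
        CLOUDFLARE_IPV4_SNAPSHOT + CLOUDFLARE_IPV6_SNAPSHOT,
        ["10.0.1.0/24", "10.0.2.0/24"],   # assumed NLB subnets
        container_port=2022,              # assumed task port behind an NLB :22 listener
    )
    for client, preserve in [("104.16.1.1", True), ("8.8.8.8", True), ("8.8.8.8", False)]:
        print(client, "preserve" if preserve else "no-preserve",
              reaches_task(rules, client, "10.0.1.25", 2022, preserve))
```

The last case is the one to watch: if `preserve_client_ip.enabled` stays false, every connection shows up from an NLB node address, the health-check rule admits it, and the Cloudflare allow-list does nothing. Turn preservation on first (`aws elbv2 modify-target-group-attributes --target-group-arn <arn> --attributes Key=preserve_client_ip.enabled,Value=true`), then apply the rules with `ec2.authorize_security_group_ingress(GroupId=<sg-id>, IpPermissions=rules)`. Keep the NLB-subnet rule scoped to the health-check port only, so non-Cloudflare traffic has no path even if preservation is ever switched off.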