How can I access an internal load balancer using VPC peering?
Last updated: 2020-02-20
I want to connect to a load balancer in VPC A from my instance in VPC B. How can I access an internal load balancer using VPC peering?
To access an internal load balancer in VPC A from VPC B:
- Establish connectivity between VPC A and VPC B using VPC peering.
- Enable DNS resolution from the source VPC for VPC peering.
- Establish the necessary routes, security group rules, and network access control list (ACL) rules to allow traffic between the VPCs.
Using VPC peering, you can access internal load balancers (including Classic Load Balancers, Application Load Balancers, and Network Load Balancers) from another VPC.
- Establish connectivity between your VPCs using VPC peering.
Note: VPC peering is available for intra-region and inter-region connectivity for local or cross-account VPCs.
- Verify that a route for the load balancer's subnets CIDR (or VPC CIDR) exists in the route table of the client subnet. The route must be directed towards the VPC peering ID of your VPCs. Similarly, verify that the route of the client subnet/VPC CIDR exists in the route table of the load balancer's subnets.
- Verify that DNS resolution for VPC peering is enabled from the VPC that hosts the load balancer. To check this:
Open the Amazon Virtual Private Cloud (Amazon VPC) console.
Select the respective VPC peering.
Choose Edit DNS Settings.
Confirm that DNS resolution is enabled. Be sure to enable DNS resolution from the load-balancer-hosted VPC to the client-hosted VPC. Select Requester DNS resolution or Accepter DNS resolution, as appropriate.
- Resolve the load balancer DNS name from your instance and use nslookup <load-balancer DNS name> to verify it.
- Verify that the security group and network ACL allow traffic from either the complete subnet/VPC of the instance or the specific instance IP:
In the security group of the load balancer, allow only inbound traffic on the load balancer's listener port.
For the network ACL of the subnet, allow ingress traffic from the instance IP or subnet/VPC for the load balancer's listener port. In egress, be sure that the Ephemeral port range (1024 to 65535) allows return traffic from the load balancer nodes to the instance.
Note: Modify your security groups or network ACLs, as needed. If you haven't modified the network ACLs, there's a default rule to allow all (0.0.0.0/0) traffic. In this case, you don't need to modify the network ACLs.
- Verify that traffic from the client instance is allowed to go out from the source VPC:
Check that the security group of the instance permits outbound traffic to the load balancer associated with the subnets or default (0.0.0.0/0).
For the network ACL of the subnet, verify that there’s a rule in Egress to allow traffic for the load balancer's subnets on the load balancer's listener port. In Ingress, verify that there’s a rule to allow traffic to the instance IP/subnet on Ephemeral ports for response traffic .
Note: If you haven't modified these default settings, you don't need to make any changes:
The default outbound rule (0.0.0.0/0) for the security group
The default ALLOW ALL rule for the network ACL of the subnet with the instance