How do I attach backend instances with private IP addresses to my internet-facing load balancer in ELB?

Last updated: 2021-03-01

I have an internet-facing load balancer. I want to attach backend Amazon Elastic Compute Cloud (Amazon EC2) instances located in a private subnet. How can I do this using Elastic Load Balancing?

Short description

To attach Amazon EC2 instances located in a private subnet, create public subnets in the same Availability Zones as the private subnets used by the backend instances. Then, associate the public subnets with your load balancer.


Before you begin, note the Availability Zone of each Amazon EC2 Linux or Amazon EC2 Windows instance that you're attaching to your load balancer.

Create public subnets for your backend instances

  1. Create a public subnet in each Availability Zone that your backend instances are located. If you have more than one private subnet in the same Availability Zone, create only one public subnet for that Availability Zone.
  2. Confirm that each public subnet has a CIDR block with a bitmask of at least /27 (for example,
  3. Confirm that each subnet has at least eight free IP addresses.

Configure your load balancer

  1. Open the Amazon EC2 console.
  2. Associate the public subnets with your load balancer (see Application Load Balancer, Network Load Balancer, or Classic Load Balancer).
  3. Register the backend instances with your load balancer (see Application Load Balancer, Network Load Balancer, or Classic Load Balancer).

Configure your load balancer's security group and network access control list (ACL) settings

Review the recommended security group settings for Application Load Balancers or Classic Load Balancers. Be sure that:

  • Your load balancer has open listener ports and security groups that allow access to the ports.
  • The security group for your instance allows traffic on instance listener ports and health check ports from the load balancer.
  • The load balancer security group allows inbound traffic from the client.
  • The load balancer security group allows outbound traffic to the instances and the health check port.

Add a rule on the instance security group to allow traffic from the security group assigned to the load balancer. For example:

Type Protocol Port Range Source
HTTP TCP 80 sg-1234567a

Then, review the recommended network ACL rules for your load balancer. These recommendations apply to both Application Load Balancers and Classic Load Balancers.

If you're using Network Load Balancers, review Troubleshoot your Network Load Balancer and Target security groups for configuration details. Confirm that the backend instance's security group allows traffic to the target group's port from either:

  • Client IP addresses (if targets are specified by instance ID)
  • Load balancer nodes (if targets are specified by IP address)