How do I connect a public-facing load balancer to EC2 instances that have private IP addresses?
Last updated: 2017-02-02
I want to create a public internet-facing load balancer and attach backend Amazon EC2 instances that are not publicly reachable; for example, instances that are in a private subnet. How can I do this?
You must create public subnets in the same Availability Zones as the private subnets that contain your private instances. Then associate these public subnets with the internet-facing load balancer. The load balancer nodes live in the public subnets and reach the instances over their private IP addresses, so the instances themselves never need a public IP address.
If a subnet’s default traffic is routed to an internet gateway, the subnet is known as a public subnet. For example, an instance launched in this subnet is publicly accessible if it has an Elastic IP address or a public IP address associated with it.
If a subnet's default traffic is routed to a NAT instance or NAT gateway, or the subnet has no default route at all, the subnet is known as a private subnet. For example, an instance launched in this subnet is not publicly accessible even if it has an Elastic IP address or a public IP address associated with it, because return traffic to the internet has no path through an internet gateway.
- List the Availability Zones that have the instances you want to attach to the load balancer.
- Create a public subnet in each of those Availability Zones. To ensure that the load balancer can scale properly, verify that each subnet for the load balancer has a CIDR block with at least a /27 bitmask (for example, 10.0.0.0/27) and has at least 8 free IP addresses. Keep in mind that AWS reserves the first four and the last IP address of every subnet, so a /27 has 27 usable addresses, not 32. The load balancer nodes are placed in these subnets and use these IP addresses to establish connections with the backend instances; for more information, see VPCs and Subnets.
Note: If you have more than one private subnet in the same Availability Zone that contains instances that need to be registered with the load balancer, you only need to create one public subnet. You need only one public subnet per Availability Zone; you can add the private instances in all the private subnets that reside in that particular Availability Zone.
- From the Amazon EC2 console, create a load balancer and associate the newly created public subnets with it. For instructions, see Step 1: Select a Load Balancer Type and Step 2: Define your Load Balancer.
- Add the private instances to the load balancer; for instructions, see Step 5: Register EC2 Instances with Your Load Balancer.
- Ensure that the security group that is assigned to the load balancer allows inbound traffic on the listener ports from the clients that should reach it (for an internet-facing load balancer, typically 0.0.0.0/0). Its outbound rules must also allow traffic to the instance ports and the health check port; the default outbound rule (allow all) already does this, so only check this if you have restricted outbound traffic.
- Make sure that the security groups of the private instances allow inbound traffic on the listener ports and on the health check port (if the health check port is not one of the listener ports). An instance that fails the health check is marked unhealthy and receives no traffic, so a missing health check rule takes the instance out of service even though the listener ports are open.
Rather than opening these ports to an IP range, add rules to the instances' security group that allow traffic from the security group assigned to the load balancer. The instances then accept traffic only through the load balancer, and the rules keep working when the load balancer's IP addresses change. For example, if the security group on the load balancer is sg-1234567a, add an inbound rule to the security group associated with the private instances for each listener port and for the health check port, with sg-1234567a as the source instead of a CIDR range.
For more information, see Amazon EC2 Security Groups for Linux Instances.
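The steps above are manual console steps. As an added example that is not part of the original article, the following Python script runs the same checks as a pre-flight test before you create the load balancer: it lists the Availability Zones that hold backend instances, picks one public subnet per zone that meets the sizing rule (/27 or larger, at least 8 free addresses after the 5 that AWS reserves), and reports which listener and health check ports the instance security group does not yet accept from the load balancer's security group. The instance, subnet and rule records are constructed sample data in a simplified shape (not `describe-instances` output), and the instance security group ID `sg-0instances` is an assumed placeholder; only `sg-1234567a` comes from the article. The generated `aws ec2 authorize-security-group-ingress` commands use the real AWS CLI flags.

```python
"""Pre-flight checks for putting private EC2 instances behind an
internet-facing load balancer. Added example; all sample data below is
constructed, not taken from a real account."""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5   # AWS reserves the first 4 and the last address
ELB_MIN_PREFIX = 27           # load balancer subnets must be /27 or larger
ELB_MIN_FREE_IPS = 8          # and must keep at least 8 addresses free


def zones_with_instances(instances):
    """Step 1: the Availability Zones that hold backend instances."""
    return sorted({i["az"] for i in instances})


def subnet_problems(subnet):
    """Step 2: reasons a subnet is unusable for the load balancer ([] = usable)."""
    net = ipaddress.ip_network(subnet["cidr"])
    free = net.num_addresses - AWS_RESERVED_PER_SUBNET - subnet["used"]
    problems = []
    if not subnet["igw_default_route"]:
        problems.append(f"{subnet['id']}: default route is not an internet gateway")
    if net.prefixlen > ELB_MIN_PREFIX:
        problems.append(f"{subnet['id']}: {net} is smaller than /{ELB_MIN_PREFIX}")
    if free < ELB_MIN_FREE_IPS:
        problems.append(f"{subnet['id']}: only {free} free addresses, need {ELB_MIN_FREE_IPS}")
    return problems


def plan_lb_subnets(instances, subnets):
    """One usable public subnet per zone that has instances, or None if none qualifies."""
    plan = {}
    for az in zones_with_instances(instances):
        usable = [s["id"] for s in subnets if s["az"] == az and not subnet_problems(s)]
        plan[az] = usable[0] if usable else None
    return plan


def sg_allows(rules, port, source_sg):
    """True if an inbound rule admits TCP `port` with `source_sg` as the source."""
    return any(r["proto"] == "tcp" and r["from"] <= port <= r["to"]
               and r["source"] == source_sg for r in rules)


def missing_ingress(instance_rules, lb_sg, listener_ports, health_check_port):
    """Ports the instance security group must still open to the LB security group."""
    needed = set(listener_ports) | {health_check_port}
    return sorted(p for p in needed if not sg_allows(instance_rules, p, lb_sg))


def authorize_commands(instance_sg, lb_sg, ports):
    """AWS CLI commands that add the missing rules, sourced from the LB security group."""
    return [f"aws ec2 authorize-security-group-ingress --group-id {instance_sg} "
            f"--protocol tcp --port {p} --source-group {lb_sg}" for p in ports]


# Constructed sample data: three instances in two zones, four candidate subnets.
INSTANCES = [
    {"id": "i-0aaa", "az": "us-east-1a", "subnet": "subnet-priv-a1"},
    {"id": "i-0bbb", "az": "us-east-1a", "subnet": "subnet-priv-a2"},
    {"id": "i-0ccc", "az": "us-east-1b", "subnet": "subnet-priv-b1"},
]
SUBNETS = [  # "used" = addresses already allocated in the subnet
    {"id": "subnet-pub-a1", "az": "us-east-1a", "cidr": "10.0.0.0/27", "used": 20, "igw_default_route": True},
    {"id": "subnet-pub-a2", "az": "us-east-1a", "cidr": "10.0.1.0/24", "used": 0, "igw_default_route": True},
    {"id": "subnet-pub-b1", "az": "us-east-1b", "cidr": "10.0.2.0/28", "used": 0, "igw_default_route": True},
    {"id": "subnet-priv-b1", "az": "us-east-1b", "cidr": "10.0.3.0/24", "used": 1, "igw_default_route": False},
]
INSTANCE_SG_RULES = [  # existing inbound rules on the instances' security group
    {"proto": "tcp", "from": 80, "to": 80, "source": "sg-1234567a"},
    {"proto": "tcp", "from": 22, "to": 22, "source": "10.0.0.0/16"},
]

if __name__ == "__main__":
    print("zones needing a public subnet:", zones_with_instances(INSTANCES))
    for s in SUBNETS:
        for p in subnet_problems(s):
            print("rejected:", p)
    print("load balancer subnets:", plan_lb_subnets(INSTANCES, SUBNETS))
    ports = missing_ingress(INSTANCE_SG_RULES, "sg-1234567a", [80, 443], 8080)
    for cmd in authorize_commands("sg-0instances", "sg-1234567a", ports):
        print(cmd)
```

With the sample data, us-east-1a gets subnet-pub-a2 (subnet-pub-a1 is a /27 but has only 7 free addresses), us-east-1b gets no subnet at all (subnet-pub-b1 is a /28 and subnet-priv-b1 routes to a NAT device), and the instance security group still needs rules for port 443 and the health check port 8080 with sg-1234567a as the source.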