How do I attach backend instances with private IP addresses to my internet-facing load balancer in ELB?
Last updated: 2022-08-03
I have an internet-facing load balancer. I want to attach backend Amazon Elastic Compute Cloud (Amazon EC2) instances located in a private subnet. How can I do this using Elastic Load Balancing?
To attach Amazon EC2 instances located in a private subnet, create public subnets in the same Availability Zones as the private subnets used by the backend instances. Then, associate the public subnets with your load balancer.
Create public subnets for your backend instances
- Create a public subnet in each Availability Zone in which your backend instances are located. If you have more than one private subnet in the same Availability Zone, create only one public subnet for that Availability Zone.
- Confirm that each public subnet has a CIDR block with a bitmask of at least /27 (for example, 10.0.0.0/27).
- Confirm that each subnet has at least eight free IP addresses.
Example: Each public subnet (the Application Load Balancer subnet) needs a CIDR block with a bitmask of at least /27:
- Public subnet in AZ A: 10.0.0.0/24
  Private subnet in AZ A: 10.1.0.0/24
- Public subnet in AZ B: 10.2.0.0/24
  Private subnet in AZ B: 10.3.0.0/24
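The three subnet checks above (one public subnet per backend Availability Zone, bitmask of at least /27, at least eight free addresses) can be verified offline before touching the console. The following is an added example, not code from the AWS article; the subnet and instance records are constructed sample input shaped like the example above, and it assumes the five addresses AWS reserves in every VPC subnet when deriving the free count.

```python
"""Pre-flight check for the public-subnet layout required by an internet-facing load balancer.

Assumptions (not from the article): input records are constructed dicts, and
AWS reserves 5 addresses per subnet (network, VPC router, DNS, future use, broadcast).
"""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5   # addresses AWS reserves in every VPC subnet
MIN_PREFIX = 27               # bitmask of at least /27 means prefix length <= 27
MIN_FREE_IPS = 8              # the load balancer needs at least 8 free addresses


def check_subnet_plan(public_subnets, backend_instances):
    """Return a list of problems; an empty list means the layout is acceptable.

    public_subnets: list of {"az": str, "cidr": str, "used": int}, where "used" is
        the number of addresses already allocated beyond the AWS-reserved ones.
    backend_instances: list of {"id": str, "az": str}.
    """
    problems = []
    public_azs = {}
    for s in public_subnets:
        net = ipaddress.ip_network(s["cidr"], strict=True)
        if net.prefixlen > MIN_PREFIX:
            problems.append(f"{s['cidr']} ({s['az']}): /{net.prefixlen} is smaller than /{MIN_PREFIX}")
        free = net.num_addresses - AWS_RESERVED_PER_SUBNET - s.get("used", 0)
        if free < MIN_FREE_IPS:
            problems.append(f"{s['cidr']} ({s['az']}): only {free} free IPs, need {MIN_FREE_IPS}")
        if s["az"] in public_azs:   # the article calls for exactly one public subnet per AZ
            problems.append(f"{s['az']}: second public subnet {s['cidr']} (already have {public_azs[s['az']]})")
        else:
            public_azs[s["az"]] = s["cidr"]
    # Every AZ hosting a backend instance needs a public subnet for the load balancer node.
    for inst in backend_instances:
        if inst["az"] not in public_azs:
            problems.append(f"{inst['id']}: no public subnet in {inst['az']}")
    return problems


# Constructed sample modeled on the article's example; not real AWS resources.
SAMPLE_SUBNETS = [
    {"az": "us-east-1a", "cidr": "10.0.0.0/24", "used": 0},
    {"az": "us-east-1b", "cidr": "10.2.0.0/24", "used": 0},
]
SAMPLE_INSTANCES = [
    {"id": "i-0000000000000001", "az": "us-east-1a"},
    {"id": "i-0000000000000002", "az": "us-east-1b"},
]

if __name__ == "__main__":
    for line in check_subnet_plan(SAMPLE_SUBNETS, SAMPLE_INSTANCES) or ["subnet plan OK"]:
        print(line)
```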
Configure your load balancer
- Open the Amazon EC2 console.
- Associate the public subnets with your load balancer (see Application Load Balancer, Network Load Balancer, or Classic Load Balancer).
- Register the backend instances with your load balancer (see Application Load Balancer, Network Load Balancer, or Classic Load Balancer).
Configure your load balancer's security group and network access control list (ACL) settings
Confirm that the following are true:
- Your load balancer has open listener ports and security groups that allow access to those ports.
- The security group for your instance allows traffic on the instance listener ports and health check ports from the load balancer.
- The load balancer security group allows inbound traffic from the client.
- The load balancer security group allows outbound traffic to the instances and the health check port.
Add a rule on the instance security group to allow traffic from the security group assigned to the load balancer. For example, suppose you have the following:
- Load balancer security group is sg-1234567a.
  - Ingress rule: HTTP TCP 80 from 0.0.0.0/0
- Instance security group is sg-a7654321.
  - Ingress rule: HTTP TCP 80 from sg-1234567a
Your rule would look similar to this:
Then, review the recommended network ACL rules for your load balancer. These recommendations apply to both Application Load Balancers and Classic Load Balancers.
If you're using Network Load Balancers, review Troubleshoot your Network Load Balancer and Target security groups for configuration details. Confirm that the backend instance's security group allows traffic to the target group's port from either:
- Client IP addresses (if targets are specified by instance ID)
- Load balancer nodes (if targets are specified by IP address)