Why can't a target behind my Network Load Balancer connect to its own Network Load Balancer?

Last updated: 2018-06-04

A target behind my Network Load Balancer is trying to connect to the same Network Load Balancer, but the connection fails. Why?

Short description

When the target of an internal Network Load Balancer establishes a TCP connection to its own Network Load Balancer, the target can get routed to itself.

Network Load Balancers preserve the source IP, so both the source and destination of the arriving packet are the private IP address of the target. Then, the host operating system sees the packet as invalid and fails to send response traffic, which causes the connection to fail.

Note: This connection failure happens only when the source and the target are the same. As a result, the connection issues happen intermittently, depending on the number of targets available to the Network Load Balancer.

To correct this type of Network Load Balancer connection failure, use an IP target type. With an IP target type, the target sees the IP address of the Network Load Balancer. Because the source and destination are unique, the connection succeeds.


To use an IP target type for your Network Load Balancer, follow these steps:

  1. Create a new target group for the load balancer.
  2. For Target type, choose ip.

Note: You cannot modify the target type after you create the target group.

If you're using Amazon Elastic Container Service (Amazon ECS), use the networking type "awsvpc", which provides an elastic network interface, private IP address, and private DNS name for each running task. The "awsvpc" networking type also sets the target type to "ip" in your target group.

If your application needs the IP addresses of the clients, enable Proxy protocol support and access the client IP addresses from the Proxy Protocol header.

Did this article help?

Do you need billing or technical support?