Why can't a target behind my Network Load Balancer connect to its own Network Load Balancer?


A target behind my Network Load Balancer is trying to connect to the same Network Load Balancer, but the connection fails. Why?

Short description

When the target of an internal Network Load Balancer establishes a TCP connection to its own Network Load Balancer, the target can get routed to itself.

Network Load Balancers preserve the client source IP, so both the source and destination addresses of the arriving packet are the private IP address of the target itself. The host operating system treats such a packet as invalid and drops it without sending any response traffic, so the connection fails.

Note: This connection failure happens only when the source and the target are the same. As a result, the connection issues happen intermittently, depending on the number of targets available to the Network Load Balancer.

To correct this type of Network Load Balancer connection failure, deactivate client IP preservation for TCP and TLS target groups using the preserve_client_ip.enabled target group attribute.

Resolution

To activate or deactivate client IP preservation using the new console, do the following:

  1. Open the Amazon EC2 console.
  2. On the navigation pane, under Load Balancing, choose Target Groups.
  3. Choose the name of the target group to open its details page.
  4. On the Attributes tab, choose Edit.
  5. To activate client IP preservation, choose Preserve client IP addresses. To deactivate client IP preservation, clear Preserve client IP addresses.
  6. Choose Save changes.

If your application needs the IP addresses of the clients, activate proxy protocol support and access the client IP addresses from the proxy protocol header.
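Reading the client address from that header, as an added example that is not part of the AWS article: a parser for the binary PROXY protocol v2 header that a Network Load Balancer prepends to each connection when proxy protocol is enabled, exercised against a constructed sample header. The header is only trustworthy on a listener that receives traffic exclusively through the load balancer, since the bytes could otherwise be supplied by whoever opened the connection; the TLV shown is AWS's type 0xEA / subtype 0x01 (VPC endpoint ID), and the endpoint ID value is a placeholder.

```python
import socket
import struct
from collections import namedtuple

# Fixed 12-byte signature that opens every PROXY protocol v2 header.
PP2_SIGNATURE = b"\x0d\x0a\x0d\x0a\x00\x0d\x0a\x51\x55\x49\x54\x0a"
# tlvs: raw (type, value) pairs; an NLB adds type 0xEA with subtype 0x01 = VPC endpoint ID.
ProxyInfo = namedtuple("ProxyInfo", "src_ip dst_ip src_port dst_port tlvs")

def parse_proxy_v2(data: bytes):
    """Parse the PROXY protocol v2 header at the start of a TCP stream.
    Returns (ProxyInfo, payload), or (None, payload) for a LOCAL command such as a health
    check; raises ValueError on a malformed header so the listener can drop the connection."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY protocol v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 0x2:
        raise ValueError("unsupported PROXY protocol version")
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) != length:
        raise ValueError("truncated PROXY protocol header")
    if ver_cmd & 0x0F == 0x0:          # LOCAL command: no client address is carried
        return None, rest
    family = fam_proto >> 4
    if family == 0x1:                  # AF_INET: 4+4 byte addresses, then two 16-bit ports
        af, fmt, off = socket.AF_INET, "!4s4sHH", 12
    elif family == 0x2:                # AF_INET6: 16+16 byte addresses, then two 16-bit ports
        af, fmt, off = socket.AF_INET6, "!16s16sHH", 36
    else:
        raise ValueError("unsupported address family")
    if len(body) < off:
        raise ValueError("address block shorter than family requires")
    src, dst, sport, dport = struct.unpack(fmt, body[:off])
    tlvs = []
    while off < len(body):             # TLVs: 1-byte type, 2-byte big-endian length, value
        t, l = struct.unpack("!BH", body[off:off + 3].ljust(3, b"\0"))  # pad so a short tail is caught below
        val, off = body[off + 3:off + 3 + l], off + 3 + l
        if off > len(body):
            raise ValueError("TLV overruns header")
        tlvs.append((t, val))
    return ProxyInfo(socket.inet_ntop(af, src), socket.inet_ntop(af, dst), sport, dport, tlvs), rest

def build_sample_header() -> bytes:
    """Constructed sample, not a capture: client 203.0.113.7:51234 -> listener 10.0.1.25:443, plus an
    AWS TLV (0xEA, subtype 0x01) with a placeholder endpoint ID. 0x21 = v2 + PROXY; 0x11 = AF_INET + TCP."""
    tlv_value = b"\x01vpce-PLACEHOLDER"
    tlv = struct.pack("!BH", 0xEA, len(tlv_value)) + tlv_value
    addrs = socket.inet_aton("203.0.113.7") + socket.inet_aton("10.0.1.25") + struct.pack("!HH", 51234, 443)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs + tlv)) + addrs + tlv
```

A listener would call `parse_proxy_v2` on the first bytes read from the accepted socket and hand `rest` to the application protocol, using `src_ip` in place of the socket's peer address (which, with client IP preservation off, is the load balancer's).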


Related information

Connections time out for requests from a target to its load balancer

AWS OFFICIAL. Updated a year ago.