I have an internet-facing Elastic Load Balancing (ELB) load balancer. I want to attach backend Amazon Elastic Compute Cloud (Amazon EC2) instances located in a private subnet.
Short description
To attach EC2 instances that are located in a private subnet, first create public subnets. These public subnets must be in the same Availability Zones as the private subnets that are used by the backend EC2 instances. Then, associate the public subnets with your load balancer.
Note: Your load balancer establishes a connection with its target privately. To download software or security patches from the internet, use a NAT gateway rule on the target instance's route table to allow internet access.
Resolution
Before you begin, note the Availability Zone of each Amazon EC2 Linux or Amazon EC2 Windows instance that you're attaching to your load balancer.
Create public subnets for your EC2 backend instances
Complete the following steps:
- Create a public subnet in each Availability Zone that your backend instances are located in. If you have more than one private subnet in the same Availability Zone, then create only one public subnet for that Availability Zone.
- Confirm that each public subnet has a CIDR block with a bitmask of at least /27 (for example, 10.0.0.0/27).
- Confirm that each subnet has at least eight free IP addresses.
For example, a Public subnet (Application Load Balancer subnet) requires a CIDR block with a bitmask of at least /27:
Public subnet in AZ A: 10.0.0.0/24
Private subnet in AZ A: 10.1.0.0/24
Public subnet in AZ B: 10.2.0.0/24
Private subnet in AZ B: 10.3.0.0/24
Configure your load balancer
Complete the following steps:
- Open the Amazon EC2 console.
- In the navigation pane, under Load Balancing, choose Load Balancers and then select your load balancer.
- Associate the public subnets with your load balancer. For more information, see the following documentation:
For Application Load Balancer, see Configure your load balancer and listener
For Network Load Balancer, see Configure your load balancer and listener
For Classic Load Balancer, see Configure subnets for your Classic Load Balancer - Register the backend instances with your load balancer. For more information, see the following documentation:
For Application Load Balancer, see Register targets with your target group
For Network Load Balancer, see Register targets with your target group
For Classic Load Balancer, see Register an instance
Configure your load balancer's security group and network access control list (ACL) settings
Review the security group settings for Application Load Balancers or Classic Load Balancers. Check for the following settings:
- Your load balancer has open listener ports and security groups that allow access to the ports.
- The security group for your instance allows traffic on instance listener ports and health check ports from the load balancer.
- The load balancer security group allows inbound traffic from the client.
- The load balancer security group allows outbound traffic to the instances and the health check port.
Add a rule on the instance security group to allow traffic from the security group that's assigned to the load balancer. For example, if you have the following parameters:
- Load Balancer security group is sg-1234567a
- Ingress rule is HTTP TCP 80 0.0.0.0/0
- Instance security group is sg-a7654321
- Ingress rule is HTTP TCP 80 sg-1234567a
Then, your rule looks similar to the following:
Type: HTTP
Protocol: TCP
Port Range: 80
Source: sg-1234567a
Review the network ACL rules for your load balancer. The rules apply to both Application Load Balancers and Classic Load Balancers.
If you use Network Load Balancers, then review Troubleshoot your Network Load Balancer and Target security groups for configuration details. Confirm that the backend instance's security group allows traffic to the target group's port from either:
- Client IP addresses (when targets are specified by instance ID)
- Load balancer nodes (when targets are specified by IP address)
