We have a network load balancer in AWS with client IP preservation enabled (this is required). The NLB does not have any security group associated, so we will authorize the client IPs in the security group of the target instances.
But it does not make sense for us to authorize the flow to the NLB as well as to the target instances.
Is there anything we could do to prevent the client from connecting directly to the target instances?
2 Answers
Put the target instances in a private subnet so they can’t be accessed directly.
As Mark suggested, you can put the target instances in a private subnet.
Or, now AWS NLBs support security groups, but only newly created NLBs support SGs.
Reference link: https://aws.amazon.com/about-aws/whats-new/2023/08/network-load-balancer-supports-security-groups/
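As an added illustration of the second answer (this is example Terraform, not configuration from the thread or from AWS), the following puts the allowed client CIDRs on the NLB's own security group and lets the target security group reference that NLB security group instead of the client IPs, so the instances only accept traffic that arrived through the NLB even with client IP preservation on. It assumes a VPC and subnets passed in as variables, TCP/443 as the service port, an AWS provider recent enough to support `security_groups` on an NLB, and an NLB created after the August 2023 launch (a security group cannot be attached to an older NLB).

```hcl
# Assumed inputs (placeholders supplied by the caller).
variable "vpc_id" { type = string }
variable "nlb_subnet_ids" { type = list(string) }
variable "client_cidrs" { type = list(string) } # e.g. ["203.0.113.0/24"] (example range)

# Security group attached to the NLB: the client allow-list lives here.
resource "aws_security_group" "nlb" {
  name   = "nlb-sg"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "nlb_from_clients" {
  for_each          = toset(var.client_cidrs)
  security_group_id = aws_security_group.nlb.id
  cidr_ipv4         = each.value
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

# NLB outbound rules govern traffic to targets, so allow egress explicitly
# (Terraform does not keep AWS's implicit allow-all egress).
resource "aws_vpc_security_group_egress_rule" "nlb_to_targets" {
  security_group_id = aws_security_group.nlb.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

# Target security group: no client CIDRs at all, only the NLB's SG as source.
# A client that resolves an instance IP and connects directly is dropped here.
resource "aws_security_group" "target" {
  name   = "target-sg"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "target_from_nlb" {
  security_group_id            = aws_security_group.target.id
  referenced_security_group_id = aws_security_group.nlb.id
  from_port                    = 443
  to_port                      = 443
  ip_protocol                  = "tcp"
}

resource "aws_lb" "nlb" {
  name               = "app-nlb"
  load_balancer_type = "network"
  subnets            = var.nlb_subnet_ids
  security_groups    = [aws_security_group.nlb.id] # only settable on new NLBs
}
```

Attach `aws_security_group.target` to the instances (or their launch template) and keep the instances in private subnets as the first answer suggests; the two measures are complementary, since the subnet removes the direct route and the security group reference removes the allow rule.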