
Unable to Attach Multiple Security Groups to a Single Network Load Balancer in AWS API Gateway


I'm trying to set up a Network Load Balancer (NLB) in AWS and associate it with multiple security groups. I'm using AWS CloudFormation with a YAML template to configure the NLB. However, I encounter an issue where the NLB does not seem to associate with more than one security group.

Example

Here is what I have tried so far:

  • Created a Network Load Balancer using the AWS Management Console.
  • Attempted to attach multiple security groups to the NLB.

Resources:
  MyNetworkLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: my-nlb
      Type: network
      Subnets:
        - subnet-0abc123456def7890
        - subnet-0abc123456def7891
      SecurityGroups:
        - sg-0abc123456def7890
        - sg-0abc123456def7891

  MyTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: my-target-group
      Port: 80
      Protocol: TCP
      VpcId: vpc-0abc123456def7890

  MyListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref MyTargetGroup
      LoadBalancerArn: !Ref MyNetworkLoadBalancer
      Port: 80
      Protocol: TCP

What I Tried:

  • Verified that the subnets and security groups exist and are properly configured.
  • Ensured that the VPC is correctly set up.
  • Attempted to manually associate the security groups through the AWS Management Console, which works, but not through the CloudFormation template.

I expected the NLB to be created with both security groups (sg-0abc123456def7890 and sg-0abc123456def7891) associated with it as specified in the YAML file. This should allow the NLB to follow the rules defined in both security groups.


Solution

  • For a Network Load Balancer in AWS CloudFormation, the SecurityGroups property does not apply since NLBs do not associate with security groups. Security groups are used with Application Load Balancers and Classic Load Balancers only.

    Network Load Balancers operate at Layer 4 of the OSI model (the Transport Layer) and are not associated with security groups. Instead, you must ensure that the security groups are correctly configured on the instances behind the NLB.

    Since Network Load Balancers (NLBs) do not support security groups, you need to remove the SecurityGroups property from your AWS::ElasticLoadBalancingV2::LoadBalancer resource. Here's the updated CloudFormation template:

    Resources:
      MyNetworkLoadBalancer:
        Type: AWS::ElasticLoadBalancingV2::LoadBalancer
        Properties:
          Name: my-nlb
          Type: network
          Subnets:
            - subnet-0abc123456def7890
            - subnet-0abc123456def7891
    
      MyTargetGroup:
        Type: AWS::ElasticLoadBalancingV2::TargetGroup
        Properties:
          Name: my-target-group
          Port: 80
          Protocol: TCP
          VpcId: vpc-0abc123456def7890
    
      MyListener:
        Type: AWS::ElasticLoadBalancingV2::Listener
        Properties:
          DefaultActions:
            - Type: forward
              TargetGroupArn: !Ref MyTargetGroup
          LoadBalancerArn: !Ref MyNetworkLoadBalancer
          Port: 80
          Protocol: TCP
    

    In this updated template:

    • The SecurityGroups property has been removed from the MyNetworkLoadBalancer resource, as it is not applicable for Network Load Balancers.
    • The MyTargetGroup and MyListener resources remain unchanged, as they are configured correctly for use with a Network Load Balancer.

    You need to attach your security groups

    • sg-0abc123456def7890
    • sg-0abc123456def7891

    to the resources that sit behind the target group.
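As an added example that is not part of the answer above, this is how the two security groups from the question can be attached to a target registered with MyTargetGroup instead of to the NLB. The instance, its AMI, the VPC CIDR and the ingress rule are assumptions for illustration; because an NLB forwards TCP traffic to instance targets with the client IP preserved, the target's security group (not the NLB) is what must allow inbound port 80 from clients and from the NLB's subnets for health checks.

```yaml
Resources:
  # Hypothetical target instance; the security groups go here, not on the NLB.
  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-EXAMPLE          # placeholder, replace with a real AMI ID
      InstanceType: t3.micro
      SubnetId: subnet-0abc123456def7890
      SecurityGroupIds:
        - sg-0abc123456def7890
        - sg-0abc123456def7891

  # Same target group as in the answer, now registering the instance as a target.
  MyTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: my-target-group
      Port: 80
      Protocol: TCP
      VpcId: vpc-0abc123456def7890
      TargetType: instance
      Targets:
        - Id: !Ref WebInstance
          Port: 80

  # Assumed ingress rule: the target's security group must admit the traffic the
  # NLB forwards (client IP is preserved) and the health checks from the NLB subnets.
  # 10.0.0.0/16 is a placeholder for the VPC CIDR; narrow it to the real client range.
  AllowHttpFromVpc:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: sg-0abc123456def7890
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 10.0.0.0/16
```

The MyNetworkLoadBalancer and MyListener resources from the answer's template are unchanged and are omitted here for brevity.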