Migrating AWS Application Load Balancer to Network Load Balancer: Configuration of Security Group

Configuration of Security Group


Question

Your team is working on a migration project on the AWS platform.

An Application Load Balancer is configured to route traffic to backend EC2 instances.

A security group is attached to the load balancer which allows ingress traffic on a custom TCP port.

Recently, due to some project requirements, the Application Load Balancer needs to be replaced by a Network Load Balancer.

Existing configurations of the load balancer should be kept if possible.

How would you configure the security group in the new Network Load Balancer?

Answers

Explanations


Correct Answer - A.

Network Load Balancers do not use security groups.

This is different from Classic Load Balancer or Application Load Balancer.

Refer to the document at https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/.

Option A is CORRECT: You can add rules to the security group of the target instances.

Those rules should allow the traffic from the clients.

Option B is incorrect: Refer to the above link.

Security groups cannot be configured on Network Load Balancers.

Option C is incorrect: users cannot apply a security group to the Network Load Balancer.

Option D is incorrect: You cannot attach the security group to the NLB listener.

Instead, you should add the security group rules in the EC2 instances.
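The following script is an added example, not part of the original question or of the referenced AWS document, that models the rule change option A describes. With an ALB, the target instances' security group usually admits the custom TCP port only from the ALB's own security group; once the ALB is replaced by an NLB that has no security group (AWS has since added optional security-group support for NLBs, but the question, and this example, assume an NLB without one), that rule no longer matches any traffic. The target security group must instead admit the port from the client CIDRs (the NLB preserves client IPs for instance targets) and from the subnets the NLB is placed in, which is also where NLB health checks originate. The security-group id, port and CIDRs below are constructed sample values, and the rule evaluator is a simplified model, not the EC2 API.

```python
"""Model the target security-group change needed when an ALB is swapped for an NLB.

Added example (not from the original page); all ids and CIDRs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class IngressRule:
    protocol: str   # "tcp", "udp", or "-1" for all traffic
    from_port: int
    to_port: int
    source: str     # a CIDR such as "10.0.0.0/16" or a security-group id such as "sg-..."


def rule_matches(rule: IngressRule, protocol: str, port: int,
                 src_ip: str, src_sg: Optional[str] = None) -> bool:
    """Does one ingress rule admit a packet with this protocol, port and source?"""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source.startswith("sg-"):
        # A security-group source only matches traffic from an ENI that carries that group.
        # An NLB has no ENI security group, so such a rule never matches NLB-forwarded traffic.
        return src_sg == rule.source
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def allows(rules: Sequence[IngressRule], protocol: str, port: int,
           src_ip: str, src_sg: Optional[str] = None) -> bool:
    """Security groups are allow-lists: any single matching rule admits the packet."""
    return any(rule_matches(r, protocol, port, src_ip, src_sg) for r in rules)


def migrate_target_rules(alb_sg_id: str, target_rules: Sequence[IngressRule],
                         client_cidrs: Sequence[str], nlb_subnet_cidrs: Sequence[str],
                         port: int, preserve_client_ip: bool = True) -> List[IngressRule]:
    """Rewrite the target instances' ingress rules for use behind an NLB.

    Drops rules that reference the retired ALB security group and adds CIDR rules for
    the application port: the client ranges (when the NLB preserves client IPs) and the
    NLB subnets (health checks always; data traffic too when client IPs are not preserved).
    """
    kept = [r for r in target_rules if r.source != alb_sg_id]
    sources = list(nlb_subnet_cidrs)
    if preserve_client_ip:
        sources = list(client_cidrs) + sources
    for cidr in sources:
        rule = IngressRule("tcp", port, port, cidr)
        if rule not in kept:
            kept.append(rule)
    return kept


# Constructed sample values for the scenario in the question.
ALB_SG_ID = "sg-0alb0example"                      # the ALB's security group (being retired)
APP_PORT = 8443                                    # the custom TCP port
CLIENT_CIDRS = ["203.0.113.0/24"]                  # client range (RFC 5737 documentation block)
NLB_SUBNET_CIDRS = ["10.0.1.0/24", "10.0.2.0/24"]  # subnets the new NLB is placed in

# Before: targets trust only traffic arriving from the ALB's security group.
TARGET_RULES_BEFORE = [IngressRule("tcp", APP_PORT, APP_PORT, ALB_SG_ID)]
# After: targets trust the client range and the NLB subnets on the application port.
TARGET_RULES_AFTER = migrate_target_rules(ALB_SG_ID, TARGET_RULES_BEFORE,
                                          CLIENT_CIDRS, NLB_SUBNET_CIDRS, APP_PORT)

if __name__ == "__main__":
    print("client via ALB, old rules :", allows(TARGET_RULES_BEFORE, "tcp", APP_PORT, "10.0.1.5", ALB_SG_ID))
    print("client via NLB, old rules :", allows(TARGET_RULES_BEFORE, "tcp", APP_PORT, "203.0.113.10"))
    print("client via NLB, new rules :", allows(TARGET_RULES_AFTER, "tcp", APP_PORT, "203.0.113.10"))
    print("NLB health check, new rules:", allows(TARGET_RULES_AFTER, "tcp", APP_PORT, "10.0.1.5"))
    for r in TARGET_RULES_AFTER:
        print("  allow", r.protocol, f"{r.from_port}-{r.to_port}", "from", r.source)
```

The point the model makes explicit: the old rule still "exists" after the migration, but it admits nothing, because no traffic reaching the targets carries the ALB's security group any more. Scoping the new CIDR rules to the client ranges and the NLB subnets, rather than 0.0.0.0/0, keeps the exposure of the custom port the same as it was behind the ALB.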

Sure, I can provide a detailed explanation of the answer options.

A. As Network Load Balancers do not have associated security groups, update the security group in the target EC2 instances. This option is incorrect because while Network Load Balancers do not have associated security groups, the security group in the target EC2 instances does not control the inbound traffic to the Network Load Balancer. Therefore, updating the security group in the target EC2 instances will not allow the inbound traffic to reach the Network Load Balancer.

B. Use a CloudFormation template to associate the same security group with the Network Load Balancer. This option is a possible solution. CloudFormation can be used to create or update a Network Load Balancer with the same security group that was associated with the Application Load Balancer. This option allows the existing configurations of the load balancer to be kept and applied to the new Network Load Balancer.

C. In the security group, modify the source of the inbound rule to be 0.0.0.0/0 otherwise the ingress traffic will be denied by the Network Load Balancer. This option is incorrect because modifying the inbound rule source to 0.0.0.0/0 will allow traffic from any IP address, which is not a recommended security practice. It is not necessary to modify the inbound rule source to allow traffic to the Network Load Balancer.

D. Attach the security group to the listener of the Network Load Balancer to allow the ingress traffic from the custom TCP port. This option is correct. The security group attached to the listener of the Network Load Balancer controls the inbound traffic to the load balancer. Therefore, attaching the security group to the listener of the Network Load Balancer will allow the ingress traffic from the custom TCP port, while still maintaining the existing configurations of the load balancer.

In summary, options B and D are both valid solutions for configuring the security group in the new Network Load Balancer. However, option B is the more recommended solution as it keeps the existing configurations of the load balancer and applies them to the new Network Load Balancer.