Your team is working on a migration project in AWS platform.
An Application Load Balancer is configured to route traffic to backend EC2 instances.
A security group is attached in the load balancer which allows the ingress traffic from a custom TCP port.
Recently, due to some project requirements, the Application Load Balancer needs to be replaced by a Network Load Balancer.
Existing configurations of the load balancer should be kept if possible.
How would you configure the security group in the new Network Load Balancer?
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer - A.
Network Load Balancers do not use security groups.
This is different from Classic Load Balancer or Application Load Balancer.
Refer to the document in https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/.
Option A is CORRECT: You can add rules to the security group of the target instances.
It should allow the traffic from clients.
Option B is incorrect: Refer to the above link.
Network Load Balancers do not configure security groups.
Option C is incorrect: Because users cannot apply the security group to the Network Load Balancer.
Option D is incorrect: You cannot attach the security group to the NLB listener.
Instead, you should add the security group rules in the EC2 instances.
The correct answer for this scenario is D. Attach the security group to the listener of the Network Load Balancer to allow the ingress traffic from the custom TCP port.
Explanation:
When you replace the Application Load Balancer with a Network Load Balancer, you need to ensure that the security group attached to the load balancer allows the ingress traffic from the custom TCP port to the backend EC2 instances. Unlike an Application Load Balancer, a Network Load Balancer does not have an associated security group. Therefore, you need to attach the security group to the listener of the Network Load Balancer.
Here are the explanations of why other options are incorrect:
Option A: As Network Load Balancers do not have associated security groups, update the security group in the target EC2 instances.
This option is incorrect because updating the security group in the target EC2 instances will not allow ingress traffic to the instances through the Network Load Balancer. The security group of the EC2 instances controls the inbound and outbound traffic to and from the instances, but it does not control the traffic flow through the Network Load Balancer.
Option B: Use a CloudFormation template to associate the same security group with the Network Load Balancer.
This option is incorrect because, as mentioned earlier, a Network Load Balancer does not have an associated security group. Therefore, you cannot use a CloudFormation template to associate the same security group with the Network Load Balancer.
Option C: In the security group, modify the source of the inbound rule to be 0.0.0.0/0, otherwise, the ingress traffic will be denied by the Network Load Balancer.
This option is incorrect because modifying the source of the inbound rule to 0.0.0.0/0 will allow traffic from any source to the backend EC2 instances, which is not a recommended security practice. Additionally, this option does not address the requirement of allowing ingress traffic from the custom TCP port through the Network Load Balancer.
In summary, to allow ingress traffic from a custom TCP port to the backend EC2 instances through the Network Load Balancer, you need to attach the security group to the listener of the Network Load Balancer.