I'm trying to do (what I think is) a simple thing for a custom tcp server (a type of sftp):
Allow traffic to come in on port 2222 via an aws network load balancer and then be routed to instances in a private subnet.
I've done the same with an application load balancer and it works great.
But I can't get the network version working.
I'm wondering if this is even possible. I do get a warning when I create the network load balancer saying that there are no instances in my public subnet (which is true... all the instances are in the private subnet). But I weirdly don't get this error when creating an application load balancer with the same subnets.
Am I missing something here?
(I can ping my server no problem using a bastion host, so I know it's running. I've also opened port 2222 in all related security groups.)
Can network load balancers direct traffic to instances in a private subnet?
NLB appears to modify the behavior of the network infrastructure, rather than being "hidden EC2 instance"-based like ALB or classic ELB, so a different network configuration is required.
The instances need to be on a public subnet with their default route pointing to the Internet Gateway in order to work with an outside-facing NLB, because unlike the other load balancer offerings, they don't return their response traffic to "the balancer's internal IP" since the balancer has no instance-facing IP address of its own, and the instances see the traffic as coming directly from the client IP.
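As an added illustration (not part of the question or the answer above): a small Python check of the two things the answer says an NLB target needs, run against constructed route-table and security-group data shaped like the EC2 API responses. Because the instance sees the real client IP rather than a balancer IP, the security group has to admit that client IP on tcp/2222, not just the VPC range; the subnet, gateway and CIDR values are made up for the example.

```python
import ipaddress

# Constructed sample data in the shape of the relevant fields of EC2
# DescribeRouteTables / DescribeSecurityGroups; not taken from a real account.
ROUTE_TABLES = {
    "subnet-private": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                       {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}],
    "subnet-public": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                      {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}],
}
SECURITY_GROUPS = {
    "sg-vpc-only": [{"IpProtocol": "tcp", "FromPort": 2222, "ToPort": 2222,
                     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
    "sg-open-2222": [{"IpProtocol": "tcp", "FromPort": 2222, "ToPort": 2222,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}


def has_igw_default_route(routes):
    """True when the 0.0.0.0/0 route points at an internet gateway (igw-*)."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-") for r in routes)


def sg_allows_tcp_from(rules, port, client_ip):
    """True when some ingress rule admits `client_ip` on tcp/`port`."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # "-1" means all protocols, no ports
            continue
        if proto == "tcp" and not (rule["FromPort"] <= port <= rule["ToPort"]):
            continue
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
    return False


def nlb_target_problems(subnet_id, sg_id, port=2222, client_ip="203.0.113.10"):
    """List what would stop an NLB client at `client_ip` reaching this target."""
    problems = []
    if not has_igw_default_route(ROUTE_TABLES[subnet_id]):
        problems.append(f"{subnet_id}: default route is not an internet gateway")
    if not sg_allows_tcp_from(SECURITY_GROUPS[sg_id], port, client_ip):
        problems.append(f"{sg_id}: tcp/{port} not allowed from client {client_ip}")
    return problems
```

Run `nlb_target_problems("subnet-private", "sg-vpc-only")` to see both findings at once; the public subnet with the open group returns an empty list.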