MENU
Architecting AWS with CloudFormation
  1. Home
  2. SAA_EN
  3. Using CloudFormation to configure security groups for NLB

Using CloudFormation to configure security groups for NLB

TOC

Using CloudFormation to configure security groups for NLB

On 2023/08/10, it was announced that NLB will support security groups.

https://aws.amazon.com/about-aws/whats-new/2023/08/network-load-balancer-supports-security-groups/?nc1=h_ls

This time, we will use CloudFormation to create a configuration with security groups applied to NLB.

Environment

Diagram of using CloudFormation to set up Security Groups in NLB.

Basically, the structure is the same as the following pages.

あわせて読みたい
Introduction to EC2 Auto Scaling – No Scaling Policy 【Introduction to EC2 Auto Scaling - No Scaling Policy】 EC2 Auto Scaling allows you to launch any number of EC2 instances to increase the availability of yo...

The change from the configuration on the above page is the use of NLB instead of ALB.

Apply a security group to this NLB.

CloudFormation template files

The above configuration is built with CloudFormation.
The CloudFormation templates are placed at the following URL

https://github.com/awstut-an-r/awstut-saa/tree/main/01/006

Explanation of key points of template files

This page focuses on how to apply security groups to NLB.

For information on how to build an Auto Scaling group on a private subnet and associate it with ELB, etc., please refer to the following page.

あわせて読みたい
Introduction to EC2 Auto Scaling – No Scaling Policy 【Introduction to EC2 Auto Scaling - No Scaling Policy】 EC2 Auto Scaling allows you to launch any number of EC2 instances to increase the availability of yo...

security group

Resources:
  NLBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub "${Prefix}-NLBSecurityGroup"
      GroupDescription: Allow HTTP Only.
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref HTTPPort
          ToPort: !Ref HTTPPort
          CidrIp: 0.0.0.0/0

  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub "${Prefix}-InstanceSecurityGroup"
      GroupDescription: Allow HTTP from NLBSecurityGroup.
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref HTTPPort
          ToPort: !Ref HTTPPort
          SourceSecurityGroupId: !Ref NLBSecurityGroup
Code language: YAML (yaml)

Create two security groups.

The first is for NLB.
Allow HTTP communication (80/TCP) from all IP addresses.

The second is for EC2 instances.
Specifying a security group for NLB as the source allows inbound traffic through this resource.

NLB

Resources:
  NLB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Sub "${Prefix}-ALB"
      Scheme: internet-facing
      SecurityGroups:
        - !Ref NLBSecurityGroup
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
      Type: network

  NLBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VPC
      Name: !Sub "${Prefix}-NLBTargetGroup"
      Protocol: TCP
      Port: !Ref HTTPPort
      HealthCheckProtocol: TCP
      HealthyThresholdCount: !Ref HealthyThresholdCount
      HealthCheckIntervalSeconds: !Ref HealthCheckIntervalSeconds
      UnhealthyThresholdCount: !Ref UnhealthyThresholdCount

  NLBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref NLBTargetGroup
          Type: forward
      LoadBalancerArn: !Ref NLB
      Port: !Ref HTTPPort
      Protocol: TCP
Code language: YAML (yaml)

To build an NLB, three resources (NLB body, target group, and resources) are created.

This time, a particularly key setting is the SecurityGroups property of the NLB itself.
Specify the security groups for NLB as explained earlier.

(Reference) Launch Template

Resources:
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        IamInstanceProfile:
          Arn: !GetAtt InstanceProfile.Arn
        ImageId: !Ref ImageId
        InstanceType: !Ref InstanceType
        SecurityGroupIds:
          - !Ref InstanceSecurityGroup
        UserData: !Base64 |
          #!/bin/bash -xe
          yum update -y
          yum install -y httpd
          systemctl start httpd
          systemctl enable httpd
          ec2-metadata -i > /var/www/html/index.html
      LaunchTemplateName: !Sub "${Prefix}-LaunchTemplate"
Code language: YAML (yaml)

Launch template for Auto Scaling group.
In the SecurityGroupIds property, specify the aforementioned security group for EC2.

Define the initialization process for the instance using user data.
This time, after installing and starting Apache, place the HTML (index.html) with the instance ID written in the root directory.

For more information on user data, please see the following page.

あわせて読みたい
Four ways to initialize Linux instance 【Four ways to initialize a Linux instance】 Consider how to perform the initialization process when an EC2 instance is started. We will cover the following ...

The NLB’s support for security groups has one major benefit.
That is, traffic control for instances under NLB is now easier.

Prior to NLB’s support of security groups, a laborious process was required to achieve the same behavior as in this case.
That is, disabling client IP storage in NLB and then specifying a private address assigned to NLB.

For more information on this page, please see the following page.

あわせて読みたい
Use CFN custom resource to obtain NLB private address and set it as the source of the security group 【Use CFN custom resource to obtain NLB private address and set it as the source of the security group】 Unlike ALB, security groups cannot be attached to NL...

Architecting

Use CloudFormation to build this environment and check its actual behavior.

Create CloudFormation stacks and check the resources in the stacks

Create CloudFormation stacks.
For information on how to create stacks and check each stack, please see the following page.

あわせて読みたい
CloudFormation’s nested stack 【How to build an environment with a nested CloudFormation stack】 Examine nested stacks in CloudFormation. CloudFormation allows you to nest stacks. Nested ...

After reviewing the resources in each stack, information on the main resources created in this case is as follows

  • NLB: saa-01-006-ALB
  • DNS name of NLB: saa-01-006-alb-e1094ac0c1da946d.elb.ap-northeast-1.amazonaws.com
  • NLB target group: saa-01-006-AutoScalingGroup
  • Security group for NLB: sg-03d85dadbf8cc1ad7
  • Security group for EC2 instance: sg-0a0aca4eda6a6291

Check each resource created from the AWS Management Console.

Check the security groups.

Detail of VPC 1.
Detail of VPC 2.

The former is for NLB.
This content allows HTTP communication (80/tcp) from all addresses.

The latter is for EC2 instances.
This content allows HTTP communication (80/tcp) from the security group for NLB.

Check the NLB.

Detail of NLB 1.

The NLB has been successfully created.
You have indeed attached a security group to the NLB.

Check the Auto Scaling group.

Detail of NLB 2.

You can see that two instances are placed in the group.

Operation Check

Now that you are ready, access the NLB.

$ curl http://saa-01-006-ALB-e1094ac0c1da946d.elb.ap-northeast-1.amazonaws.com
instance-id: i-0ee1c4b8d8eac321e

$ curl http://saa-01-006-ALB-e1094ac0c1da946d.elb.ap-northeast-1.amazonaws.com
instance-id: i-04a6075a54e5cb5f5
Code language: Bash (bash)

We were able to access the two EC2 instances through NLB.
This means that the security groups for NLB and for EC2 instances worked correctly.

Summary

A configuration was created with security groups applied to NLB.

SAA_EN
Auto Scaling_EN EC2(Linux)_EN NLB_EN S3_EN
TOC