Using CloudFormation to configure security groups for NLB

Using CloudFormation to set up Security Groups in NLB. SAA_EN

On 2023/08/10, it was announced that NLB will support security groups.

Network Load Balancer now supports security groups

This time, we will use CloudFormation to create a configuration with security groups applied to NLB.



Diagram of using CloudFormation to set up Security Groups in NLB.

Basically, the structure is the same as the following pages.

The change from the configuration on the above page is the use of NLB instead of ALB.

Apply a security group to this NLB.

CloudFormation template files

The above configuration is built with CloudFormation.
The CloudFormation templates are placed at the following URL

Explanation of key points of template files

This page focuses on how to apply security groups to NLB.

For information on how to build an Auto Scaling group on a private subnet and associate it with ELB, etc., please refer to the following page.

security group

    Type: AWS::EC2::SecurityGroup
      GroupName: !Sub "${Prefix}-NLBSecurityGroup"
      GroupDescription: Allow HTTP Only.
      VpcId: !Ref VPC
        - IpProtocol: tcp
          FromPort: !Ref HTTPPort
          ToPort: !Ref HTTPPort
    Type: AWS::EC2::SecurityGroup
      GroupName: !Sub "${Prefix}-InstanceSecurityGroup"
      GroupDescription: Allow HTTP from NLBSecurityGroup.
      VpcId: !Ref VPC
        - IpProtocol: tcp
          FromPort: !Ref HTTPPort
          ToPort: !Ref HTTPPort
          SourceSecurityGroupId: !Ref NLBSecurityGroup
Code language: YAML (yaml)

Create two security groups.

The first is for NLB.
Allow HTTP communication (80/TCP) from all IP addresses.

The second is for EC2 instances.
Specifying a security group for NLB as the source allows inbound traffic through this resource.


    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
      Name: !Sub "${Prefix}-ALB"
      Scheme: internet-facing
        - !Ref NLBSecurityGroup
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
      Type: network
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
      VpcId: !Ref VPC
      Name: !Sub "${Prefix}-NLBTargetGroup"
      Protocol: TCP
      Port: !Ref HTTPPort
      HealthCheckProtocol: TCP
      HealthyThresholdCount: !Ref HealthyThresholdCount
      HealthCheckIntervalSeconds: !Ref HealthCheckIntervalSeconds
      UnhealthyThresholdCount: !Ref UnhealthyThresholdCount
    Type: AWS::ElasticLoadBalancingV2::Listener
        - TargetGroupArn: !Ref NLBTargetGroup
          Type: forward
      LoadBalancerArn: !Ref NLB
      Port: !Ref HTTPPort
      Protocol: TCP
Code language: YAML (yaml)

To build an NLB, three resources (NLB body, target group, and resources) are created.

This time, a particularly key setting is the SecurityGroups property of the NLB itself.
Specify the security groups for NLB as explained earlier.

(Reference) Launch Template

    Type: AWS::EC2::LaunchTemplate
          Arn: !GetAtt InstanceProfile.Arn
        ImageId: !Ref ImageId
        InstanceType: !Ref InstanceType
          - !Ref InstanceSecurityGroup
        UserData: !Base64 |
          #!/bin/bash -xe
          yum update -y
          yum install -y httpd
          systemctl start httpd
          systemctl enable httpd
          ec2-metadata -i > /var/www/html/index.html
      LaunchTemplateName: !Sub "${Prefix}-LaunchTemplate"
Code language: YAML (yaml)

Launch template for Auto Scaling group.
In the SecurityGroupIds property, specify the aforementioned security group for EC2.

Define the initialization process for the instance using user data.
This time, after installing and starting Apache, place the HTML (index.html) with the instance ID written in the root directory.

For more information on user data, please see the following page.

The NLB’s support for security groups has one major benefit.
That is, traffic control for instances under NLB is now easier.

Prior to NLB’s support of security groups, a laborious process was required to achieve the same behavior as in this case.
That is, disabling client IP storage in NLB and then specifying a private address assigned to NLB.

For more information on this page, please see the following page.


Use CloudFormation to build this environment and check its actual behavior.

Create CloudFormation stacks and check the resources in the stacks

Create CloudFormation stacks.
For information on how to create stacks and check each stack, please see the following page.

After reviewing the resources in each stack, information on the main resources created in this case is as follows

  • NLB: saa-01-006-ALB
  • DNS name of NLB:
  • NLB target group: saa-01-006-AutoScalingGroup
  • Security group for NLB: sg-03d85dadbf8cc1ad7
  • Security group for EC2 instance: sg-0a0aca4eda6a6291

Check each resource created from the AWS Management Console.

Check the security groups.

Detail of VPC 1.
Detail of VPC 2.

The former is for NLB.
This content allows HTTP communication (80/tcp) from all addresses.

The latter is for EC2 instances.
This content allows HTTP communication (80/tcp) from the security group for NLB.

Check the NLB.

Detail of NLB 1.

The NLB has been successfully created.
You have indeed attached a security group to the NLB.

Check the Auto Scaling group.

Detail of NLB 2.

You can see that two instances are placed in the group.

Operation Check

Now that you are ready, access the NLB.

$ curl
instance-id: i-0ee1c4b8d8eac321e

$ curl
instance-id: i-04a6075a54e5cb5f5
Code language: Bash (bash)

We were able to access the two EC2 instances through NLB.
This means that the security groups for NLB and for EC2 instances worked correctly.


A configuration was created with security groups applied to NLB.