
Reply To: Is this NLB question answer wrong? (AWS Certified Solutions Architect Professional forum)

  • Carlo-TutorialsDojo

    January 21, 2021 at 2:39 pm

    Hello Jun,

    Thanks for posting your question.

    So there are two “parties” involved in this scenario: the client accounts and the logging service. These two parties are connected via AWS PrivateLink. The logging service, as described, is a group of EC2 instances spread across different subnets behind an NLB.

    Here is the simplified architecture for this problem:

    Clients -> VPC endpoint -> NLB -> Logging Service (EC2)

    What we want is to allow traffic between the NLB and EC2, but how do we do that?

    NLB is a bit tricky because it does not have a security group. Unlike with an ALB, we can’t reference the load balancer’s security group ID as a source in our EC2 instances’ security group to facilitate a connection between them.

    A workaround for that is to get the NLB’s IP address and use it instead.

    Now, this option, “Ensure that the security group attached to the EC2 instances hosting the logging service allows inbound traffic from the IP address block of the clients”, is incorrect because it is telling us to use the IP address block of the clients instead of the NLB IP address (bypassing the NLB and VPC endpoint), and it looks something like this:

    Clients -> Logging Service (EC2)

    As you may already understand, this won’t work at all.

    I hope this helps. Let me know if you need further assistance.
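A worked example of the workaround described in the reply above, added here as an editor's example (it is not code from the original post or from Tutorials Dojo). It pulls the NLB node private IPs out of a `describe-network-interfaces` response (the ENIs an NLB creates carry the description `ELB net/<lb-name>/<lb-id>`), builds the `IpPermissions` structure that `ec2.authorize_security_group_ingress` expects for the target security group, and then evaluates both the client-CIDR rule and the NLB-IP rule against the source addresses the targets actually see. The load balancer name `logging-nlb`, the subnet IDs and IP values, the client block 172.16.0.0/16 and the syslog port 514 are all assumptions; the API response is constructed inline so the script runs offline without boto3.

```python
import ipaddress

# Constructed sample (not real AWS output) of what
#   aws ec2 describe-network-interfaces --filters Name=description,Values="ELB net/logging-nlb/*"
# returns, trimmed to the fields used below. One ENI per NLB subnet, plus an
# unrelated instance ENI that must be ignored.
SAMPLE_ENIS = {
    "NetworkInterfaces": [
        {"Description": "ELB net/logging-nlb/1a2b3c4d5e6f7a8b", "SubnetId": "subnet-0aaa",
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.25", "Primary": True}]},
        {"Description": "ELB net/logging-nlb/1a2b3c4d5e6f7a8b", "SubnetId": "subnet-0bbb",
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.77", "Primary": True}]},
        {"Description": "Primary network interface", "SubnetId": "subnet-0aaa",
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.9", "Primary": True}]},
    ]
}

# Assumed values for the scenario.
LB_NAME = "logging-nlb"
LISTENER_PORT = 514           # assumed syslog-style logging port
CLIENT_BLOCK = "172.16.0.0/16"  # assumed client VPC CIDR (the wrong answer's source)


def nlb_node_ips(describe_enis_response, lb_name):
    """Return the private IPs of the NLB's nodes, one per subnet the NLB is in."""
    prefix = f"ELB net/{lb_name}/"
    ips = set()
    for eni in describe_enis_response["NetworkInterfaces"]:
        if not eni.get("Description", "").startswith(prefix):
            continue  # skip ENIs that do not belong to this load balancer
        for addr in eni.get("PrivateIpAddresses", []):
            ips.add(addr["PrivateIpAddress"])
    return sorted(ips, key=ipaddress.ip_address)


def ingress_permissions(ips, port, protocol="tcp"):
    """Build the IpPermissions list for ec2.authorize_security_group_ingress:
    one /32 entry per NLB node, restricted to the listener port."""
    return [{
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": f"{ip}/32", "Description": f"{LB_NAME} node"} for ip in ips],
    }]


def sg_allows(ip_permissions, src_ip, port, protocol="tcp"):
    """Evaluate a security group's ingress rules the way EC2 does for IPv4:
    a rule matches if protocol and port range match and src_ip is in a CidrIp."""
    src = ipaddress.ip_address(src_ip)
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in (protocol, "-1"):  # "-1" means all protocols and ports
            continue
        if proto != "-1" and not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            continue
        for r in perm.get("IpRanges", []):
            if src in ipaddress.ip_network(r["CidrIp"]):
                return True
    return False


def compare_rules():
    """Check the wrong rule (client block) and the right rule (NLB node IPs)
    against the source IPs the targets actually see behind a PrivateLink NLB."""
    nodes = nlb_node_ips(SAMPLE_ENIS, LB_NAME)
    wrong = [{"IpProtocol": "tcp", "FromPort": LISTENER_PORT, "ToPort": LISTENER_PORT,
              "IpRanges": [{"CidrIp": CLIENT_BLOCK}]}]
    right = ingress_permissions(nodes, LISTENER_PORT)
    return {
        "nlb_nodes": nodes,
        "client_block_rule_admits_nlb": all(sg_allows(wrong, ip, LISTENER_PORT) for ip in nodes),
        "nlb_rule_admits_nlb": all(sg_allows(right, ip, LISTENER_PORT) for ip in nodes),
        # the NLB rule must not open the port to arbitrary addresses
        "nlb_rule_admits_stray_ip": sg_allows(right, "172.16.5.5", LISTENER_PORT),
    }


if __name__ == "__main__":
    for k, v in compare_rules().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner should keep in mind. First, traffic that arrives through a VPC endpoint (PrivateLink) cannot use client IP preservation, so the targets always see the NLB node private IPs as the source, which is exactly why a rule keyed on the client block never matches. Second, the node IPs are per subnet and change if the NLB's subnets are changed or the NLB is recreated, so the generated rule has to be refreshed then. Since August 2023 an NLB can itself carry security groups, and referencing the NLB's security group ID from the target security group is the cleaner option on current AWS; when this reply was written that feature did not exist.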