Traffic Flow
- Clients connect to the Load Balancer via HTTP (80) or HTTPS (443) from anywhere.
- The Load Balancer forwards the traffic to the EC2 instances in private subnets.
- EC2 instances are configured to accept requests only from the Load Balancer’s Security Group, not from the public internet.
Security Group Setup
Load Balancer Security Group
| Type | Protocol | Port Range | Source | Description |
|------|----------|------------|--------|-------------|
| HTTP | TCP | 80 | 0.0.0.0/0 | Allow HTTP from anywhere |
| HTTPS | TCP | 443 | 0.0.0.0/0 | Allow HTTPS from anywhere |
Application Security Group (EC2 Instances)
| Type | Protocol | Port Range | Source (SG ID) | Description |
|------|----------|------------|----------------|-------------|
| HTTP | TCP | 80 | sg-xxxxxxx (LB Security Group) | Allow HTTP traffic only from Load Balancer |
Key Points
- The Load Balancer is internet-facing (or internal if private), but EC2 instances are never exposed directly.
- By restricting EC2 inbound rules to the LB Security Group, we prevent direct public access.
- Health checks from the Load Balancer are also covered by these rules, because they originate from the Load Balancer's own network interfaces, which carry the LB Security Group.
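The design above is easy to get right on day one and easy to drift from later (a port opened "temporarily" to 0.0.0.0/0 and never closed). The following is an added example, not part of the original page, that audits a security-group pair against the intended layout: the Load Balancer group may only be open to the world on TCP 80/443, and the application group may only accept traffic from the Load Balancer group on the application port. The dictionaries mirror the shape of the `SecurityGroups` entries returned by `aws ec2 describe-security-groups`; the group IDs and rules are constructed sample data, not real resources.

```python
# Added example (not from the original page): audit a Load Balancer / EC2
# security-group pair against the design described above.
# Input shape mirrors `aws ec2 describe-security-groups` output; the group
# IDs and rules below are constructed sample data.

ANYWHERE = {"0.0.0.0/0", "::/0"}


def ingress_rules(sg):
    """Flatten a group's IpPermissions into (protocol, from_port, to_port, source) tuples."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")            # "tcp", "udp", "icmp" or "-1" (all traffic)
        frm, to = perm.get("FromPort"), perm.get("ToPort")  # absent for "-1"
        for r in perm.get("IpRanges", []):
            yield proto, frm, to, r["CidrIp"]
        for r in perm.get("Ipv6Ranges", []):
            yield proto, frm, to, r["CidrIpv6"]
        for g in perm.get("UserIdGroupPairs", []):
            yield proto, frm, to, g["GroupId"]    # source is another security group


def audit_lb_sg(lb_sg, public_ports=(80, 443)):
    """The LB may be reachable from anywhere, but only on TCP 80/443."""
    findings = []
    for proto, frm, to, src in ingress_rules(lb_sg):
        if proto != "tcp" or frm != to or frm not in public_ports:
            findings.append(f"{lb_sg['GroupId']}: unexpected ingress {proto} {frm}-{to} from {src}")
    return findings


def audit_app_sg(app_sg, lb_sg_id, app_ports=(80,)):
    """Instances must accept traffic only from the LB group, and only on the app port(s)."""
    gid = app_sg["GroupId"]
    findings = []
    seen_lb = False
    for proto, frm, to, src in ingress_rules(app_sg):
        if src in ANYWHERE:
            findings.append(f"{gid}: {proto} {frm}-{to} is open to the internet ({src})")
        elif src != lb_sg_id:
            findings.append(f"{gid}: {proto} {frm}-{to} allowed from unexpected source {src}")
        elif proto != "tcp" or frm != to or frm not in app_ports:
            findings.append(f"{gid}: LB is allowed {proto} {frm}-{to}, expected only TCP {app_ports}")
        else:
            seen_lb = True
    if not seen_lb:
        # Without this rule the LB's health checks never reach the instances.
        findings.append(f"{gid}: no ingress rule from load balancer SG {lb_sg_id}")
    return findings


# ---- constructed sample data (placeholder IDs, not real resources) ----
LB_SG_ID = "sg-0lb0000000000000"

LB_SG = {
    "GroupId": LB_SG_ID,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

APP_SG_OK = {
    "GroupId": "sg-0app000000000000",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": LB_SG_ID}]},
    ],
}

# Same group after drift: an SSH rule open to the world was added later.
APP_SG_DRIFTED = {
    "GroupId": "sg-0app000000000000",
    "IpPermissions": APP_SG_OK["IpPermissions"] + [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    for label, findings in (("lb", audit_lb_sg(LB_SG)),
                            ("app-ok", audit_app_sg(APP_SG_OK, LB_SG_ID)),
                            ("app-drifted", audit_app_sg(APP_SG_DRIFTED, LB_SG_ID))):
        print(label, "OK" if not findings else findings)
```

In a real account the same functions can be fed the parsed output of `aws ec2 describe-security-groups --group-ids ...` and run from a scheduled job, so an unexpected 0.0.0.0/0 rule on the application group is reported rather than discovered during an incident.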