AWS Security ChangesHomeSearch

AWS elasticloadbalancing documentation change

Service: elasticloadbalancing · 2025-05-10 · Documentation low

File: elasticloadbalancing/latest/network/load-balancer-troubleshooting.md

Summary

Clarified security group requirements for load balancer and instances, added EKS pod-specific connection timeout note, and updated client IP preservation guidance to recommend Proxy Protocol v2.

Security assessment

The changes emphasize proper security group configurations (both instance and load balancer SGs) to ensure traffic flow, which prevents misconfigurations that could lead to service disruptions. The Proxy Protocol v2 recommendation improves secure client IP handling but does not address a specific vulnerability. The EKS pod note is a troubleshooting clarification without direct security implications.

Diff

diff --git a/elasticloadbalancing/latest/network/load-balancer-troubleshooting.md b/elasticloadbalancing/latest/network/load-balancer-troubleshooting.md
index 95ee66ca9..44a4b0d46 100644
--- a//elasticloadbalancing/latest/network/load-balancer-troubleshooting.md
+++ b//elasticloadbalancing/latest/network/load-balancer-troubleshooting.md
@@ -20 +20 @@ Verify that your instance is failing health checks and then check for the follow
-The security groups associated with an instance must allow traffic from the load balancer using the health check port and health check protocol. For more information, see [Target security groups](./target-group-register-targets.html#target-security-groups).
+The security groups associated with an instance must allow traffic from the load balancer using the health check port and health check protocol. For more information, see [Target security groups](./target-group-register-targets.html#target-security-groups). Also, the security group for your load balancer must allow traffic to the instances. For more information, see [Update the security groups for your Network Load Balancer](./load-balancer-security-groups.html).
@@ -34 +34 @@ Check for the following:
-The security groups associated with the instances must allow traffic on the listener port from client IP addresses (if targets are specified by instance ID) or load balancer nodes (if targets are specified by IP address). For more information, see [Target security groups](./target-group-register-targets.html#target-security-groups).
+The security groups associated with the instances must allow traffic on the listener port from client IP addresses (if targets are specified by instance ID) or load balancer nodes (if targets are specified by IP address). For more information, see [Target security groups](./target-group-register-targets.html#target-security-groups). Also, the security group for your load balancer must allow traffic to the instances. For more information, see [Update the security groups for your Network Load Balancer](./load-balancer-security-groups.html).
@@ -85 +85,3 @@ If you see a spike in the `TCP_ELB_Reset_Count` metric just before or just as th
-Check whether client IP preservation is enabled on your target group. NAT loopback, also known as hairpinning, is not supported when client IP preservation is enabled. If an instance is a client of a load balancer that it's registered with, and it has client IP preservation enabled, the connection succeeds only if the request is routed to a different instance. If the request is routed to the same instance it was sent from, the connection times out because the source and destination IP addresses are the same.
+Check whether client IP preservation is enabled on your target group. NAT loopback, also known as hairpinning, is not supported when client IP preservation is enabled.
+
+If an instance is a client of a load balancer that it's registered with and it has client IP preservation enabled, the connection succeeds only if the request is routed to a different instance. If the request is routed to the same instance it was sent from, the connection times out because the source and destination IP addresses are the same. Note that this applies to Amazon EKS pods running in the same EC2 worker node instance, even though they have different IP addresses.
@@ -89 +91 @@ If an instance must send requests to a load balancer that it's registered with,
-  * Disable client IP preservation.
+  * Disable client IP preservation. Instead, use Proxy Protocol v2 to get the client IP address.
@@ -91 +93 @@ If an instance must send requests to a load balancer that it's registered with,
-  * Ensure that containers that must communicate, are on different container instances.
+  * Ensure that containers that must communicate are on different container instances.