Does the ELB also route outbound reply traffic in AWS [Resolved]

I have been trying to understand how routing works in an AWS VPC with public/private subnets.

I have a setup as recommended by amazon with an ELB and NAT in the public subnet and the webserver in the private subnet. I have security groups (SG) configured as per and it all works as expected. Great!

What I do not yet understand is how HTTP replies are returned from the webserver instance in the above architecture.

So a web request comes in from the public internet over HTTP port 80, hits the ELB, and the ELB takes it to the private IP of the webserver, cool. Now the webserver has to reply. From what I understand the reply will be over a different higher TCP port (1024-65535). The NAT SG only allows outbound traffic over ports 80 & 443. So how does this reply get back out to the public Internet? It cannot go through the NAT. Does this mean the reply goes back out through the ELB? The Amazon diagram does not indicate the ELB traffic direction arrow as bidirectional, nor does the ELB documentation state that the ELB behaves like a stateful NAT. Does it?

Asked April 16, 2019
2 Answers

According to AWS documentation for NLB, it is layer 4, not layer 3. Also the backend or target servers are not required to be on a public subnet. As a matter of fact the IP address ranges of the target groups must be one of the following. The following are the possible target types:

- instance: The targets are specified by instance ID.
- ip: The targets are specified by IP address.

When the target type is ip, you can specify IP addresses from one of the following CIDR blocks:

- The subnets of the VPC for the target group
- (RFC 1918)
- (RFC 6598)
- (RFC 1918)
- (RFC 1918)

You can't specify publicly routable IP addresses.

I hope this helps.

Answered April 16, 2019
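As an added illustration (not part of the original question or answer), here is a small model of how a stateful security group evaluates the return path: the webserver's HTTP reply travels on the same TCP connection the load balancer node opened (source and destination swapped), so it is matched against the tracked inbound flow and needs no outbound rule. Addresses, ports and rules are constructed for the example.

```python
# Toy model of stateful security-group evaluation (constructed example).
# It shows why a reply from a private webserver never needs an outbound rule,
# while a brand-new outbound connection still does.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulSecurityGroup:
    """Inbound/outbound allow-lists keyed by destination port. Any packet
    that belongs to an already admitted connection is allowed regardless
    of the rule set, which is what 'stateful' means here."""

    def __init__(self, inbound_ports, outbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.outbound_ports = set(outbound_ports)
        self.tracked = set()  # 4-tuples of admitted inbound flows

    def inbound(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.dst_port in self.inbound_ports:
            self.tracked.add(flow)  # remember the connection
            return True
        return False

    def outbound(self, pkt):
        # A reply has the tuple of the inbound flow reversed.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.tracked:
            return True  # state match: allowed without an outbound rule
        return pkt.dst_port in self.outbound_ports


def simulate():
    # Webserver SG: inbound 80 only, no outbound rules at all.
    web_sg = StatefulSecurityGroup(inbound_ports={80}, outbound_ports=set())
    elb_node, web = "10.0.0.10", "10.0.1.20"  # assumed private addresses
    request = Packet(elb_node, 51234, web, 80)      # ELB node -> webserver
    reply = Packet(web, 80, elb_node, 51234)        # same connection, reversed
    new_conn = Packet(web, 44000, "203.0.113.5", 443)  # unrelated egress
    return {"request": web_sg.inbound(request),
            "reply": web_sg.outbound(reply),
            "new_outbound_443": web_sg.outbound(new_conn)}
```

Run `simulate()` to see the reply admitted by state while the unrelated outbound connection is dropped; that second case is the one a NAT instance with its own outbound rules is there to serve.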
