Cannot connect to internet-facing NLB forwarding traffic to a private instance

Question

I have configured a cloud with following configuration

1. VPC with a public and private subnet in two availability zones. Public subnet has an internet gateway and private subnet has a NAT gateway configured
2. An internet-facing Network Load Balancer allowing TCP traffic configured in both availability zones
3. A target group to forward traffic from the load balancer
4. An EC2 instance in private subnet configured with haproxy listening at port 80. It's security group is configured to accept TCP traffic at port 80 from both the subnets in which NLB is configured
5. Added this instance to the target group, the status is healthy

When I try to hit the NLB DNS it is giving me 'Connection timed-out' error. I am expecting that when I hit NLB DNS it should forward me to the private instance. I have checked many AWS documents such as this link but still cannot find the resolution to this issue. Please feel free to ask for more information if this is not sufficient.

Answer 1

It's security group is configured to accept TCP traffic at port 80 from both the subnets in which NLB is configured

When targets are registered by instance-id, the security group for instances behind an Internet-facing NLB need to allow traffic from 0.0.0.0/0 -- or whatever range of public IP addresses need to access them through the balancer -- not just the subnets of the balancer (which are needed for health-checks).

If your target type is an instance, add a rule to your security group to allow traffic from your load balancer and clients to the target IP.

https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/

Unlike ALB and Classic balancers, NLB traffic has the source address of the external client when the targets are configured by instance-id, and this is the address the security group is matching against.