Internet-Facing NLB working Locally but getting Timeout from an EC2 Instance in the same VPC

Hi, I have an internet-facing NLB with a security group attached to it. One of the rules is an inbound rule to allow the VPC CIDR block, and another rule allows my local machine.

I can connect via my local machine, but if I SSH into an EC2 instance in the VPC and attempt to connect, the same curl command that works locally times out within the VPC.

Why is this occurring?

My first suspicion would be that the EC2 and the target are in different AZs and you have cross-zone load balancing disabled on the NLB.

They are within the same region (us-east-2), I'm not sure cross-zone load balancing is

I also want to mention that if I change the inbound IP to I can connect from within the EC2.

You are correct, cross-zone is disabled by default, I'm not sure I quite understand it though.

I will try to enable it and report back.

I enabled cross-zone and attempted to connect from the EC2 within the VPC and am still not able to, whilst I am still able to connect locally.

nvm. If it works with what is probably happening is that the DNS entry you are using for the connection is the public DNS. That means your EC2 resolves it to the Internet IP.
So it tries to connect as though this NLB is any other public endpoint.
The traffic that reaches the NLB therefore comes from the EC2's public IP (or the NAT Gateway's).

I am using the NLB DNS name to attempt to connect to it.

What does it resolve to on the EC2?

Hmm wait, I'm not sure what you're saying.

If I do a dig locally and in the EC2 they both give the same output:

```
<|>. 30 IN A 18.x.70.46
k8s-mongodb-psmdbdbr-460b3e49b0-<redacted>.<|>. 30 IN A x.9.86.x
```

Right. So from the EC2's point of view it is connecting to something on the internet. It will use a public IP for that.

Okay, is that an issue?

Sorry, I'm not understanding why I can't connect to the NLB from within my VPC, despite allowing it (setting inbound rule ).

Well, it means that the security group cannot filter for the private address. The connection is coming from the EC2's public IP.

Why is the SG able to filter my local machine? If I delete my IP address from the inbound rule I will no longer be able to connect.

It is also connecting from a public IP.

My goal was to create a public-facing NLB to allow access only from within the VPC and from whitelisted IP addresses.