Internet-Facing NLB working Locally but getting Timeout from an EC2 Instance in the same VPC

and then we can set up https://aws.amazon.com/vpn/client-vpn/ to allow dev access to the service if they need it?

does that make sense? sorry, my networking skills are not great :smile:

yes, that is a good option. But check the pricing. Depending on how many devs you have, other solutions may make more sense

Okay, will do, and do you mind mentioning a few other solutions? (so I can look into them)

btw you seem to understand immediately that the EC2 instance was connecting from the public IP and therefore the SG was not filtering anything. Do you have any resource you can point me to, to help me better understand that? I guess I'm still a little confused why setting the CIDR block in the inbound rule does not work.

hm, well that is probably the years of working with AWS speaking :smile:

Ah, I think I understand now. The connection was coming from a public IP address that was not in the AWS SG inbound rule

yeah I am googling rn to try to find a good architecture diagram that shows this. But almost no one uses public-facing NLBs in this way :smile:

If the connection was coming from an internal IP address (10.x.x.x etc.) then it would allow it

ye I think it just clicked

right, but the NLB does not have any internal IPs that the EC2 can connect to

it only has endpoints for connecting to targets. No Listeners

ye I need to read up on NLBs I guess, I just don’t understand fundamentally how they work

Well at least I have a path forward with Client VPN + internal NLB and I'll go from there

also, if you could mention a few other cost-effective solutions that would be helpful

But ye, thanks for your help! It was super helpful

yeah, it is hard to grasp if you do not have a networking background and are only used to Layer 7 load balancing like ALB.