Are the health checks that the target group performs routed from outside the VPC (i.e. from the internet), or are they generated and routed internally? I am asking because I don't know if I should open the port for health checks in the security group at the internet level (0.0.0.0) or the VPC level (10.0.0.0/16).
Thanks
CodePudding user response:
Health checks from the target group are always routed internally, inside the VPC. However, instead of allowing requests from 10.0.0.0/16, you should actually allow requests from the security group ID that is assigned to the load balancer.
CodePudding user response:
Target groups are part of the load balancer, and behind the load balancer your application layer resides, either in the form of EC2 instances, ECS containers, or any other application-tier component.
Since public/internet users will be interacting with the load balancer, the load balancer's SG will be open, which means it allows traffic from anywhere.
Traffic to the application tier, i.e. EC2 or ECS containers, is routed from the load balancer only, which means only traffic from the load balancer should be allowed; to do that you need to allow traffic from the SG of the load balancer.
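The rule both answers describe, written out in Terraform as an added example (this is not code from the original thread): the load balancer's security group is open to the internet on 443, while the application tier's security group admits the app port only from the load balancer's security group, with the weak "whole VPC" variant shown commented out for contrast. It assumes an Application Load Balancer, whose health checks and forwarded requests are sent from ENIs that carry the ALB's security group; the VPC ID, port 8080, the /healthz path, and all resource names are placeholders.

```hcl
# Added example: ALB SG open to the internet, app-tier SG reachable only from the ALB SG.
# Assumed/placeholder values: vpc_id, app port 8080, /healthz, and every resource name.

variable "vpc_id" {
  description = "VPC that holds the ALB and its targets (placeholder, supply your own)"
  type        = string
}

variable "app_port" {
  description = "Port the targets listen on; the target group health-checks the same port"
  type        = number
  default     = 8080
}

# Load balancer tier: reachable from anywhere on HTTPS.
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "alb_https_in" {
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Health checks and forwarded requests leave the ALB's own ENIs, so the ALB SG
# needs egress to the app tier. Terraform's aws_security_group removes AWS's
# default allow-all egress rule, so this must be explicit.
resource "aws_security_group_rule" "alb_to_app_out" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb.id
  from_port                = var.app_port
  to_port                  = var.app_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id
}

# Application tier (EC2/ECS targets): the only permitted source is the ALB SG.
resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "app_from_alb_in" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app.id
  from_port                = var.app_port
  to_port                  = var.app_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}

# Weak alternative (do not use): opening the port to the whole VPC CIDR lets any
# host in 10.0.0.0/16 reach the app port, not only the load balancer.
# resource "aws_security_group_rule" "app_from_vpc_in" {
#   type              = "ingress"
#   security_group_id = aws_security_group.app.id
#   from_port         = var.app_port
#   to_port           = var.app_port
#   protocol          = "tcp"
#   cidr_blocks       = ["10.0.0.0/16"]
# }

# The target group health-checks on "traffic-port", i.e. the same port the
# targets serve, so the single ingress rule above covers both health checks
# and real requests.
resource "aws_lb_target_group" "app" {
  name     = "app-tg"
  port     = var.app_port
  protocol = "HTTP"
  vpc_id   = var.vpc_id

  health_check {
    path = "/healthz"
    port = "traffic-port"
  }
}
```

The app tier's own egress rules (package repos, databases, and so on) are omitted here and would be added to `aws_security_group.app` separately. If the ALB's egress rule is missing, the symptom is targets stuck in "unhealthy" even though the instance SG looks correct, because the health-check packets never leave the load balancer.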