Target security groups Network ACLs Shared subnets Register or deregister targets

Register targets with your target group

When your target is ready to handle requests, you register it with one or more target groups. The target type of the target group determines how you register targets. For example, you can register instance IDs, IP addresses, or an Application Load Balancer. Your Network Load Balancer starts routing requests to targets as soon as the registration process completes and the targets pass the initial health checks. It can take a few minutes for the registration process to complete and health checks to start. For more information, see Health checks for your target groups.

If demand on your currently registered targets increases, you can register additional targets in order to handle the demand. If demand on your registered targets decreases, you can deregister targets from your target group. It can take a few minutes for the deregistration process to complete and for the load balancer to stop routing requests to the target. If demand increases subsequently, you can register targets that you deregistered with the target group again. If you need to service a target, you can deregister it and then register it again when servicing is complete.

When you deregister a target, Elastic Load Balancing waits until in-flight requests have completed. This is known as connection draining. The status of a target is draining while connection draining is in progress. After deregistration is complete, status of the target changes to unused. For more information, see Deregistration delay.

If you are registering targets by instance ID, you can use your load balancer with an Auto Scaling group. After you attach a target group to an Auto Scaling group and the group scales out, the instances launched by the Auto Scaling group are automatically registered with the target group. If you detach the load balancer from the Auto Scaling group, the instances are automatically deregistered from the target group. For more information, see Attaching a load balancer to your Auto Scaling group in the Amazon EC2 Auto Scaling User Guide.

Target security groups

Before adding targets to your target group, configure the security groups associated with the targets to accept traffic from your Network Load Balancer.

Recommendations for target security groups if the load balancer has an associated security group

To allow client traffic: Add a rule that references the security group associated with the load balancer.
To allow PrivateLink traffic: If you configured the load balancer to evaluate inbound rules for traffic sent through AWS PrivateLink, add a rule that accepts traffic from the load balancer security group on the traffic port. Otherwise, add a rule that accepts traffic from the load balancer private IP addresses on the traffic port.
To accept load balancer health checks: Add a rule that accepts health check traffic from the load balancer security groups on the health check port.

Recommendations for target security groups if the load balancer is not associated with a security group

To allow client traffic: If your load balancer preserves client IP addresses, add a rule that accepts traffic from the IP addresses of approved clients on the traffic port. Otherwise, add a rule that accepts traffic from the load balancer private IP addresses on the traffic port.
To allow PrivateLink traffic: Add a rule that accepts traffic from the load balancer private IP addresses on the traffic port.
To accept load balancer health checks: Add a rule that accepts health check traffic from the load balancer private IP addresses on the health check port.

How client IP preservation works

Network Load Balancers don't preserve client IP addresses unless you set the preserve_client_ip.enabled attribute to true. Also, with dualstack Network Load Balancers, we preserve client IP addresses when translating IPv4 addresses to IPv6 or IPv6 addresses to IPv4.

To find the load balancer private IP addresses

Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, choose Network Interfaces.
In the search field, enter the name of your Network Load Balancer. There is one network interface per load balancer subnet.
On the Details tab for each network interface, copy the address from Private IPv4 address.

For more information, see Security groups for your Network Load Balancer.

Network ACLs

When you register EC2 instances as targets, you must ensure that the network ACLs for the subnets for your instances allow traffic on both the listener port and the health check port. The default network access control list (ACL) for a VPC allows all inbound and outbound traffic. If you create custom network ACLs, verify that they allow the appropriate traffic.

The network ACLs associated with the subnets for your instances must allow the following traffic for an internet-facing load balancer.

Inbound
Source	Protocol	Port Range	Comment
`Client IP addresses`	`listener`	`listener`	Allow client traffic (`instance` target type)
`VPC CIDR`	`listener`	`listener`	Allow client traffic (`ip` target type)
`VPC CIDR`	`health check`	`health check`	Allow health check traffic from the load balancer
Outbound
Destination	Protocol	Port Range	Comment
`Client IP addresses`	`listener`	`listener`	Allow responses to clients (`instance` target type)
`VPC CIDR`	`listener`	`listener`	Allow responses to clients (`ip` target type)
`VPC CIDR`	`health check`	1024-65535	Allow health check traffic

The network ACLs associated with the subnets for your load balancer must allow the following traffic for an internet-facing load balancer.

Inbound
Source	Protocol	Port Range	Comment
`Client IP addresses`	`listener`	`listener`	Allow client traffic (`instance` target type)
`VPC CIDR`	`listener`	`listener`	Allow client traffic (`ip` target type)
`VPC CIDR`	`health check`	1024-65535	Allow health check traffic
Outbound
Destination	Protocol	Port Range	Comment
`Client IP addresses`	`listener`	`listener`	Allow responses to clients (`instance` target type)
`VPC CIDR`	`listener`	`listener`	Allow responses to clients (`ip` target type)
`VPC CIDR`	`health check`	`health check`	Allow health check traffic
`VPC CIDR`	`health check`	1024-65535	Allow health check traffic

For an internal load balancer, the network ACLs for the subnets for your instances and load balancer nodes must allow both inbound and outbound traffic to and from the VPC CIDR, on the listener port and ephemeral ports.

Shared subnets

Participants can create a Network Load Balancer in a shared VPC. Participants can't register a target that runs in a subnet that is not shared with them.

Register or deregister targets

Each target group must have at least one registered target in each Availability Zone that is enabled for the load balancer.

The target type of your target group determines how you register targets with that target group. For more information, see Target type.

Requirements and considerations

You can't register instances by instance ID if they use one of the following instance types: C1, CC1, CC2, CG1, CG2, CR1, G1, G2, HI1, HS1, M1, M2, M3, or T1.
When registering targets by instance ID for a IPv6 target group, the targets must have an assigned primary IPv6 address. To learn more, see IPv6 addresses in the Amazon EC2 User Guide for Linux Instances
When registering targets by instance ID, instances must be in the same Amazon VPC as the Network Load Balancer. You can't register instances by instance ID if they are in an VPC that is peered to the load balancer VPC (same Region or different Region). You can register these instances by IP address.
If you register a target by IP address and the IP address is in the same VPC as the load balancer, the load balancer verifies that it is from a subnet that it can reach.
For UDP and TCP_UDP target groups, do not register instances by IP address if they reside outside of the load balancer VPC or if they use one of the following instance types: C1, CC1, CC2, CG1, CG2, CR1, G1, G2, HI1, HS1, M1, M2, M3, or T1. Targets that reside outside the load balancer VPC or use an unsupported instance type might be able to receive traffic from the load balancer but then be unable to respond.

Register or deregister targets by instance ID

An instance must be in the running state when you register it.

New console

To register or deregister targets by instance ID using the new console

Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
On the navigation pane, under Load Balancing, choose Target Groups.
Choose the name of the target group to open its details page.
Choose the Targets tab.
To register instances, choose Register targets. Select one or more instances, enter the default instance port as needed, and then choose Include as pending below. When you are finished adding instances, choose Register pending targets.

Note:
- The instances must have an assigned primary IPv6 address to be registered with a IPv6 target group.
- AWS GovCloud (US) Regions don't support assigning a primary IPv6 address using the console. You must use the API to assign primary IPv6 addresses in AWS GovCloud (US) Regions.
To deregister instances, select the instance and then choose Deregister.

Old console

To register or deregister targets by instance ID using the old console

Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, under LOAD BALANCING, choose Target Groups.
Select the target group.
Choose Targets, Edit.
(Optional) For Registered instances, select any instances to be deregistered and choose Remove.
(Optional) For Instances, select any running instances to be registered, modify the default instance port as needed, and then choose Add to registered.
Choose Save.

Register or deregister targets by IP address

IPv4 targets

An IP address that you register must be from one of the following CIDR blocks:

The subnets of the VPC for the target group
10.0.0.0/8 (RFC 1918)
100.64.0.0/10 (RFC 6598)
172.16.0.0/12 (RFC 1918)
192.168.0.0/16 (RFC 1918)

The IP address type can't be changed after the target group is created.

When launching a Network Load Balancer in a shared Amazon VPC as a participant, you can only register targets in subnets that have been shared with you.

IPv6 targets

The IP addresses that you register must be within the VPC CIDR block or within a peered VPC CIDR block.
The IP address type can't be changed after the target group is created.
You can associate IPv6 target groups only to a dualstack load balancer with TCP or a TLS listeners.

New console

To register or deregister targets by IP address using the new console

Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
On the navigation pane, under Load Balancing, choose Target Groups.
Choose the name of the target group to open its details page.
Choose the Targets tab.
To register IP addresses, choose Register targets. For each IP address, select the network, Availability Zone, IP address (IPv4 or IPv6), and port, and then choose Include as pending below. When you are finished specifying addresses, choose Register pending targets.
To deregister IP addresses, select the IP addresses and then choose Deregister. If you have many registered IP addresses, you might find it helpful to add a filter or change the sort order.

Old console

To register or deregister targets by IP address using the old console

Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, under LOAD BALANCING, choose Target Groups.
Select the target group and choose Targets, Edit.
To register IP addresses, choose the Register targets icon (the plus sign) in the menu bar. For each IP address, specify the network, Availability Zone, IP address, and port, and then choose Add to list. When you are finished specifying addresses, choose Register.
To deregister IP addresses, choose the Deregister targets icon (the minus sign) in the menu bar. If you have many registered IP addresses, you might find it helpful to add a filter or change the sort order. Select the IP addresses and choose Deregister.
To leave this screen, choose the Back to target group icon (the back button) in the menu bar.

Register or deregister targets using the AWS CLI

Use the register-targets command to add targets and the deregister-targets command to remove targets.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Target group health

Application Load Balancers as targets