fix inbound traffic by bypassing sg inbound rules on NLB; updated docs

dnks0 · dnks0 · commit 1edf2c053037 · 2026-01-22T13:45:08.000+01:00
diff --git a/README.md b/README.md
@@ -86,4 +86,4 @@ curl -sS -w '\nHTTP %{http_code}\n' http://<ncc-endpoint-rule-domain>:8080/statu
 ```
 
 ### Limitations / Trade-Offs
-Before going to production, please review the following [limitations & trade-offs](terraform/README.md#limitations--tradeoffs-of-the-current-implementation).
+Before going to production, please review the following [limitations & trade-offs](terraform/README.md#limitations--tradeoffs-of-the-current-implementation).
diff --git a/terraform/README.md b/terraform/README.md
@@ -283,3 +283,9 @@ This module is intentionally minimal right now. The following limitations are im
   - Databricks enforces limits around NCCs, private endpoints, and private endpoint rules (including limits on the number of domain names per rule).
   - Treat these as **external constraints** that influence how you model `dbx_proxy_listener`.
   - Reference: [Configure private connectivity to resources in your VPC](https://docs.databricks.com/aws/en/security/network/serverless-network-security/pl-to-internal-network).
+
+- **PrivateLink NLB SG ingress enforcement**
+  - Currently, if bootstrapped, the NLB gets created with a dedicated Security Group attached, which would allow to control ingress to the NLB, enforced with `enforce_security_group_inbound_rules_on_private_link_traffic = on`.
+  - The above setting would also allow to see individual client-IPs as source in network packets (which would be favorable in general)
+  - However, we are not able to lock-down the inbound rules on the NLB Security Group due to missing information like Security Group ID or VPC endpoint ID of the consumer side (Databricks Serverless).
+  - Therefore, we are using `enforce_security_group_inbound_rules_on_private_link_traffic = on`, which bypasses the Security Group inbound rules, and solely rely on the endpoint service `allowed_principals` and manual acceptance to control inbound traffic to the NLB.
diff --git a/terraform/aws/modules/load-balancer/nlb.tf b/terraform/aws/modules/load-balancer/nlb.tf
@@ -11,6 +11,12 @@ resource "aws_lb" "this" {
   enable_cross_zone_load_balancing = true
   enable_deletion_protection = false
 
+  # PrivateLink traffic bypasses NLB SG ingress when this is off. We use off
+  # because the service owner cannot restrict ingress by endpoint SG/CIDR without
+  # consumer-provided details; access is instead controlled via endpoint service
+  # allowed_principals and manual acceptance.
+  enforce_security_group_inbound_rules_on_private_link_traffic = "off"
+
   tags = var.tags
 }
 
@@ -42,6 +48,11 @@ resource "aws_security_group" "this" {
     cidr_blocks = var.subnet_cidrs
   }
 
+  # We can not lock down ingress to individual sources since we don't know the
+  # source IP addresses or Security Group IDs the traffic is originating from.
+  # Therefore, we allow all ingress traffic on the SG level. Ingress is controlled
+  # by the endpoint service allowed_principals and manual acceptance.
+
   tags = merge(
     var.tags,
     {
