I have a network load balancer which should forward some TCP requests to an application load balancer (specifically ELB). For this I created a target group with target type == application load balancer, and set up a listener + security group on the ELB to accept these forwarded requests.
For some reason I haven't figured out yet, health checks of said target group are constantly failing, even if I set up the ELB rules to just return a fixed 200 response to any incoming request :/
As far as I can tell, listeners, health checks, security groups, all including ports, should be lined up to work with one another. All "usual" target groups behind the ELB are healthy and working as intended.
The target group doesn't provide any details why health checks fail (generic 'unhealthy' status and 'Health checks failed' message).
The only (possible) clue I found so far was in the ELB's access logs, which contain some requests from a seemingly random IP with no HTTP method and no content (length 0); they are immediately rejected by the ELB with HTTP 400 without the request being sent to any target. Not sure if these are the health checks, but even setting up a fixed response rule for them didn't solve anything.
I tried both answers presented in a similar question (made sure the health checks are performed over https on port 443 and that the security groups allow any possible flow of traffic between the NLB and ALB), but to no avail.
 
Turns out I'm both blind and dumb, as I was missing an outgoing rule in NLB security group to allow traffic to go from NLB to the ALB.
The second thing I missed was a bad choice of security policy for the listener that was forwarding traffic to the target group in question – at the moment of writing it seems like TLS 1.3-only fails on an NLB origin. (credit for this part goes to u/bluesoul on Reddit)
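The two root causes in the answer above (no egress rule on the NLB's security group, and a TLS 1.3-only policy on the NLB's TLS listener) are both visible in plain AWS CLI output, so the following added example (my code, not the poster's) checks for them offline. It takes JSON in the shape printed by `aws ec2 describe-security-groups` and `aws elbv2 describe-listeners`; the embedded sample is constructed to reproduce the broken state, and the security group IDs, ARNs and the assumption that the ALB listens on tcp/443 are made up for the illustration. The `fix()` helper shows the corrected form of each setting: a tcp/443 egress rule from the NLB security group to the ALB security group, and the `ELBSecurityPolicy-TLS13-1-2-2021-06` policy, which allows TLS 1.2 alongside 1.3.

```python
"""Offline checker for an NLB -> ALB target group setup.

Input is the JSON shape produced by `aws ec2 describe-security-groups`
and `aws elbv2 describe-listeners`. The sample below is constructed
(IDs and ARNs are hypothetical) and reproduces the two problems from
the post: no egress on the NLB security group, and a TLS 1.3-only
listener policy.
"""
import json

NLB_SG_ID = "sg-0aaaaaaaaaaaaaaaa"   # hypothetical
ALB_SG_ID = "sg-0bbbbbbbbbbbbbbbb"   # hypothetical
ALB_PORT = 443                       # assumed ALB listener port

SECURITY_GROUPS_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": NLB_SG_ID,
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
     # Empty egress: the NLB can accept clients but cannot reach (or health-check) the ALB.
     "IpPermissionsEgress": []},
    {"GroupId": ALB_SG_ID,
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": NLB_SG_ID}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "UserIdGroupPairs": []}]},
]})

LISTENERS_JSON = json.dumps({"Listeners": [
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/net/example/abc/def",
     "Port": 443, "Protocol": "TLS",
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-3-2021-06",   # TLS 1.3-only policy
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/alb-tg/123"}]},
]})

TLS13_ONLY_PREFIX = "ELBSecurityPolicy-TLS13-1-3"
RECOMMENDED_POLICY = "ELBSecurityPolicy-TLS13-1-2-2021-06"


def rule_covers(rule, port, peer_sg_id):
    """True if a security-group rule allows TCP `port` to/from `peer_sg_id` (or to anywhere)."""
    proto = rule.get("IpProtocol")
    if proto not in ("-1", "tcp"):
        return False
    # "-1" (all traffic) rules carry no port range in the CLI output.
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    peers = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
    cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    return lo <= port <= hi and (peer_sg_id in peers or "0.0.0.0/0" in cidrs)


def check(sg_json, listeners_json, nlb_sg_id, alb_sg_id, alb_port):
    """Return a list of findings; an empty list means both settings look right."""
    sgs = {g["GroupId"]: g for g in json.loads(sg_json)["SecurityGroups"]}
    nlb, alb = sgs[nlb_sg_id], sgs[alb_sg_id]
    findings = []
    if not any(rule_covers(r, alb_port, alb_sg_id) for r in nlb["IpPermissionsEgress"]):
        findings.append(f"{nlb_sg_id}: no egress rule to {alb_sg_id} on tcp/{alb_port}")
    if not any(rule_covers(r, alb_port, nlb_sg_id) for r in alb["IpPermissions"]):
        findings.append(f"{alb_sg_id}: no ingress rule from {nlb_sg_id} on tcp/{alb_port}")
    for lsn in json.loads(listeners_json)["Listeners"]:
        policy = lsn.get("SslPolicy", "")
        if lsn.get("Protocol") == "TLS" and policy.startswith(TLS13_ONLY_PREFIX):
            findings.append(f"listener :{lsn['Port']}: policy {policy} is TLS 1.3-only")
    return findings


def fix(sg_json, listeners_json, nlb_sg_id, alb_sg_id, alb_port):
    """Return corrected (sg_json, listeners_json): add the egress rule, relax the policy."""
    sgs = json.loads(sg_json)
    for g in sgs["SecurityGroups"]:
        if g["GroupId"] == nlb_sg_id:
            g["IpPermissionsEgress"].append({
                "IpProtocol": "tcp", "FromPort": alb_port, "ToPort": alb_port,
                "IpRanges": [], "UserIdGroupPairs": [{"GroupId": alb_sg_id}]})
    listeners = json.loads(listeners_json)
    for lsn in listeners["Listeners"]:
        if lsn.get("Protocol") == "TLS" and lsn.get("SslPolicy", "").startswith(TLS13_ONLY_PREFIX):
            lsn["SslPolicy"] = RECOMMENDED_POLICY
    return json.dumps(sgs), json.dumps(listeners)


if __name__ == "__main__":
    for f in check(SECURITY_GROUPS_JSON, LISTENERS_JSON, NLB_SG_ID, ALB_SG_ID, ALB_PORT):
        print("FINDING:", f)
    fixed_sgs, fixed_listeners = fix(SECURITY_GROUPS_JSON, LISTENERS_JSON, NLB_SG_ID, ALB_SG_ID, ALB_PORT)
    print("after fix:", check(fixed_sgs, fixed_listeners, NLB_SG_ID, ALB_SG_ID, ALB_PORT))
```

To run it against a real account, replace the two embedded JSON strings with the output of `aws ec2 describe-security-groups --group-ids <nlb-sg> <alb-sg>` and `aws elbv2 describe-listeners --load-balancer-arn <nlb-arn>`; the ID and port constants are the only other thing to adjust. The check deliberately treats a `0.0.0.0/0` rule as sufficient, so a default "allow all outbound" NLB security group passes; the finding only fires when, as in the post, outbound traffic to the ALB is genuinely blocked.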