
Register Targets with Your Target Group

You register your targets with one or more target groups. Each target group must have at least one registered target in each Availability Zone that is enabled for the load balancer. You can register targets by instance ID or by IP address. For more information, see Target Groups for Your Network Load Balancers.

If demand on your currently registered targets increases, you can register additional targets in order to handle the demand. When your target is ready to handle requests, register it with your target group. The load balancer starts routing requests to the target as soon as the registration process completes and the target passes the initial health checks.

If demand on your registered targets decreases, or you need to service a target, you can deregister it from your target group. The load balancer stops routing requests to a target as soon as you deregister it. When the target is ready to receive requests, you can register it with the target group again.

When you deregister a target, Elastic Load Balancing waits until in-flight requests have completed. This is known as connection draining. The status of a target is draining while connection draining is in progress.

If you are registering targets by instance ID, you can use your load balancer with an Auto Scaling group. After you attach a target group to an Auto Scaling group and the group scales out, the instances launched by the Auto Scaling group are automatically registered with the target group. If you detach the load balancer from the Auto Scaling group, the instances are automatically deregistered from the target group. For more information, see Attaching a Load Balancer to Your Auto Scaling Group in the Amazon EC2 Auto Scaling User Guide.

Target Security Groups

When you register EC2 instances as targets, you must ensure that the security groups for these instances allow traffic on both the listener port and the health check port.


  • Network Load Balancers do not have associated security groups. Therefore, the security groups for your targets must use IP addresses to allow traffic from the load balancer.
  • You cannot allow traffic from clients to targets through the load balancer using the security groups for the clients in the security groups for the targets. Use the client CIDR blocks in the target security groups instead.

Recommended Rules

Client IP addresses

If you do not want to grant access to the entire VPC CIDR, you can grant access to the private IP addresses used by the load balancer nodes. There is one IP address per load balancer subnet. To find these addresses, use the following procedure.

To find the private IP addresses to whitelist

  1. Open the Amazon EC2 console at

  2. In the navigation pane, choose Network Interfaces.

  3. In the search field, type the name of your Network Load Balancer. There is one network interface per load balancer subnet.

  4. On the Details tab for each network interface, copy the address from Primary private IPv4 IP.
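The procedure above yields one private IP per load balancer subnet; the check below is an added example (not part of the original documentation) that confirms a target security group admits each of those addresses on both the listener port and the health check port. It assumes input shaped like the JSON returned by `aws ec2 describe-network-interfaces` and `aws ec2 describe-security-groups`, and assumes Network Load Balancer interfaces carry a description of the form `ELB net/<name>/<id>`; the load balancer name, group ID, addresses and ports are constructed samples.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-network-interfaces` output.
SAMPLE_ENIS = {"NetworkInterfaces": [
    {"Description": "ELB net/my-nlb/0123456789abcdef", "PrivateIpAddress": "10.0.1.25"},
    {"Description": "ELB net/my-nlb/0123456789abcdef", "PrivateIpAddress": "10.0.2.77"},
    {"Description": "ELB app/other-lb/fedcba9876543210", "PrivateIpAddress": "10.0.1.9"},
]}

# Constructed target security group, shaped like one `describe-security-groups` entry.
SAMPLE_GROUP = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "10.0.1.25/32"}, {"CidrIp": "10.0.2.77/32"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "10.0.1.25/32"}]},
]}


def nlb_node_ips(eni_response, lb_name):
    """Primary private IPv4 address of every interface owned by the named NLB."""
    prefix = f"ELB net/{lb_name}/"  # assumed description format for NLB interfaces
    return sorted(eni["PrivateIpAddress"]
                  for eni in eni_response["NetworkInterfaces"]
                  if eni.get("Description", "").startswith(prefix))


def rule_allows(perm, ip, port):
    """True if one inbound permission admits TCP traffic from ip to port."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):  # "-1" means all protocols and all ports
        return False
    if proto == "tcp" and not perm["FromPort"] <= port <= perm["ToPort"]:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in perm.get("IpRanges", []))


def missing_access(group, node_ips, ports):
    """(ip, port) pairs that no inbound rule of the group admits."""
    return [(ip, port) for ip in node_ips for port in ports
            if not any(rule_allows(p, ip, port) for p in group["IpPermissions"])]


if __name__ == "__main__":
    ips = nlb_node_ips(SAMPLE_ENIS, "my-nlb")
    for ip, port in missing_access(SAMPLE_GROUP, ips, [80, 8080]):
        print(f"{SAMPLE_GROUP['GroupId']}: no inbound rule for {ip} on tcp/{port}")
```

In the sample, the node in the second subnet is allowed on the listener port but not on the health check port, so targets would fail health checks from that node.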

Targets and Internet-facing Load Balancers

With an Internet-facing load balancer, targets that are registered by instance ID must have a route to the Internet to provide connectivity. The targets in a public subnet have a route to the Internet through the Internet gateway. If a target in a private subnet is registered by instance ID, ensure that the route table for the subnet has a route to the Internet (for example, through a NAT gateway or an EC2 instance).

Network ACLs

The default network access control list (ACL) for a VPC allows all inbound and outbound traffic. If you create custom network ACLs, they must allow the load balancer and instances to communicate in both directions on the listener port, health check port, and ephemeral ports (1024-65535).

Register or Deregister Targets

The target type of your target group determines how you register targets with that target group. For more information, see Target Type.


  • You cannot register instances by instance ID if they have the following instance types: C1, CC1, CC2, CG1, CG2, CR1, G1, G2, HI1, HS1, M1, M2, M3, and T1. You can register instances of these types by IP address.
  • You cannot register instances in a peered VPC by instance ID; you must register them by IP address.


Register or Deregister Targets by Instance ID

The instance must be in the running state when you register it.

To register or deregister targets by instance ID

  1. Open the Amazon EC2 console at

  2. In the navigation pane, under LOAD BALANCING, choose Target Groups.

  3. Select the target group.

  4. Choose Targets, Edit.

  5. (Optional) For Registered instances, select any instances to be deregistered and choose Remove.

  6. (Optional) For Instances, select any running instances to be registered, modify the default instance port as needed, and then choose Add to registered.

  7. Choose Save.

Register or Deregister Targets by IP Address

The IP addresses that you register must be from one of the following CIDR blocks:

  • The subnets of the VPC for the target group
  • (RFC 1918)
  • (RFC 6598)
  • (RFC 1918)
  • (RFC 1918)

To register or deregister targets by IP address

  1. Open the Amazon EC2 console at

  2. In the navigation pane, under LOAD BALANCING, choose Target Groups.

  3. Select the target group and choose Targets, Edit.

  4. To register IP addresses, choose the Register targets icon (the plus sign) in the menu bar. For each IP address, specify the network, Availability Zone, IP address, and port, and then choose Add to list. When you are finished specifying addresses, choose Register.

  5. To deregister IP addresses, choose the Deregister targets icon (the minus sign) in the menu bar. If you have many registered IP addresses, you might find it helpful to add a filter or change the sort order. Select the IP addresses and choose Deregister.

  6. To leave this screen, choose the Back to target group icon (the back button) in the menu bar.

Register or Deregister Targets Using the AWS CLI

Use the register-targets command to add targets and the deregister-targets command to remove targets.
