Support for configuring enforce-security-group-inbound-rules-on-private-link-traffic #4257

Closed
@bengler9

Description

Describe the feature you are requesting
Support for configuring the enforce-security-group-inbound-rules-on-private-link-traffic attribute on Network Load Balancers (NLBs) provisioned by the AWS Load Balancer Controller, ideally via a Kubernetes Service annotation or CRD field.

Motivation
When using API Gateway VPC Link with NLBs (a common pattern for private integrations with EKS), AWS recommends disabling security group evaluation for PrivateLink traffic on the NLB. This is necessary because API Gateway VPC Link traffic may not originate from expected VPC CIDRs or security groups, and AWS does not guarantee the source IPs. Without this setting, users are forced to open NLB security groups to 0.0.0.0/0, which is not secure or compliant with best practices.

Currently, there is no way to configure this attribute via the AWS Load Balancer Controller, requiring manual or automated post-creation changes, which are not ideal for GitOps or IaC workflows.

Describe the proposed solution you'd like
Add support for a Service annotation (e.g., service.beta.kubernetes.io/aws-load-balancer-enforce-sg-on-privatelink-traffic: "off") or a CRD field that allows users to control the enforce-security-group-inbound-rules-on-private-link-traffic attribute for NLBs managed by the controller.

The controller should set this attribute to off on the NLB if the annotation/field is present and set to "off".

Describe alternatives you've considered
- Manually or programmatically updating the NLB after creation using the AWS CLI or SDK. This is error-prone and not compatible with declarative infrastructure management.
- Opening the NLB security group to 0.0.0.0/0, which is insecure and not recommended.
- Using custom automation (e.g., Lambda, scripts) to patch the NLB after creation, which adds operational complexity.

Contribution Intention (Optional)

- [ ] Yes, I am willing to contribute a PR to implement this feature
- [x] No, I cannot work on a PR at this time
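The post-creation workaround the issue mentions (setting the attribute through the AWS SDK) and the annotation semantics it proposes, as an added example that is not part of the issue or of the AWS Load Balancer Controller's code. It assumes the annotation name proposed above, the ELBv2 `describe_load_balancers` / `set_security_groups` calls as exposed by boto3 (the `EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic` field of the real API), and a constructed in-memory client so it runs offline; the NLB name, ARN and security group id are made-up sample values.

```python
"""Reconcile an NLB's PrivateLink security-group enforcement from a Service
annotation (example code; not the controller's implementation)."""
from typing import Any, Dict, List, Optional

# Annotation name as proposed in the issue; values mirror the ELBv2 API
# field EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic ("on"/"off").
ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-enforce-sg-on-privatelink-traffic"
VALID_VALUES = {"on", "off"}


def desired_enforce_setting(annotations: Dict[str, str]) -> Optional[str]:
    """Return "on"/"off" from the annotation, or None when it is absent.
    An unrecognised value fails loudly instead of silently loosening anything."""
    raw = annotations.get(ANNOTATION)
    if raw is None:
        return None
    value = raw.strip().lower()
    if value not in VALID_VALUES:
        raise ValueError(f"{ANNOTATION}={raw!r}: expected 'on' or 'off'")
    return value


def plan_update(lb: Dict[str, Any], desired: Optional[str]) -> Optional[Dict[str, Any]]:
    """Given one LoadBalancer dict (shape of describe_load_balancers output) and
    the desired setting, return the set_security_groups request needed to
    reconcile, or None when nothing should change."""
    if desired is None or lb.get("Type") != "network":
        return None
    sgs: List[str] = lb.get("SecurityGroups", [])
    if not sgs:
        return None  # the attribute only applies to NLBs that have security groups
    current = lb.get("EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic", "on")
    if current == desired:
        return None
    return {
        "LoadBalancerArn": lb["LoadBalancerArn"],
        "SecurityGroups": sgs,  # keep the existing groups; only the flag changes
        "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": desired,
    }


def reconcile(client, lb_name: str, annotations: Dict[str, str]) -> Optional[Dict[str, Any]]:
    """Look the NLB up by name and apply the annotation. `client` is anything with
    describe_load_balancers/set_security_groups, e.g. boto3.client("elbv2")."""
    desired = desired_enforce_setting(annotations)
    lb = client.describe_load_balancers(Names=[lb_name])["LoadBalancers"][0]
    req = plan_update(lb, desired)
    if req is not None:
        client.set_security_groups(**req)
    return req


class FakeElbv2:
    """Constructed in-memory stand-in for the ELBv2 client so the example runs offline."""

    def __init__(self, lbs: List[Dict[str, Any]]):
        self.lbs = {lb["LoadBalancerName"]: lb for lb in lbs}
        self.calls: List[Dict[str, Any]] = []

    def describe_load_balancers(self, Names: List[str]) -> Dict[str, Any]:
        return {"LoadBalancers": [self.lbs[n] for n in Names]}

    def set_security_groups(self, **kwargs) -> Dict[str, Any]:
        self.calls.append(kwargs)
        lb = next(x for x in self.lbs.values() if x["LoadBalancerArn"] == kwargs["LoadBalancerArn"])
        lb["SecurityGroups"] = kwargs["SecurityGroups"]
        lb["EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic"] = (
            kwargs["EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic"]
        )
        return {"SecurityGroupIds": kwargs["SecurityGroups"]}


# Constructed sample: one NLB with a security group, enforcement still "on".
SAMPLE_NLB = {
    "LoadBalancerName": "k8s-example-nlb",
    "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                       "loadbalancer/net/k8s-example-nlb/0123456789abcdef",
    "Type": "network",
    "SecurityGroups": ["sg-0123456789abcdef0"],
    "EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic": "on",
}


def demo():
    """First run patches the NLB; second run is a no-op because it already matches."""
    client = FakeElbv2([dict(SAMPLE_NLB)])
    first = reconcile(client, "k8s-example-nlb", {ANNOTATION: "off"})
    second = reconcile(client, "k8s-example-nlb", {ANNOTATION: "off"})
    return first, second, client.calls


if __name__ == "__main__":
    print(demo())
```

The security groups are passed back unchanged so that flipping the flag can never widen the group set, and the idempotent second run is what a controller's reconcile loop relies on.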
