When using AWS Resource Endpoints with Dedicated Cloud Gateways, traffic flows through AWS VPC Lattice before reaching your backend resources.
VPC Lattice terminates the connection from your Dedicated Cloud Gateway and opens a new connection to your backend services.
Because of this, the source IP of this new connection is an AWS-managed Lattice IP, not the original Dedicated Cloud Gateway IP.
To allow this traffic, you must configure the inbound security group rules for whatever resource is acting as your backend target (for example, EC2 instances, Application Load Balancers, Network Load Balancers, or target Elastic Network Interfaces).
- In AWS, navigate to your VPC console.
- From the VPC sidebar, click Managed prefix lists.
- Search for the region where your backend resources (NLB/target group) are deployed (for example:
com.amazonaws.<backend-resource-region>.vpc-lattice).
- Copy the prefix list ID.
- Navigate to the security group for your backend target resource.
- Create a new security group or edit the inbound rules of an existing security group.
- In the Source field, enter the prefix list IDs, for example
pl-123456....
- Repeat steps 1-7 for all regions where your backend resources are deployed.