夢のの夢

Reputation: 5866

Can AWS Internet Facing NLB connect to internal/private ALB?

I am currently working on an application cloud infrastructure stack as follows:

Route 53 -> API Gateway -> VPC Link -> NLB (Internal) with VPC private subnets -> Target Group (ALB IP Addresses) -> ALB (Internal) -> EKS

Above setup seems convoluted so I tried just exposing NLB publicly.

NLB (Internet Facing) with VPC public subnets -> Target Group (ALB IP Addresses) -> ALB (Internal) -> EKS

This generates an NLB DNS record, but every time I try calling it the request simply hangs and times out or errors out. My assumption is that since the ALB is internal, without VPC Links there are rules that block public traffic from the Internet-facing NLB. If the above setup is not possible, does it make sense to have a simple setup as below?

NLB (Internet Facing) -> EKS
# or 
ALB (Internet Facing) -> EKS

Upvotes: 1

Views: 1731

Answers (1)

Oleksandr Khalin

Reputation: 56

Timeout errors could be caused by a problem in the Security Group configuration. Note that the NLB always preserves the client's IP when ALB is specified as the target type:

When you specify targets by Application Load Balancer type, the client IP of all incoming traffic is preserved by the Network Load Balancer and is sent to the Application Load Balancer. The Application Load Balancer then appends the client IP to the X-Forwarded-For request header before sending it to the target.

It means that even though the ALB is in a private subnet, it will 'see' the real source IP, not the NLB's one. Make sure the ALB security group explicitly allows inbound traffic from all clients' public IPs. If the ALB needs to be publicly accessible, all traffic on the specific ports must be allowed.

Upvotes: 1
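To make the security-group point above concrete, here is an added example (not part of the answer and not AWS tooling) that evaluates an ALB security group's ingress rules, in the shape `ec2.describe_security_groups()` returns, against a client IP and listener port. The group IDs, CIDRs and probe address are constructed; the check covers CIDR-based rules only.

```python
import ipaddress

# Constructed sample security groups, in the shape boto3's
# ec2.describe_security_groups() returns (only the fields used here).
SG_VPC_ONLY = {  # weak for this topology: admits only VPC-internal sources
    "GroupId": "sg-0example0private",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}
SG_PUBLIC_443 = {  # corrected: admits any client on the HTTPS listener port
    "GroupId": "sg-0example0public",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}


def allows_inbound(sg, client_ip, port, proto="tcp"):
    """True if a CIDR-based ingress rule of sg admits proto/port from client_ip.

    Because the NLB preserves the client IP for ALB targets, the address the
    ALB's security group must admit is the client's own, so only IpRanges and
    Ipv6Ranges are evaluated here (security-group references are ignored).
    """
    ip = ipaddress.ip_address(client_ip)
    range_key, cidr_key = (("IpRanges", "CidrIp") if ip.version == 4
                           else ("Ipv6Ranges", "CidrIpv6"))
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] not in (proto, "-1"):
            continue
        # "-1" (all traffic) carries no port fields; otherwise check the range
        if perm["IpProtocol"] != "-1" and not (
                perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            continue
        for r in perm.get(range_key, []):
            if ip in ipaddress.ip_network(r[cidr_key], strict=False):
                return True
    return False


def audit_public_reachability(sg, ports, probe_ip="203.0.113.10"):
    """Return the listener ports a public client (TEST-NET-3 probe) cannot reach."""
    return [p for p in ports if not allows_inbound(sg, probe_ip, p)]


if __name__ == "__main__":
    for sg in (SG_VPC_ONLY, SG_PUBLIC_443):
        blocked = audit_public_reachability(sg, [443])
        print(sg["GroupId"], "blocks public clients on ports:", blocked)
```

Running it reports that the VPC-only group blocks public clients on 443 while the corrected group admits them, which is the symptom (hanging requests) the question describes.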
