i have NLB which has target group to which 3 instance in different AZ are registered.
as i went through documentation NLB doesn't have security group. so i added 3 inbound rules to ec2 instance security group which allow private IP of NLB's network interface from all the three AZ to send tcp traffic to ec2 instance.
Note:- health checks to all 3 ec2 instances are healthy.
when i tried the same thing by allowing traffic my private IP there wasn't time-out issue.
Based on the comments.
Since NLB does not have security groups (SGs), the target instances need to allow either private IP addresses of NLB nodes or IP addresses of clients. This depends whether client IP preservation is enabled or not.
By default:
Subsequently, SGs of the instances should allow all client IP addresses. Alternatively, you can disable client IP preservation, in which case, the SGs can use private IP addresses of NLB nodes.