diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/nlb/network-target-group.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/nlb/network-target-group.ts
index 5fe5fc5a23ba7..054dffc5c622b 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/nlb/network-target-group.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/nlb/network-target-group.ts
@@ -103,14 +103,25 @@ export class NetworkTargetGroup extends TargetGroupBase implements INetworkTarge
         ret.push(`Health check interval '${seconds}' not supported. Must be one of the following values '${allowedIntervals.join(',')}'.`);
       }
     }
-    if (healthCheck.path) {
-      ret.push('Health check paths are not supported for Network Load Balancer health checks');
+
+    if (!healthCheck.protocol) {
+      return ret;
     }
-    if (healthCheck.protocol && !NLB_HEALTH_CHECK_PROTOCOLS.includes(healthCheck.protocol)) {
+
+    if (!NLB_HEALTH_CHECK_PROTOCOLS.includes(healthCheck.protocol)) {
       ret.push(`Health check protocol '${healthCheck.protocol}' is not supported. Must be one of [${NLB_HEALTH_CHECK_PROTOCOLS.join(', ')}]`);
     }
-    if (healthCheck.timeout) {
-      ret.push('Custom health check timeouts are not supported for Network Load Balancer health checks');
+    if (healthCheck.path && !NLB_PATH_HEALTH_CHECK_PROTOCOLS.includes(healthCheck.protocol)) {
+      ret.push([
+        `'${healthCheck.protocol}' health checks do not support the path property.`,
+        `Must be one of [${NLB_PATH_HEALTH_CHECK_PROTOCOLS.join(', ')}]`
+      ].join(' '));
+    }
+    if (healthCheck.timeout && healthCheck.timeout.toSeconds() !== NLB_HEALTH_CHECK_TIMEOUTS[healthCheck.protocol]) {
+      ret.push([
+        'Custom health check timeouts are not supported for Network Load Balancer health checks.',
+        `Expected ${NLB_HEALTH_CHECK_TIMEOUTS[healthCheck.protocol]} seconds for ${healthCheck.protocol}, got ${healthCheck.timeout.toSeconds()}`
+      ].join(' '));
     }
 
     return ret;
@@ -152,4 +163,10 @@ export interface INetworkLoadBalancerTarget {
   attachToNetworkTargetGroup(targetGroup: INetworkTargetGroup): LoadBalancerTargetProps;
 }
 
-const NLB_HEALTH_CHECK_PROTOCOLS = [Protocol.HTTP, Protocol.HTTPS, Protocol.TCP];
\ No newline at end of file
+const NLB_HEALTH_CHECK_PROTOCOLS = [Protocol.HTTP, Protocol.HTTPS, Protocol.TCP];
+const NLB_PATH_HEALTH_CHECK_PROTOCOLS = [Protocol.HTTP, Protocol.HTTPS];
+const NLB_HEALTH_CHECK_TIMEOUTS: {[protocol in Protocol]?: number} =  {
+  [Protocol.HTTP]: 6,
+  [Protocol.HTTPS]: 10,
+  [Protocol.TCP]: 10,
+};
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/nlb/test.listener.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/nlb/test.listener.ts
index 02d2ded66d69b..ef1189ecb3663 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/nlb/test.listener.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/nlb/test.listener.ts
@@ -230,6 +230,60 @@ export = {
     test.done();
   },
 
+  'validation error if invalid path health check protocol'(test: Test) {
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Stack');
+    const lb = new elbv2.NetworkLoadBalancer(stack, 'LB', { vpc });
+    const listener = lb.addListener('PublicListener', { port: 80 });
+    const targetGroup = listener.addTargets('ECS', {
+      port: 80,
+      healthCheck: {
+        interval: cdk.Duration.seconds(60)
+      }
+    });
+
+    targetGroup.configureHealthCheck({
+      interval: cdk.Duration.seconds(30),
+      protocol: elbv2.Protocol.TCP,
+      path: '/'
+    });
+
+    // THEN
+    const validationErrors: string[] = (targetGroup as any).validate();
+    test.deepEqual(validationErrors, [
+      "'TCP' health checks do not support the path property. Must be one of [HTTP, HTTPS]"
+    ]);
+
+    test.done();
+  },
+
+  'validation error if invalid timeout health check'(test: Test) {
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Stack');
+    const lb = new elbv2.NetworkLoadBalancer(stack, 'LB', { vpc });
+    const listener = lb.addListener('PublicListener', { port: 80 });
+    const targetGroup = listener.addTargets('ECS', {
+      port: 80,
+      healthCheck: {
+        interval: cdk.Duration.seconds(60)
+      }
+    });
+
+    targetGroup.configureHealthCheck({
+      interval: cdk.Duration.seconds(30),
+      protocol: elbv2.Protocol.HTTP,
+      timeout: cdk.Duration.seconds(10),
+    });
+
+    // THEN
+    const validationErrors: string[] = (targetGroup as any).validate();
+    test.deepEqual(validationErrors, [
+      "Custom health check timeouts are not supported for Network Load Balancer health checks. Expected 6 seconds for HTTP, got 10"
+    ]);
+
+    test.done();
+  },
+
   'Protocol & certs TLS listener'(test: Test) {
     const stack = new cdk.Stack();
     const vpc = new ec2.Vpc(stack, 'Stack');