Container Service for Kubernetes:Use AlbConfigs to configure security groups

Last Updated:Mar 31, 2025

This topic describes how to use AlbConfigs to configure security groups to securely manage traffic on Application Load Balancer (ALB) instances. This topic also provides related security policies and configuration suggestions.

Prerequisites

Note

An ACK dedicated cluster accesses services by using an ALB Ingress. Before you deploy services, you must authorize the Container Service for Kubernetes (ACK) dedicated cluster to access the ALB Ingress controller.

Usage notes

When you configure a security group, take note of the following items.

Important

Upgraded ALB instances support both security groups and access control lists (ACLs) to control incoming traffic, while non-upgraded ALB instances support only ACLs. If you want to use security groups for ALB, create ALB instances, which are the upgraded version by default, or contact your account manager to apply for an upgrade on your existing non-upgraded instances.

  • Compatibility

    You cannot use both a security group and an access control list (ACL) on the same ALB instance, and you cannot switch directly between the two. To switch, first remove the current configuration from the AlbConfig and save it; after that change has been applied, add the ACL or the security group.

  • Update logic

    For example, if you change the security groups of an ALB instance from sg-1, sg-2, and sg-3 to sg-3, sg-4, and sg-5, the ALB Ingress controller first adds and binds sg-4 and sg-5, and only then unbinds sg-1 and sg-2. During the update the instance is therefore bound to all five groups at once. Limit the number of security groups you change in a single update so that this peak does not exceed the quota.

  • Type and quota

    Category: Security groups supported by ALB

    Security group type:

    • Basic security groups

    • Advanced security groups

    Description:

    • The security group must be in a virtual private cloud (VPC), and the security group and the ALB instance must be in the same VPC.

    • The security group and security group rule quotas for an ALB instance depend on the quotas of the backend Elastic Compute Service (ECS) instances associated with the ALB instance:

      • Maximum number of security groups that an ALB instance can be added to = Security group quota for all backend ECS instances (or elastic network interfaces (ENIs)) - 1 (the slot taken by the managed security group)

      • Maximum number of effective security group rules for an ALB instance = Security group rule quota for all backend ECS instances or ENIs - Number of security group rules in the managed security group for the ALB instance

    • The security groups that an ALB instance is added to must be of the same type. The same ALB instance cannot be added to a basic security group and an advanced security group at the same time.

      To move an ALB instance from a basic security group to an advanced security group, remove the ALB instance from all basic security groups before you add it to the advanced security group.

    For more information about basic security groups and advanced security groups, see Basic security groups and advanced security groups.

    Category: Security groups not supported by ALB

    Security group type: Managed security group

    Description: For more information about managed security groups, see Managed security groups.

  • Security group behavior

    • After an ALB instance is added to a security group that contains no Deny rules, the listener ports of the ALB instance accept requests from all sources by default.

    • If you want to allow only specific IP addresses to access the ALB instance, you must add a Deny rule; an allow list is not enforced until the Deny rule exists. For more information, see Scenarios.

  • Suggestions on configuring security policies for backend services

    You can configure security policies for nodes, elastic network interfaces (ENIs), and pods in an ACK cluster. We recommend that you allow traffic from the CIDR block of the vSwitch to which the ALB instance belongs, so that the ALB instance can still reach the backend services.

Procedure

Before you create or update the security group configuration of an AlbConfig, obtain the ID of the security group that contains the rules you want to apply.

  1. Obtain the ID of the security group:

    1. Log on to the ECS console.

    2. In the left-side navigation pane, choose Network & Security > Security Groups.

    3. In the upper-left corner of the top navigation bar, select the resource group to which the resource belongs and the region in which the resource resides.

    4. Copy and save the ID of the security group.

  2. Create or update the AlbConfig.

    Add the securityGroupIds field to the AlbConfig and set it to the ID of the security group that you copied. The following example shows the configuration. You can list multiple security groups; how many you can add depends on the security group type and quota described in the usage notes.

    apiVersion: alibabacloud.com/v1
    kind: AlbConfig
    metadata:
      name: alb
    spec:
      config:
        name: alb-test
        addressType: Intranet
        zoneMappings:
        - vSwitchId: vsw-uf6k2yoy*************
        - vSwitchId: vsw-uf6pv7wg*************
        securityGroupIds: # The security groups to which the ALB instance is added. 
          - sg-uf6blkp8************ # The ID of the security group. 
          - sg-djladhla************ # The ID of the security group. 
        addressAllocatedMode: Fixed
      listeners:
        - port: 80
          protocol: HTTP
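The update order and quota rule from the usage notes, turned into a pre-flight check for the procedure above: it computes how many security groups the ALB instance is bound to at the peak of an update (additions are bound before removals are unbound) and, where a single update would exceed the quota, splits the change into successive AlbConfig updates. This is an added example, not code from Alibaba Cloud or the ALB Ingress controller; the security group IDs and quota value are constructed, and albconfig_patch assumes the AlbConfig is patched with kubectl patch --type merge.

```python
import json
from typing import List


def max_groups_for_alb(ecs_security_group_quota: int) -> int:
    """Quota rule from the usage notes: the security group quota of the backend
    ECS instances (or ENIs) minus the slot taken by ALB's managed security group."""
    return ecs_security_group_quota - 1


def peak_bound_groups(current: List[str], desired: List[str]) -> int:
    """The ALB Ingress controller binds added groups before it unbinds removed
    ones, so during one update the instance belongs to the union of both sets."""
    return len(set(current) | set(desired))


def plan_security_group_update(current: List[str], desired: List[str],
                               ecs_security_group_quota: int) -> List[List[str]]:
    """Split a securityGroupIds change into successive AlbConfig updates so that
    no single update pushes the bound-group count above the quota.
    Returns the securityGroupIds list to apply at each step ([] if no change)."""
    limit = max_groups_for_alb(ecs_security_group_quota)
    desired = list(dict.fromkeys(desired))        # de-duplicate, keep order
    if len(desired) > limit:
        raise ValueError(f"{len(desired)} security groups requested, quota allows {limit}")
    bound = list(dict.fromkeys(current))
    to_add = [sg for sg in desired if sg not in bound]
    steps: List[List[str]] = []
    while to_add or any(sg not in desired for sg in bound):
        room = max(limit - len(bound), 0)         # additions that fit this step
        adds, to_add = to_add[:room], to_add[room:]
        # Unbinding never raises the peak, so every stale group is dropped in this
        # step; when room is 0 the step only removes, making space for the next one.
        bound = [sg for sg in bound if sg in desired] + adds
        steps.append(list(bound))
    return steps


def albconfig_patch(security_group_ids: List[str]) -> str:
    """JSON merge patch body for one step (assumption: applied with
    kubectl patch albconfig <name> --type merge -p '<body>')."""
    return json.dumps({"spec": {"config": {"securityGroupIds": security_group_ids}}})


if __name__ == "__main__":
    # Constructed sample: the sg-1..sg-5 example from the usage notes with an ECS quota of 4
    current, desired = ["sg-1", "sg-2", "sg-3"], ["sg-3", "sg-4", "sg-5"]
    print("one-shot peak:", peak_bound_groups(current, desired), "limit:", max_groups_for_alb(4))
    for i, step in enumerate(plan_security_group_update(current, desired, 4), 1):
        print(f"step {i}: kubectl patch albconfig alb --type merge -p '{albconfig_patch(step)}'")
```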