Manage traffic on Application Load Balancer (ALB) instances by attaching security groups through the AlbConfig custom resource. Security groups provide an alternative to access control lists (ACLs) for controlling network access.
## Prerequisites

Before you begin, make sure that you have:

- A security group with rules configured
- ALB Ingress controller 2.15.0 or later installed in your cluster

If you use an ACK dedicated cluster with ALB Ingress, authorize the cluster to access the ALB Ingress controller before you deploy services.
## Add security groups to the AlbConfig

### Step 1: Get the security group ID

1. Log on to the ECS console.
2. In the left-side navigation pane, choose Network & Security > Security Groups.
3. In the upper-left corner of the top navigation bar, select the resource group and region.
4. Copy the security group ID.
### Step 2: Add security groups to the AlbConfig

Add the securityGroupIds field under spec.config in your AlbConfig manifest. Specify one or more security group IDs based on your quota and security group type.

```yaml
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    name: alb-test
    addressType: Intranet
    zoneMappings:
    - vSwitchId: vsw-uf6k2yoy*************
    - vSwitchId: vsw-uf6pv7wg*************
    securityGroupIds: # Security group IDs
    - sg-uf6blkp8************ # First security group
    - sg-djladhla************ # Second security group
    addressAllocatedMode: Fixed
  listeners:
  - port: 80
    protocol: HTTP
```

| Field | Type | Description |
|---|---|---|
| securityGroupIds | String array | List of security group IDs to attach to the ALB instance. All security groups must be in the same VPC as the ALB instance and of the same type (all basic or all advanced). |

Apply the AlbConfig:

```bash
kubectl apply -f albconfig.yaml
```

### Step 3: Verify the configuration

Run the following command to check the AlbConfig:

```bash
kubectl get albconfig alb -o yaml
```

Verify that the output includes the security group IDs you specified under spec.config.securityGroupIds.
## Constraints and behavior

### ALB instance requirements

Upgraded ALB instances support both security groups and ACLs. Non-upgraded ALB instances support only ACLs. New ALB instances are the upgraded version by default. To upgrade existing non-upgraded instances, contact your account manager.

### Security group and ACL mutual exclusion

Security groups and ACLs cannot coexist on the same ALB instance. To switch between them:

1. Remove the current configuration (security group or ACL) from the AlbConfig.
2. Save the AlbConfig and wait for the change to take effect.
3. Add the new configuration.

### Supported security group types

ALB supports basic security groups and advanced security groups. Managed security groups are not supported. For details, see Basic security groups and advanced security groups.
| Constraint | Description |
|---|---|
| Same VPC | The security group and the ALB instance must belong to the same virtual private cloud (VPC). |
| Same type | All security groups attached to an ALB instance must be of the same type. To switch from basic to advanced security groups (or vice versa), remove the ALB instance from all existing security groups first. |
| Quota: security groups | Maximum security groups per ALB instance = Security group quota for all backend Elastic Compute Service (ECS) instances or elastic network interfaces (ENIs) minus 1 (reserved for the managed security group). |
| Quota: rules | Maximum effective rules per ALB instance = Security group rule quota for all backend ECS instances or ENIs minus the number of rules in the ALB managed security group. |
### Update behavior

When you modify the securityGroupIds list, the ALB Ingress controller first binds the new security groups, then unbinds the removed ones. For example, changing from sg-1, sg-2, sg-3 to sg-3, sg-4, sg-5 results in the controller adding sg-4 and sg-5 before removing sg-1 and sg-2.

Because new groups are bound before removed groups are unbound, the number of security groups attached during the update briefly equals the union of the old and new lists. Keep each update small enough that this transient count stays within the quota limit.
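A pre-flight check for a securityGroupIds change, written as an added example (not code from the ALB Ingress controller or this page): it reproduces the bind-then-unbind order described above to compute the transient peak, and checks the same-VPC and same-type constraints. The security group inventory, VPC IDs and quota value are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Plan:
    to_bind: list            # groups added; the controller binds these first
    to_unbind: list          # groups removed; unbound after the binds
    peak: int                # groups attached while both sets coexist
    problems: list = field(default_factory=list)  # empty when the plan is safe

def plan_update(current, desired, inventory, alb_vpc, quota):
    """Check a securityGroupIds change before applying the AlbConfig.

    inventory maps sg id -> {"vpc": ..., "type": "basic" | "advanced"}
    (hypothetical lookup data); quota is the per-instance limit, i.e.
    the backend ECS/ENI security group quota minus 1."""
    to_bind = [sg for sg in desired if sg not in current]
    to_unbind = [sg for sg in current if sg not in desired]
    # Bind-then-unbind means the instance briefly carries the union.
    peak = len(set(current) | set(desired))
    problems = []
    for sg in desired:
        info = inventory.get(sg)
        if info is None:
            problems.append(f"{sg}: unknown security group")
        elif info["vpc"] != alb_vpc:
            problems.append(f"{sg}: not in ALB VPC {alb_vpc}")
    types = {inventory[sg]["type"] for sg in desired if sg in inventory}
    if len(types) > 1:
        problems.append("mixed security group types: " + ", ".join(sorted(types)))
    if peak > quota:
        problems.append(f"transient peak {peak} exceeds quota {quota}; "
                        "split the change into smaller updates")
    return Plan(to_bind, to_unbind, peak, problems)

# Constructed sample inventory; IDs and VPCs are placeholders.
SAMPLE_INVENTORY = {
    "sg-1": {"vpc": "vpc-a", "type": "basic"},
    "sg-2": {"vpc": "vpc-a", "type": "basic"},
    "sg-3": {"vpc": "vpc-a", "type": "basic"},
    "sg-4": {"vpc": "vpc-a", "type": "basic"},
    "sg-5": {"vpc": "vpc-a", "type": "basic"},
    "sg-6": {"vpc": "vpc-b", "type": "advanced"},
}

if __name__ == "__main__":
    # The page's own example: sg-1, sg-2, sg-3 -> sg-3, sg-4, sg-5.
    print(plan_update(["sg-1", "sg-2", "sg-3"], ["sg-3", "sg-4", "sg-5"],
                      SAMPLE_INVENTORY, "vpc-a", quota=4))
```

With a quota of 4 the page's example is flagged, because five groups are attached at the moment both sets coexist; with a quota of 5 the same change passes.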
### Default traffic behavior

After an ALB instance joins a security group without Deny rules, all listener ports allow all traffic by default. To restrict access to specific IP addresses, add a Deny rule. Do not configure outbound Deny rules in security groups for ALB instances to avoid service interruptions. For more information, see Scenarios.

### Backend service connectivity

Configure security policies for nodes, ENIs, and pods in the ACK cluster to allow traffic from the ALB instance. Allow the CIDR block of the vSwitch to which the ALB instance belongs in the backend security group rules to maintain connectivity with backend services.