A security group is used as a virtual firewall for your Network Load Balancer (NLB) instances to manage inbound traffic and outbound traffic and improve resource security. Security groups provide Stateful Packet Inspection (SPI) and packet filtering capabilities. This topic describes how to add an NLB instance to a security group and how to remove an NLB instance from a security group. This topic also describes the scenarios and the limits on security groups.

Scenarios

If an NLB instance is not added to a security group, all requests are allowed on the listening port of the NLB instance by default.

If your NLB instance has access control requirements and you want to control the inbound traffic of the NLB instance, you can add the NLB instance to a security group and configure security group rules based on your business requirements.
Important: The outbound traffic of an NLB instance consists of the return packets of user requests. To ensure that your service is not affected, NLB security groups do not impose limits on outbound traffic. You do not need to configure outbound rules for security groups.

Limits

  • NLB instances cannot be added to managed security groups or advanced security groups. For more information about managed security groups, see Managed security groups.
  • NLB instances can be added to only security groups in virtual private clouds (VPCs). The security groups and the NLB instances must belong to the same VPC.
  • An NLB instance can be added to at most four security groups.
  • NLB instances created during the public preview cannot be added to a security group. To use the security group feature, replace the NLB instances or purchase new NLB instances.

Prerequisites

Add an instance to a security group

You can add an NLB instance to a security group to allow or deny access to the NLB instance from the Internet or from private networks.

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region of the NLB instance.
  3. On the Instances page, find the NLB instance that you want to manage and click its ID. On the instance details page, click the Security Groups tab.
  4. On the Security Groups tab, click Create Security Group. In the Add NLB Instance to Security Group dialog box, select one or more security groups and click OK.
    You can add an NLB instance to at most four security groups. To create a security group, click Create Security Group from the Security Groups drop-down list. For more information, see Create a security group.
  5. In the left-side navigation pane, click the ID of the security group that you want to manage. You can click the Inbound Policies or Outbound Policies tab to view the security group rules.
    To modify an inbound rule of a security group, click the security group ID in the Basic Information section, or click ECS Console in the upper-right corner of the Security Groups tab to go to the Security Group Rules page. For more information about how to modify security group rules in the ECS console, see Modify security group rules.
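The following added example (not part of the Alibaba Cloud documentation, and not an NLB API) models the rules from this topic as a pre-change check: it rejects an attachment that violates the stated limits (managed or advanced groups, a different VPC, more than four groups) and reports which source CIDRs can reach a listener port, treating "no security group attached" as open to everyone. Group types, rule fields and sample IDs are constructed; priority and drop-rule ordering are deliberately simplified.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

MAX_GROUPS_PER_NLB = 4                 # limit stated in the topic
UNSUPPORTED_TYPES = {"managed", "advanced"}

@dataclass
class Rule:
    port_from: int
    port_to: int
    source: str                         # source CIDR, e.g. "10.0.0.0/8"
    policy: str = "accept"              # "accept" or "drop"

@dataclass
class SecurityGroup:
    sg_id: str
    vpc_id: str
    sg_type: str = "normal"             # constructed: "normal", "managed" or "advanced"
    inbound: list = field(default_factory=list)

def validate_attachment(nlb_vpc_id, groups):
    """Return the reasons the attachment would be rejected (empty list means OK)."""
    problems = []
    if len(groups) > MAX_GROUPS_PER_NLB:
        problems.append(f"{len(groups)} groups selected; at most {MAX_GROUPS_PER_NLB} allowed")
    for g in groups:
        if g.sg_type in UNSUPPORTED_TYPES:
            problems.append(f"{g.sg_id} is a {g.sg_type} security group")
        if g.vpc_id != nlb_vpc_id:
            problems.append(f"{g.sg_id} is in {g.vpc_id}, the NLB is in {nlb_vpc_id}")
    return problems

def listener_sources(groups, port):
    """Accepted source CIDRs for `port` across all attached groups.
    With no group attached the listener accepts requests from anywhere.
    Assumption: only accept rules are evaluated; rule priorities are ignored."""
    if not groups:
        return {"0.0.0.0/0"}
    sources = set()
    for g in groups:
        for r in g.inbound:
            if r.policy == "accept" and r.port_from <= port <= r.port_to:
                sources.add(str(ip_network(r.source, strict=False)))
    return sources

def open_to_internet(groups, port):
    """True if any accepted source is a zero-length prefix (0.0.0.0/0 or ::/0)."""
    return any(ip_network(s).prefixlen == 0 for s in listener_sources(groups, port))
```

Run `validate_attachment` on the planned groups before clicking OK in the console, and `open_to_internet` afterwards to confirm the listener is no longer reachable from every source.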

Remove an NLB instance from a security group

You can remove an NLB instance from a security group based on your business requirements. You cannot remove an NLB instance from multiple security groups at a time in the console.

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region of the NLB instance.
  3. On the Instances page, find the NLB instance that you want to manage and click its ID. On the instance details page, click the Security Groups tab.
  4. On the Security Groups tab, click the ID of the security group that you want to manage. Then, click Remove in the upper-right corner.
  5. In the Remove message, click OK.
