Security groups let you control inbound traffic to a Network Load Balancer (NLB) instance based on protocols, ports, and IP addresses. This page explains how to add an NLB instance to a security group and remove it, along with key behaviors and constraints.
How it works
By default—whether or not the NLB instance is associated with a security group—its listener ports accept all inbound requests. Adding a security group with only Allow rules does not change this behavior. To restrict access to specific IP addresses, add at least one Deny rule to the security group.
NLB security groups apply to inbound traffic only. Outbound traffic (responses to client requests) is never restricted, so no outbound rules are required.
Managed security group
When you create an NLB instance, the system automatically creates a managed security group in the same virtual private cloud (VPC). This security group is read-only—you can view its rules but cannot modify them.
The managed security group contains the following rules:
Priority | Action | Protocol | Source | Port range | Description |
1 | Allow | All | NLB local IP addresses | All | Enables communication between the NLB instance and its backend servers, and allows health check traffic |
100 | Allow | All | 0.0.0.0/0 | All | Allows all inbound traffic by default |
(invisible) | Deny | All | 0.0.0.0/0 | All | Default deny-all rule built into basic and advanced security groups; the priority-100 Allow rule takes precedence |
Do not add Deny rules with priority 1 that target the NLB local IP addresses. Such rules conflict with the managed security group and can disrupt communication between the NLB instance and its backend servers. To check the local IP addresses of your NLB instance, log on to the NLB console.
Limitations
Item | Details |
Supported security group types | Basic security group, advanced security group |
Unsupported security group type | Managed security group |
Same VPC required | The security group and the NLB instance must belong to the same VPC |
Maximum number of security groups | Up to 4 security groups per NLB instance |
Mixed types not allowed | All security groups associated with an NLB instance must be of the same type. To switch from basic to advanced, remove the NLB instance from the basic security group first. To switch from advanced to basic, remove the NLB instance from the advanced security group first |
Quota calculation | Available security group slots = ENI security group quota for ECS − 1 (reserved for the managed security group) |
Security group rule quota | Available rule slots = ENI security group rule quota for ECS − number of rules in the managed security group |
Legacy instances | NLB instances created before September 30, 2022 (during the public preview) cannot be added to security groups. Replace these instances or purchase new ones to use this feature |
For details on basic and advanced security group differences, see Basic and advanced security groups.
Prerequisites
Before you begin, ensure that you have:
An NLB instance with at least one listener configured. See Create and manage NLB instances
A security group with the required rules. See Security groups.
Add an NLB instance to a security group
Log on to the NLB console.
In the top navigation bar, select the region where your NLB instance is deployed.
On the Instances page, click the instance ID. On the Instance Details tab, click the Security Groups tab.
Click Create Security Group. In the Add NLB Instance to Security Group dialog box, select one or more security groups, then click OK. To create a new security group from this page, click Create Security Group from the Security Groups drop-down list. An NLB instance can be added to at most four security groups.
To view the rules of an associated security group, click its ID in the left-side navigation pane, then select the Inbound Policies or Outbound Policies tab. To modify inbound rules, click the security group ID in the Basic Information section, or click ECS Console in the upper-right corner of the Security Groups tab to go to the Security Group Details page in the Elastic Compute Service (ECS) console. See Modify a security group rule.
Remove an NLB instance from a security group
You can only remove one security group at a time from the console.
Log on to the NLB console.
In the top navigation bar, select the region where your NLB instance is deployed.
On the Instances page, click the instance ID. On the Instance Details tab, click the Security Groups tab.
Click the ID of the security group to remove, then click Remove in the upper-right corner.
In the Remove dialog box, click OK.
API operations
Use the following API operations to manage security group associations programmatically:
Operation | Description | Example |
Adds an NLB instance to a security group | See linked API reference for request parameters and examples | |
Removes an NLB instance from a security group | See linked API reference for request parameters and examples |
What's next
Configure IP-based access control: Use security groups as blacklists or whitelists
Configure protocol- and port-based access control: Control NLB listener access with security groups
Learn about security group types: Security group types