All Products
Search
Document Center

Server Load Balancer:Add an NLB instance to a security group

Last Updated:Jun 29, 2026

Security groups let you control inbound traffic to a Network Load Balancer (NLB) instance based on protocols, ports, and IP addresses. This page explains how to add an NLB instance to a security group and remove it, along with key behaviors and constraints.

How it works

By default—whether or not the NLB instance is associated with a security group—its listener ports accept all inbound requests. Adding a security group with only Allow rules does not change this behavior. To restrict access to specific IP addresses, add at least one Deny rule to the security group.

NLB security groups apply to inbound traffic only. Outbound traffic (responses to client requests) is never restricted, so no outbound rules are required.

Managed security group

When you create an NLB instance, the system automatically creates a managed security group in the same virtual private cloud (VPC). This security group is read-only—you can view its rules but cannot modify them.

The managed security group contains the following rules:

Priority

Action

Protocol

Source

Port range

Description

1

Allow

All

NLB local IP addresses

All

Enables communication between the NLB instance and its backend servers, and allows health check traffic

100

Allow

All

0.0.0.0/0

All

Allows all inbound traffic by default

(invisible)

Deny

All

0.0.0.0/0

All

Default deny-all rule built into basic and advanced security groups; the priority-100 Allow rule takes precedence

Important

Do not add Deny rules with priority 1 that target the NLB local IP addresses. Such rules conflict with the managed security group and can disrupt communication between the NLB instance and its backend servers. To check the local IP addresses of your NLB instance, log on to the NLB console.

Limitations

Item

Details

Supported security group types

Basic security group, advanced security group

Unsupported security group type

Managed security group

Same VPC required

The security group and the NLB instance must belong to the same VPC

Maximum number of security groups

Up to 4 security groups per NLB instance

Mixed types not allowed

All security groups associated with an NLB instance must be of the same type. To switch from basic to advanced, remove the NLB instance from the basic security group first. To switch from advanced to basic, remove the NLB instance from the advanced security group first

Quota calculation

Available security group slots = ENI security group quota for ECS − 1 (reserved for the managed security group)

Security group rule quota

Available rule slots = ENI security group rule quota for ECS − number of rules in the managed security group

Legacy instances

NLB instances created before September 30, 2022 (during the public preview) cannot be added to security groups. Replace these instances or purchase new ones to use this feature

For details on basic and advanced security group differences, see Basic and advanced security groups.

Prerequisites

Before you begin, ensure that you have:

Add an NLB instance to a security group

  1. Log on to the NLB console.

  2. In the top navigation bar, select the region where your NLB instance is deployed.

  3. On the Instances page, click the instance ID. On the Instance Details tab, click the Security Groups tab.

  4. Click Create Security Group. In the Add NLB Instance to Security Group dialog box, select one or more security groups, then click OK. To create a new security group from this page, click Create Security Group from the Security Groups drop-down list. An NLB instance can be added to at most four security groups.

  5. To view the rules of an associated security group, click its ID in the left-side navigation pane, then select the Inbound Policies or Outbound Policies tab. To modify inbound rules, click the security group ID in the Basic Information section, or click ECS Console in the upper-right corner of the Security Groups tab to go to the Security Group Details page in the Elastic Compute Service (ECS) console. See Modify a security group rule.

Remove an NLB instance from a security group

You can only remove one security group at a time from the console.

  1. Log on to the NLB console.

  2. In the top navigation bar, select the region where your NLB instance is deployed.

  3. On the Instances page, click the instance ID. On the Instance Details tab, click the Security Groups tab.

  4. Click the ID of the security group to remove, then click Remove in the upper-right corner.

  5. In the Remove dialog box, click OK.

API operations

Use the following API operations to manage security group associations programmatically:

Operation

Description

Example

LoadBalancerJoinSecurityGroup

Adds an NLB instance to a security group

See linked API reference for request parameters and examples

LoadBalancerLeaveSecurityGroup

Removes an NLB instance from a security group

See linked API reference for request parameters and examples

What's next