Implement port-level access control with security groups
To control access to an Application Load Balancer (ALB) instance, configure a security group. Unlike access control lists (ACLs), ALB security groups support access control by protocol and port, and provide access control policies for IPv6 addresses.
Scenarios
If an ALB instance is not associated with a security group, its listener ports allow all inbound requests by default.
When an ALB instance is associated with a security group but no deny policy is configured, the ALB listener ports allow all inbound requests by default. To allow access only from specific IP addresses, add a deny policy as a catch-all rule.
To deny or allow access to an ALB instance from specific IP addresses, see Use security groups as blacklists or whitelists.
To implement protocol- or port-based access control for an ALB instance, see Implement port-level access control with security groups.
If your ALB instance requires access control and you want to control the inbound traffic of the ALB instance, you can add a security group to the ALB instance and configure corresponding security group rules based on your business requirements.
The outbound traffic from a load balancer consists of responses to client requests. To ensure normal business operations, the security group for an ALB instance does not restrict outbound traffic. You do not need to configure outbound rules for the security group.
After an ALB instance is created, the system automatically generates a Managed security groupsin the instance's VPC. This security group is managed by the ALB instance, and you have only view permissions. The ALB managed security group includes the following two types of security group rules:
A rule with a priority of 1: By default, allows traffic from the local IP address, which is used for communication with backend servers.
When adding security group rules, do not add a deny policy with a priority of 1 for the local IP address of the ALB instance. This would conflict with the managed security group policy and disrupt communication between the ALB instance and your backend servers. You can find the local IP address on the instance details page in the Application Load Balancer (ALB) console.
A rule with a priority of 100: By default, allows traffic from all IP addresses.
The Default access control rules(not visible) of a basic or enterprise security group include a rule that denies all other traffic. However, the default allow rule of the managed security group takes precedence.
The following three scenarios describe how a security group controls port access for an associated ALB instance. In these examples, the ALB instance has an HTTP listener on port 80 and another on port 81.
Scenario | Security group rule | Expected result | Related link |
ALB instance is not associated with a security group. | ALB listener ports allow all inbound requests by default. |
| Step 5: Do not associate the ALB instance with a security group and verify the result |
ALB instance is associated with a security group. | Deny access to HTTP port 81. Note Only relevant security group rules are listed; other default rules are omitted. |
| Step 6: Associate the ALB instance with a security group and verify the result |
Modify the security group associated with the ALB instance. |
Note Only relevant security group rules are listed; other default rules are omitted. |
|
Limitations
You can manage access traffic for ALB instance upgradewith security groups or access control lists (ACLs). Older ALB instances support access control only with ACLs. If you need to use security groups, create a new instance or contact your account manager to request an upgrade for an existing instance.
Category | Security group type | Description |
ALB-supported security groups |
|
For more information about basic and enterprise security groups, see Basic and advanced security groups. |
ALB-unsupported security groups | managed security group | For more information about managed security groups, see Managed security groups. |
Prerequisites
You have created a Virtual Private Cloud (VPC) named VPC1. For more information, see Create and manage a VPC.
You have created two Elastic Compute Service (ECS) instances, ECS01 and ECS02, in VPC1. These instances serve as backend servers for an Application Load Balancer (ALB) instance, and you have deployed a different application on each.
To create an ECS instance, see Create an instance by using the custom launch tab.
To test a security group's access control for IPv6 traffic, ensure that ECS01 and ECS02 support IPv6 communication.
The following example demonstrates how to deploy the test applications on ECS01 and ECS02:
You have registered a domain name and completed the required ICP filing. For more information, see Register an Alibaba Cloud domain name and ICP filing.
Steps
Step 1: Create a server group
Log on to the ALB console.
In the top navigation bar, select a region. This topic uses China (Hangzhou) as an example.
In the left-side navigation pane, choose .
On the Server Groups page, click Create Server Group.
In the Create Server Group dialog box, configure the following parameters and click Create.
This section describes only the key parameters. Accept the default values for the others. For more information, see Create and manage server groups.
Parameter
Description
Server Group Type
Select Server.
Server Group Name
Enter a server group name.
VPC
Select VPC1.
Backend Protocol
Select HTTP.
Scheduling Algorithm
Select Weighted Round-robin.
In the The server group is created dialog box, click Add Backend Server.
On the Backend Servers tab, click Add Backend Server.
In the Add Backend Server panel, select the ECS01 and ECS02 instances, and click Next.
Set the ports and weights for the backend servers, and click OK.
Step 2: Create an ALB instance and listeners
Log on to the ALB console.
On the Instances page, click Create ALB.
On the purchase page, configure the following parameters.
This tutorial describes only the relevant parameters. Leave all other parameters at their default values. For more information about the parameters, see Create and manage ALB instances.
Region: Select China (Hangzhou).
Network Type: Select Public.
VPC: Select the VPC1 you created.
IP Version: The default value is IPv4. Select Dual-stack to allow clients to access the instance by using both IPv4 and IPv6 addresses.
Click Buy Now and follow the on-screen instructions to complete the purchase.
Return to the Instances page, find the ALB instance you created, and click its ID.
Click the Listener tab, and then click Quick Create Listener.
In the Quick Create Listener dialog box, configure the following parameters to create an HTTP listener on port 80, and then click OK.
Parameter
Description
Listener Protocol
The protocol used by the listener. For this tutorial, select HTTP.
Listener Port
The port used by the listener. For this tutorial, enter 80.
Server Group
Select the Server you created.
On the Listener tab, click Quick Create Listener again.
In the Quick Create Listener dialog box, configure the following parameters to create an HTTP listener on port 81, and then click OK.
Parameter
Description
Listener Protocol
The protocol used by the listener. For this tutorial, select HTTP.
Listener Port
The port used by the listener. For this tutorial, enter 81.
Server Group
Select the Server you created.
Step 3: Configure domain name resolution
For production, we recommend mapping a custom domain name to the ALB instance's domain name by creating a CNAME record.
-
In the left-side navigation pane, choose .
-
On the Instances page, copy the DNS name of the created ALB instance.
-
Follow these steps to add a CNAME record.
NoteIf your domain name is registered by a provider other than Alibaba Cloud, you must add the domain name to the Alibaba Cloud DNS console before you can configure DNS resolution. For more information, see Manage domain names. If your domain name is registered with Alibaba Cloud, proceed with the following steps.
-
Log on to the Alibaba Cloud DNS console.
-
On the Authoritative DNS Resolution page, find the target domain name, and click Settings in the Operations column.
-
On the Settings page, click Add Record.
-
In the Add Record panel, configure the CNAME record by setting the following parameters, and then click OK.
Parameter
Description
Record Type
Select CNAME from the drop-down list.
Hostname
The prefix of your domain name. This tutorial uses @.
NoteTo use a root domain, set the hostname to
@.Query Source
Select Default.
Record Value
Enter the DNS name of the ALB instance that you copied.
TTL
Time to live (TTL) is the duration that a DNS record is cached on a DNS server. Use the default value.
-
Step 4: Create a security group
To add an ALB instance to a security group, you must first create the security group in the ECS console.
Log on to the ECS console.
In the left-side navigation pane, choose Network & Security > Security Groups.
In the top navigation bar, select a region. This topic uses China (Hangzhou) as an example.
On the Security Groups page, click Create Security Group.
On the Create Security Group page, configure the parameters in the Basic Information section.
This topic lists only the relevant parameters. For information about other parameters, see Create a security group.
Network: Select the VPC that you created.
security group type: Select basic security group.
Configure the access rule parameters for the new security group.
On the Inbound tab, click Add Rule twice.
Add the rules from the following table, and then click Create Security Group.
Parameter
Rule 1: Deny IPv4 and IPv6 traffic to port 81
(Optional) Rule 2: Allow IPv6 traffic to port 80
Action
Select Deny.
Select Allow.
Priority
Keep the default value 1.
Protocol type
Select custom TCP.
NoteWhen you configure a security group rule for a QUIC listener, select custom UDP as the protocol type.
Port range
Enter port number 81.
Select port number HTTP(80).
Source
Select
All IPv4 addresses (0.0.0.0/0)andAll IPv6 addresses (::/0).Select
All IPv6 addresses (::/0).Description
Enter a description for the security group rule.
Step 5: Verify connectivity without a security group
Test connectivity between your client and the ECS01 and ECS02 instances.
This example uses a client with public internet access. To test the security group's access control for IPv6 addresses, make sure your client supports public IPv6 communication.
Open a command-line window and run
curl -4 http://<custom_domain_name>:80. The output shows that IPv4 clients can access the ALB instance over HTTP on port 80.C:\Users\Administrator>curl -4 http://<custom_domain_name>:80 Hello World ! This is ECS02.Run
curl -4 http://<custom_domain_name>:81. The output shows that IPv4 clients can access the ALB instance over HTTP on port 81.C:\Users\Administrator>curl -4 http://<custom_domain_name>:81 Hello World ! This is ECS01.(Optional) Run
curl -6 http://<custom_domain_name>:80. The output shows that IPv6 clients can access the ALB instance over HTTP on port 80.C:\Users\Administrator>curl -6 http://<custom_domain_name>:80 Hello World ! This is ECS02.(Optional) Run
curl -6 http://<custom_domain_name>:81. The output shows that IPv6 clients can access the ALB instance over HTTP on port 81.C:\Users\Administrator>curl -6 http://<custom_domain_name>:81 Hello World ! This is ECS01.
Step 6: Add the ALB instance to a security group and verify
Add the ALB instance to a security group and verify that the security group controls access to the ALB instance's ports.
Log on to the ALB console.
On the Instances page, find the target ALB instance and click its ID. On the instance details page, click the Security Groups tab.
On the Security Groups tab, click Create Security Group. In the Add ALB to Security Group dialog box, select the security group you created in Step 4: Create a security group and click OK.
In the left pane, click the ID of the target security group. Click the Inbound Policies or Outbound Policies tab to view the security group rules.
This section lists only the inbound security group rules relevant to this topic. The rules for the ALB instance are as follows:
Policy
Priority
Protocol
Destination
Source
Allow
1
Custom TCP
Destination: 80/80Source: All IPv4 (0.0.0.0/0)Allow
1
Custom TCP
Destination: 80/80Source: All IPv6 (::/0)Deny
1
Custom TCP
Destination: 81/81Source: All IPv4 (0.0.0.0/0)Deny
1
Custom TCP
Destination: 81/81Source: All IPv6 (::/0)After adding the ALB instance to the security group, test access to the instance.
From a client command line, run
curl -4 http://<custom_domain_name>:80. The following output indicates that IPv4 clients can access the ALB instance over HTTP on port 80.C:\Users\Administrator>curl -4 http://<custom_domain_name>:80 Hello World ! This is ECS01.(Optional) Run
curl -6 http://<custom_domain_name>:80. The following output indicates that IPv6 clients can access the ALB instance over HTTP on port 80.C:\Users\Administrator>curl -6 http://<custom_domain_name>:80 Hello World ! This is ECS02.Run
curl -4 http://<custom_domain_name>:81. The connection fails, which confirms that the security group rule denying access to port 81 is in effect for IPv4 clients.C:\Users\Administrator>curl -4 http://<custom_domain_name>:81 curl: (28) Failed to connect to <custom_domain_name> port 81 after 42076 ms: Could not connect to server(Optional) Run
curl -6 http://<custom_domain_name>:81. The connection fails, which confirms that the security group rule denying access to port 81 is in effect for IPv6 clients.C:\Users\Administrator>curl -6 http://<custom_domain_name>:81 curl: (28) Failed to connect to <custom_domain_name> port 81 after 42121 ms: Could not connect to server
Step 7: Modify and verify the security group
Modify the security group rules and verify that they control access to the ALB instance ports.
Return to the ALB Instances page, find the target ALB instance, and click its instance ID. On the Instance Details tab, click the Security Groups tab.
In the Basic Information section, click the security group ID. Alternatively, in the upper-right corner of the Security Groups tab, click ECS Console to open the Security Group Rules page and modify the rules.
On the Security Group Rules page, find the rule that allows access to TCP port 80. In the Actions column, click Modify. Set the Policy to Deny, and then click Save.
The following table lists the updated security group rules relevant to this topic.
Policy
Priority
Protocol
Port range
Source
Deny
1
Custom TCP
Destination: 80/80Source: All IPv4 (0.0.0.0/0)Deny
1
Custom TCP
Destination: 80/80Source: All IPv6 (::/0)Deny
1
Custom TCP
Destination: 81/81Source: All IPv4 (0.0.0.0/0)Deny
1
Custom TCP
Destination: 81/81Source: All IPv6 (::/0)After modifying the security group rules for the ALB instance, test access.
In your client's command-line window, run the command
curl -4 http://<custom_domain_name>:80. The following output indicates that IPv4 clients cannot access port 80 over HTTP, confirming that the security group rule for port 80 is working.C:\Users\Administrator>curl -4 http://<custom_domain_name>:80 curl: (28) Failed to connect to <custom_domain_name> port 80 after 42020 ms: Could not connect to server(Optional) Run the command
curl -6 http://<custom_domain_name>:80. The following output indicates that IPv6 clients cannot access port 80 over HTTP, confirming that the security group rule for port 80 is working.C:\Users\Administrator>curl -6 http://<custom_domain_name>:80 curl: (28) Failed to connect to <custom_domain_name> port 80 after 42077 ms: Could not connect to serverRun the command
curl -4 http://<custom_domain_name>:81. The following output indicates that IPv4 clients cannot access port 81 over HTTP, confirming that the security group rule for port 81 is working.C:\Users\Administrator>curl -4 http://<custom_domain_name>:81 curl: (28) Failed to connect to <custom_domain_name> port 81 after 42095 ms: Could not connect to server(Optional) Run the command
curl -6 http://<custom_domain_name>:81. The following output indicates that IPv6 clients cannot access port 81 over HTTP, confirming that the security group rule for port 81 is working.C:\Users\Administrator>curl -6 http://<custom_domain_name>:81 curl: (28) Failed to connect to <custom_domain_name> port 81 after 42095 ms: Could not connect to server
References
Console
To associate a security group with or disassociate a security group from an ALB instance, see Associate an ALB instance with a security group.
To create an allowlist or a blocklist for an ALB instance using a security group, see Configure a security group for an ALB instance to implement an allowlist or blocklist.
For more information about basic security groups and enterprise security groups, see Basic security groups and enterprise security groups.
API
LoadBalancerJoinSecurityGroup: Associates a security group with an Application Load Balancer instance.
LoadBalancerLeaveSecurityGroup: Disassociates a security group from an Application Load Balancer instance.