Implement port-level access control with security groups

Updated at:
Copy as MD

To control access to an Application Load Balancer (ALB) instance, configure a security group. Unlike access control lists (ACLs), ALB security groups support access control by protocol and port, and provide access control policies for IPv6 addresses.

Scenarios

  • If an ALB instance is not associated with a security group, its listener ports allow all inbound requests by default.

  • When an ALB instance is associated with a security group but no deny policy is configured, the ALB listener ports allow all inbound requests by default. To allow access only from specific IP addresses, add a deny policy as a catch-all rule.

If your ALB instance requires access control and you want to control the inbound traffic of the ALB instance, you can add a security group to the ALB instance and configure corresponding security group rules based on your business requirements.

Important
  • The outbound traffic from a load balancer consists of responses to client requests. To ensure normal business operations, the security group for an ALB instance does not restrict outbound traffic. You do not need to configure outbound rules for the security group.

  • After an ALB instance is created, the system automatically generates a Managed security groupsin the instance's VPC. This security group is managed by the ALB instance, and you have only view permissions. The ALB managed security group includes the following two types of security group rules:

    • A rule with a priority of 1: By default, allows traffic from the local IP address, which is used for communication with backend servers.

      When adding security group rules, do not add a deny policy with a priority of 1 for the local IP address of the ALB instance. This would conflict with the managed security group policy and disrupt communication between the ALB instance and your backend servers. You can find the local IP address on the instance details page in the Application Load Balancer (ALB) console.

    • A rule with a priority of 100: By default, allows traffic from all IP addresses.

      The Default access control rules(not visible) of a basic or enterprise security group include a rule that denies all other traffic. However, the default allow rule of the managed security group takes precedence.

The following three scenarios describe how a security group controls port access for an associated ALB instance. In these examples, the ALB instance has an HTTP listener on port 80 and another on port 81.

Scenario

Security group rule

Expected result

Related link

ALB instance is not associated with a security group.

ALB listener ports allow all inbound requests by default.

  • Clients can access HTTP port 80 of the ALB instance.

  • Clients can access HTTP port 81 of the ALB instance.

Step 5: Do not associate the ALB instance with a security group and verify the result

ALB instance is associated with a security group.

Deny access to HTTP port 81.

Note

Only relevant security group rules are listed; other default rules are omitted.

  • Clients can access HTTP port 80 of the ALB instance.

  • Clients cannot access HTTP port 81 of the ALB instance.

Step 6: Associate the ALB instance with a security group and verify the result

Modify the security group associated with the ALB instance.

  • Deny access to HTTP port 80.

  • Deny access to HTTP port 81.

Note

Only relevant security group rules are listed; other default rules are omitted.

  • Clients cannot access HTTP port 80 of the ALB instance.

  • Clients cannot access HTTP port 81 of the ALB instance.

Step 7: Modify the security group and verify the result

Limitations

Important

You can manage access traffic for ALB instance upgradewith security groups or access control lists (ACLs). Older ALB instances support access control only with ACLs. If you need to use security groups, create a new instance or contact your account manager to request an upgrade for an existing instance.

Category

Security group type

Description

ALB-supported security groups

  • basic security group

  • enterprise security group

  • The security group must be of the VPC type. Both the security group and the ALB instance must be in the same Virtual Private Cloud (VPC).

  • The quotas for associating security groups and configuring rules for an ALB instance are based on those for an Elastic Compute Service (ECS) instance or an elastic network interface:

  • You can associate an ALB instance only with security groups of the same type. You cannot associate an ALB instance with both basic and enterprise security groups at the same time.

    If an ALB instance is already associated with basic security groups and you want to associate it with enterprise security groups, you must first unbind all basic security groups from the instance. The reverse also applies.

For more information about basic and enterprise security groups, see Basic and advanced security groups.

ALB-unsupported security groups

managed security group

For more information about managed security groups, see Managed security groups.

Prerequisites

  • You have created a Virtual Private Cloud (VPC) named VPC1. For more information, see Create and manage a VPC.

  • You have created two Elastic Compute Service (ECS) instances, ECS01 and ECS02, in VPC1. These instances serve as backend servers for an Application Load Balancer (ALB) instance, and you have deployed a different application on each.

    • To create an ECS instance, see Create an instance by using the custom launch tab.

      To test a security group's access control for IPv6 traffic, ensure that ECS01 and ECS02 support IPv6 communication.

    • The following example demonstrates how to deploy the test applications on ECS01 and ECS02:

      Commands to deploy the application on ECS01

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS01." > index.html

      Commands to deploy the application on ECS02

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS02." > index.html

Steps

Step 1: Create a server group

  1. Log on to the ALB console.

  2. In the top navigation bar, select a region. This topic uses China (Hangzhou) as an example.

  3. In the left-side navigation pane, choose ALB > Server Groups.

  4. On the Server Groups page, click Create Server Group.

  5. In the Create Server Group dialog box, configure the following parameters and click Create.

    This section describes only the key parameters. Accept the default values for the others. For more information, see Create and manage server groups.

    Parameter

    Description

    Server Group Type

    Select Server.

    Server Group Name

    Enter a server group name.

    VPC

    Select VPC1.

    Backend Protocol

    Select HTTP.

    Scheduling Algorithm

    Select Weighted Round-robin.

  6. In the The server group is created dialog box, click Add Backend Server.

  7. On the Backend Servers tab, click Add Backend Server.

  8. In the Add Backend Server panel, select the ECS01 and ECS02 instances, and click Next.

  9. Set the ports and weights for the backend servers, and click OK.

Step 2: Create an ALB instance and listeners

  1. Log on to the ALB console.

  2. On the Instances page, click Create ALB.

  3. On the purchase page, configure the following parameters.

    This tutorial describes only the relevant parameters. Leave all other parameters at their default values. For more information about the parameters, see Create and manage ALB instances.

    • Region: Select China (Hangzhou).

    • Network Type: Select Public.

    • VPC: Select the VPC1 you created.

    • IP Version: The default value is IPv4. Select Dual-stack to allow clients to access the instance by using both IPv4 and IPv6 addresses.

  4. Click Buy Now and follow the on-screen instructions to complete the purchase.

  5. Return to the Instances page, find the ALB instance you created, and click its ID.

  6. Click the Listener tab, and then click Quick Create Listener.

  7. In the Quick Create Listener dialog box, configure the following parameters to create an HTTP listener on port 80, and then click OK.

    Parameter

    Description

    Listener Protocol

    The protocol used by the listener. For this tutorial, select HTTP.

    Listener Port

    The port used by the listener. For this tutorial, enter 80.

    Server Group

    Select the Server you created.

  8. On the Listener tab, click Quick Create Listener again.

  9. In the Quick Create Listener dialog box, configure the following parameters to create an HTTP listener on port 81, and then click OK.

    Parameter

    Description

    Listener Protocol

    The protocol used by the listener. For this tutorial, select HTTP.

    Listener Port

    The port used by the listener. For this tutorial, enter 81.

    Server Group

    Select the Server you created.

Step 3: Configure domain name resolution

For production, we recommend mapping a custom domain name to the ALB instance's domain name by creating a CNAME record.

  1. In the left-side navigation pane, choose ALB > Instances.

  2. On the Instances page, copy the DNS name of the created ALB instance.

  3. Follow these steps to add a CNAME record.

    Note

    If your domain name is registered by a provider other than Alibaba Cloud, you must add the domain name to the Alibaba Cloud DNS console before you can configure DNS resolution. For more information, see Manage domain names. If your domain name is registered with Alibaba Cloud, proceed with the following steps.

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Authoritative DNS Resolution page, find the target domain name, and click Settings in the Operations column.

    3. On the Settings page, click Add Record.

    4. In the Add Record panel, configure the CNAME record by setting the following parameters, and then click OK.

      Parameter

      Description

      Record Type

      Select CNAME from the drop-down list.

      Hostname

      The prefix of your domain name. This tutorial uses @.

      Note

      To use a root domain, set the hostname to @.

      Query Source

      Select Default.

      Record Value

      Enter the DNS name of the ALB instance that you copied.

      TTL

      Time to live (TTL) is the duration that a DNS record is cached on a DNS server. Use the default value.

Step 4: Create a security group

To add an ALB instance to a security group, you must first create the security group in the ECS console.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Security Groups.

  3. In the top navigation bar, select a region. This topic uses China (Hangzhou) as an example.

  4. On the Security Groups page, click Create Security Group.

  5. On the Create Security Group page, configure the parameters in the Basic Information section.

    This topic lists only the relevant parameters. For information about other parameters, see Create a security group.

    • Network: Select the VPC that you created.

    • security group type: Select basic security group.

  6. Configure the access rule parameters for the new security group.

    1. On the Inbound tab, click Add Rule twice.

    2. Add the rules from the following table, and then click Create Security Group.

      Parameter

      Rule 1: Deny IPv4 and IPv6 traffic to port 81

      (Optional) Rule 2: Allow IPv6 traffic to port 80

      Action

      Select Deny.

      Select Allow.

      Priority

      Keep the default value 1.

      Protocol type

      Select custom TCP.

      Note

      When you configure a security group rule for a QUIC listener, select custom UDP as the protocol type.

      Port range

      Enter port number 81.

      Select port number HTTP(80).

      Source

      Select All IPv4 addresses (0.0.0.0/0) and All IPv6 addresses (::/0).

      Select All IPv6 addresses (::/0).

      Description

      Enter a description for the security group rule.

Step 5: Verify connectivity without a security group

Test connectivity between your client and the ECS01 and ECS02 instances.

This example uses a client with public internet access. To test the security group's access control for IPv6 addresses, make sure your client supports public IPv6 communication.

  1. Open a command-line window and run curl -4 http://<custom_domain_name>:80. The output shows that IPv4 clients can access the ALB instance over HTTP on port 80.

    C:\Users\Administrator>curl -4 http://&lt;custom_domain_name&gt;:80
    Hello World ! This is ECS02.
  2. Run curl -4 http://<custom_domain_name>:81. The output shows that IPv4 clients can access the ALB instance over HTTP on port 81.

    C:\Users\Administrator>curl -4 http://&lt;custom_domain_name&gt;:81
    Hello World ! This is ECS01.
  3. (Optional) Run curl -6 http://<custom_domain_name>:80. The output shows that IPv6 clients can access the ALB instance over HTTP on port 80.

    C:\Users\Administrator>curl -6 http://&lt;custom_domain_name&gt;:80
    Hello World ! This is ECS02.
  4. (Optional) Run curl -6 http://<custom_domain_name>:81. The output shows that IPv6 clients can access the ALB instance over HTTP on port 81.

    C:\Users\Administrator>curl -6 http://&lt;custom_domain_name&gt;:81
    Hello World ! This is ECS01.

Step 6: Add the ALB instance to a security group and verify

Add the ALB instance to a security group and verify that the security group controls access to the ALB instance's ports.

  1. Log on to the ALB console.

  2. On the Instances page, find the target ALB instance and click its ID. On the instance details page, click the Security Groups tab.

  3. On the Security Groups tab, click Create Security Group. In the Add ALB to Security Group dialog box, select the security group you created in Step 4: Create a security group and click OK.

  4. In the left pane, click the ID of the target security group. Click the Inbound Policies or Outbound Policies tab to view the security group rules.

    This section lists only the inbound security group rules relevant to this topic. The rules for the ALB instance are as follows:

    Policy

    Priority

    Protocol

    Destination

    Source

    Allow

    1

    Custom TCP

    Destination: 80/80

    Source: All IPv4 (0.0.0.0/0)

    Allow

    1

    Custom TCP

    Destination: 80/80

    Source: All IPv6 (::/0)

    Deny

    1

    Custom TCP

    Destination: 81/81

    Source: All IPv4 (0.0.0.0/0)

    Deny

    1

    Custom TCP

    Destination: 81/81

    Source: All IPv6 (::/0)

  5. After adding the ALB instance to the security group, test access to the instance.

    1. From a client command line, run curl -4 http://<custom_domain_name>:80. The following output indicates that IPv4 clients can access the ALB instance over HTTP on port 80.

      C:\Users\Administrator>curl -4 http://&lt;custom_domain_name&gt;:80
      Hello World ! This is ECS01.
    2. (Optional) Run curl -6 http://<custom_domain_name>:80. The following output indicates that IPv6 clients can access the ALB instance over HTTP on port 80.

      C:\Users\Administrator>curl -6 http://&lt;custom_domain_name&gt;:80
      Hello World ! This is ECS02.
    3. Run curl -4 http://<custom_domain_name>:81. The connection fails, which confirms that the security group rule denying access to port 81 is in effect for IPv4 clients.

      C:\Users\Administrator>curl -4 http://<custom_domain_name>:81
      curl: (28) Failed to connect to <custom_domain_name> port 81 after 42076 ms: Could not connect to server
    4. (Optional) Run curl -6 http://<custom_domain_name>:81. The connection fails, which confirms that the security group rule denying access to port 81 is in effect for IPv6 clients.

      C:\Users\Administrator>curl -6 http://<custom_domain_name>:81
      curl: (28) Failed to connect to <custom_domain_name> port 81 after 42121 ms: Could not connect to server

Step 7: Modify and verify the security group

Modify the security group rules and verify that they control access to the ALB instance ports.

  1. Return to the ALB Instances page, find the target ALB instance, and click its instance ID. On the Instance Details tab, click the Security Groups tab.

  2. In the Basic Information section, click the security group ID. Alternatively, in the upper-right corner of the Security Groups tab, click ECS Console to open the Security Group Rules page and modify the rules.

  3. On the Security Group Rules page, find the rule that allows access to TCP port 80. In the Actions column, click Modify. Set the Policy to Deny, and then click Save.

    The following table lists the updated security group rules relevant to this topic.

    Policy

    Priority

    Protocol

    Port range

    Source

    Deny

    1

    Custom TCP

    Destination: 80/80

    Source: All IPv4 (0.0.0.0/0)

    Deny

    1

    Custom TCP

    Destination: 80/80

    Source: All IPv6 (::/0)

    Deny

    1

    Custom TCP

    Destination: 81/81

    Source: All IPv4 (0.0.0.0/0)

    Deny

    1

    Custom TCP

    Destination: 81/81

    Source: All IPv6 (::/0)

  4. After modifying the security group rules for the ALB instance, test access.

    1. In your client's command-line window, run the commandcurl -4 http://<custom_domain_name>:80. The following output indicates that IPv4 clients cannot access port 80 over HTTP, confirming that the security group rule for port 80 is working.

      C:\Users\Administrator>curl -4 http://&lt;custom_domain_name&gt;:80
      curl: (28) Failed to connect to &lt;custom_domain_name&gt; port 80 after 42020 ms: Could not connect to server
    2. (Optional) Run the commandcurl -6 http://<custom_domain_name>:80. The following output indicates that IPv6 clients cannot access port 80 over HTTP, confirming that the security group rule for port 80 is working.

      C:\Users\Administrator>curl -6 http://&lt;custom_domain_name&gt;:80
      curl: (28) Failed to connect to &lt;custom_domain_name&gt; port 80 after 42077 ms: Could not connect to server
    3. Run the commandcurl -4 http://<custom_domain_name>:81. The following output indicates that IPv4 clients cannot access port 81 over HTTP, confirming that the security group rule for port 81 is working.

      C:\Users\Administrator>curl -4 http://&lt;custom_domain_name&gt;:81
      curl: (28) Failed to connect to &lt;custom_domain_name&gt; port 81 after 42095 ms: Could not connect to server
    4. (Optional) Run the commandcurl -6 http://<custom_domain_name>:81. The following output indicates that IPv6 clients cannot access port 81 over HTTP, confirming that the security group rule for port 81 is working.

      C:\Users\Administrator>curl -6 http://&lt;custom_domain_name&gt;:81
      curl: (28) Failed to connect to &lt;custom_domain_name&gt; port 81 after 42095 ms: Could not connect to server

References

Console

API