Use security groups as blacklists or whitelists for ALB
A security group is a virtual firewall that controls inbound and outbound traffic of Application Load Balancer (ALB) based on inbound and outbound rules. To allow or reject access from specific IP addresses to an ALB instance, you can add the ALB instance to a security group. A security group can function as a blacklist or whitelist for an ALB instance. You can create security group rules to implement finer-grained access control.
Scenarios
By default—whether or not the ALB instance is associated with a security group—its listener ports accept all inbound requests. Adding a security group with only Allow rules does not change this behavior. To restrict access to specific IP addresses, add at least one Deny rule to the security group.
ALB security groups apply to inbound traffic only. Outbound traffic (responses to client requests) is never restricted, so no outbound rules are required.
Managed security group
When you create an ALB instance, the system automatically creates a managed security group in the same virtual private cloud (VPC). This security group is read-only—you can view its rules but cannot modify them.
The managed security group contains the following rules:
Priority | Action | Protocol | Source | Port range | Description |
1 | Allow | All | NLB local IP addresses | All | Enables communication between the ALB instance and its backend servers, and allows health check traffic |
100 | Allow | All | 0.0.0.0/0 | All | Allows all inbound traffic by default |
(invisible) | Deny | All | 0.0.0.0/0 | All | Default deny-all rule built into basic and advanced security groups; the priority-100 Allow rule takes precedence |
Do not add Deny rules with priority 1 that target the ALB local IP addresses. Such rules conflict with the managed security group and can disrupt communication between the ALB instance and its backend servers. To check the local IP addresses of your ALB instance, log on to the ALB console.
This topic describes how to use a security group as a blacklist and a whitelist in two scenarios. For more information about security group rule priorities, see Sorting policy of security group rules.
Blacklist: Configure the ALB security group to deny access from specific IP addresses
A company deployed businesses on ALB in a region of Alibaba Cloud. Security inspection detects malicious requests and attacks from an IP address, such as 121.XX.XX.12. Such behaviors can cause business risks and security risks such as data leaks.
To resolve this issue, the company can configure a security group rule for the ALB instance to deny access from specific IP addresses, such as 121.XX.XX.12. The security group rule can block malicious requests and attacks from specific IP addresses to improve business security and stability.
Whitelist: Configure the ALB security group to allow access from specific IP addresses
A company deployed businesses that contain sensitive data on ALB in a region of Alibaba Cloud. To restrict access to the ALB instance, the company can configure a security group rule to allow access only from specific IP addresses, such as 121.XX.XX.12. Requests from other IP addresses are rejected.
Limitations
Upgraded ALB instances support both security groups and access control lists (ACLs) to control incoming traffic, while non-upgraded ALB instances support only ACLs. To use security groups, either create new ALB instances or contact your account manager to upgrade existing ALB instances.
Custom security groups for an ALB instance are subject to the following limitations:
They must work on the VPC for the ALB instance.
The number of custom security groups that can be associated with the ALB instance equals the security group quota for one elastic network interface (ENI) of an Elastic Compute Service (ECS) instance minus 1, which is taken by the managed security group.
The number of rules that can be associated with the ALB instance equals the rule quota for one ECS instance ENI minus the number of rules in the managed security group.
One ALB instance can be added to only one type of custom security group, either basic or advanced. To change the security group type for your ALB instance, first remove it from all associated ones, then add it to security groups of the other type.
Prerequisites
A virtual private cloud (VPC) named VPC1 is created in the China (Hangzhou) region. A vSwitch named VSW1 is created in Zone H and another vSwitch named VSW2 is created in Zone I. For more information, see Create VPC and vSwitch.
Two Elastic Compute Service (ECS) instances are created in VSW1, and applications are deployed on ECS01 and ECS02.
For more information about how to create an ECS instance, see Create an instance by using the wizard.
The following commands show how to deploy applications on ECS01 and ECS02:
A domain name is registered, and an Internet content provider (ICP) number is obtained for the domain name. For more information, see Register a domain name on Alibaba Cloud and Overview.
The following table describes the IP addresses of the clients and servers. The IP addresses are for reference only.
Category | IP | Description |
ECS01 (server) |
| The backend servers of the ALB instance. |
ECS02 (server) |
| |
Client03 | Public: 121.XX.XX.12 | The client that accesses the ALB instance. |
Client04 | Public: 121.XX.XX.45 |
Procedure
Step 1: Create a server group
Log on to the ALB console.
In the top navigation bar, select the region in which you want to create a server group. In this example, China (Hangzhou) is selected.
In the left-side navigation pane, choose .
On the Server Groups page, click Create Server Group.
In the Create Server Group dialog box, configure the parameters and click Create.
The following table describes the parameters that are relevant to this topic. You can use the default values for the other parameters. For more information, see Create and manage server groups.
Parameter
Description
Server Group Type
Specify a type of server group. In this example, Server is selected.
Server Group Name
Enter a name for the server group.
VPC
Select the VPC in which you want to create the server group. In this example, VPC1 is selected.
Backend Server Protocol
Select a backend protocol. HTTP is selected in this example.
Scheduling Algorithm
The scheduling algorithm. In this example, Weighted Round-robin is selected.
In the The server group is created dialog box, click Add Backend Server.
On the Backend Servers tab, click Add Backend Server.
In the Add Backend Server panel, select ECS01 and ECS02 and click Next.
Specify ports and weights for the backend servers and click OK.
Step 2: Create an ALB instance and add a listener
Log on to the ALB console.
On the Instances page, click Create ALB.
On the buy page, configure the following parameters.
The following table describes only some of the parameters. Other parameters use the default values. For more information, see Create and manage ALB instances.
Region: the region in which you want to create the ALB instance. In this example, China (Hangzhou) is selected.
Network Type: the network type of the ALB instance. In this example, Public is selected.
VPC: the VPC in which you want to create the ALB instance. In this example, VPC1 is selected.
Click Buy Now and complete the payment.
Return to the Instances page and click the ID of the ALB instance.
Click the Listener tab and then click Quick Create Listener.
In the Quick Create Listener dialog box, configure the parameters and click OK. In this example, an HTTP listener that listens on port 80 is created. The following table describes the parameters.
Parameter
Description
Listener Protocol
Select a listener protocol. In this example, HTTP is selected.
Listener Port
Enter a listener port. In this example, 80 is specified.
Server Group
Select a server group type in the left-side drop-down list and select a server group from the right-side drop-down list. In this example, the server group created in Step 1 is selected.
Step 3: Configure a CNAME record
For production, we recommend mapping a custom domain name to the ALB instance's domain name by creating a CNAME record.
-
In the left-side navigation pane, choose .
-
On the Instances page, copy the DNS name of the created ALB instance.
-
Follow these steps to add a CNAME record.
NoteIf your domain name is registered by a provider other than Alibaba Cloud, you must add the domain name to the Alibaba Cloud DNS console before you can configure DNS resolution. For more information, see Manage domain names. If your domain name is registered with Alibaba Cloud, proceed with the following steps.
-
Log on to the Alibaba Cloud DNS console.
-
On the Authoritative DNS Resolution page, find the target domain name, and click Settings in the Operations column.
-
On the Settings page, click Add Record.
-
In the Add Record panel, configure the CNAME record by setting the following parameters, and then click OK.
Parameter
Description
Record Type
Select CNAME from the drop-down list.
Hostname
The prefix of your domain name. This tutorial uses @.
NoteTo use a root domain, set the hostname to
@.Query Source
Select Default.
Record Value
Enter the DNS name of the ALB instance that you copied.
TTL
Time to live (TTL) is the duration that a DNS record is cached on a DNS server. Use the default value.
-
Step 4: Create security groups
Create a security group in the ECS console. In this example, two security groups are created.
Use Security Group 1 as a blacklist
Add a Deny rule that denies access from specified IP addresses. In this example, a security group that denies access from the public IP address 121.XX.XX.12 is created. You can retain the default security group rules.
Action
Priority
Protocol Type
Port Range
Authorization Object
Deny
1
All
Destination: -1/-1
Source: 121.XX.XX.12
Use Security Group 2 as a whitelist
Add an Allow rule that allows access from specific IP addresses and a Deny rule that denies access from specific IP addresses. In this example, an Allow rule that allows access from the public IP address 121.XX.XX.12 and a Deny rule are created.
Action
Priority
Protocol Type
Port Range
Authorization Object
Allow
1
All
Destination: -1/-1
Source: 121.XX.XX.12
Deny
100
All
Destination: -1/-1
Source: 0.0.0.0/0
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region in which you want to create a security group. In this example, China (Hangzhou) is selected.
On the Security Groups page, click Create Security Group.
On the Create Security Group page, set the parameters in the Basic Information section.
Specify the following parameters. For more information about other parameters, see Security groups.
Network: In this example, VPC is selected.
Security Group Type: In this example, Basic Security Group is selected.
On the Create Security Group page, set the parameters in the Rules section.
Click Add Rule to add rules based on the configurations of the rules in Security Group 1 and Security Group 2.
Click OK.
Step 5: Test access control before the ALB instance is added to a security group
Use Client03 and Client04 to test the availability of ECS01 and ECS02.
Log on to Client03 and run the
curl http://Custom domain namecommand. TheHello World! This is ECS01.packet is returned, as shown in the following figure. This packet indicates that Client03 can access the ALB instance.
Log on to Client04 and run the
curl http://Custom domain namecommand. TheHello World! This is ECS02.packet is returned, as shown in the following figure, which indicates that Client04 can access the ALB instance.
Step 6: Add the ALB instance to the security groups and verify the result
Use Security Group 1 as a blacklist
Add the ALB instance to Security Group 1 created in Step 4: Create a security group to test whether the rules in Security Group 1 take effect on the ALB instance.
Log on to the ALB console.
In the top navigation bar, select the region of the ALB instance. In this example, China (Hangzhou) is selected.
On the Instances page, click the ID of the ALB instance that you want to manage. On the instance details page, click the Security Groups tab.
On the Security Groups tab, click Create Security Group. In the Add ALB to Security Group dialog box, select Security Group 1 created in Step 4: Create security groups and click OK.
In the left-side panel, click the ID of the security group that you want to manage. You can click the Inbound or Outbound tab to view the security group rules.
The following table describes only the inbound security group rule that is relevant to this topic.
Action
Priority
Protocol Type
Port Range
Authorization Object
Deny
1
All
Destination: -1/-1
Source: 121.XX.XX.12
Add the ALB instance to the security group and test the result.
Log on to Client03 and run the
curl http://Custom domain namecommand. A response is received, as shown in the following figure, which indicates that access from Client03 is denied by the ALB instance.
Log on to Client04 and run the
curl http://Custom domain namecommand. TheHello World! This is ECS01.packet is returned, as shown in the following figure. This packet indicates that Client04 can access the ALB instance.
The results show that after the ALB instance is added to Security Group 1 which functions as a blacklist, the Deny rule of Security Group 1 denies access from the specified IP address to the ALB instance. IP addresses that are not specified in the Deny rule can access the ALB instance.
Use Security Group 2 as a whitelist
Add the ALB instance to Security Group 2 created in Step 4: Create security groups and test whether the rules of Security Group 2 take effect on the ALB instance.
Log on to the ALB console.
In the top navigation bar, select the region of the ALB instance. In this example, China (Hangzhou) is selected.
On the Instances page, click the ID of the ALB instance that you want to manage. On the Instance Details tab, click the Security Groups tab.
On the Security Groups tab, click Create Security Group. In the Add ALB to Security Group dialog box, select Security Group 2 created in Step 4: Create security groups and click OK.
In the left-side panel, click the ID of the security group that you want to manage. You can click the Inbound or Outbound tab to view the security group rules.
The following table describes only parameters that are relevant to this topic.
Action
Priority
Protocol Type
Port Range
Authorization Object
Yes
1
All
Destination: -1/-1
Source: 121.XX.XX.12
Deny
100
All
Destination: -1/-1
Source: All IPv4 Addresses (0.0.0.0/0)
Add the ALB instance to the security group and test the result.
Log on to Client03 and run the
curl http://Custom domain namecommand. TheHello World! This is ECS01.packet is returned, as shown in the following figure. This packet indicates that Client03 can access the ALB instance.
Log on to Client04 and run the
curl http://Custom domain namecommand. A response is received, as shown in the following figure. This packet indicates that access from Client04 is denied by the ALB instance.
The test results show that after the ALB instance is added to Security Group 2 which functions as a whitelist, only IP addresses in the Allow rule can access the ALB instance.
References
Console documentation
For more information about how to add ALB instances to and remove ALB instances from security groups, see Add an ALB instance to a security group.
For more information about how to implement access control for ALB based on listeners and ports, see ALB security group for listener and port control.
For differences between basic and advanced security groups, see Basic and advanced security groups.
References
Console
-
To associate a security group with or disassociate a security group from an ALB instance, see Associate an ALB instance with a security group.
-
To create an allowlist or a blocklist for an ALB instance using a security group, see Configure a security group for an ALB instance to implement an allowlist or blocklist.
-
For more information about basic security groups and enterprise security groups, see Basic security groups and enterprise security groups.
API
-
LoadBalancerJoinSecurityGroup: Associates a security group with an Application Load Balancer instance.
-
LoadBalancerLeaveSecurityGroup: Disassociates a security group from an Application Load Balancer instance.


