
Server Load Balancer: Use a security group to implement a blacklist or whitelist for an ALB instance

Last Updated:Mar 24, 2026

A security group acts as a virtual firewall that controls the inbound and outbound traffic of an Application Load Balancer (ALB) instance based on its rules. If you need to deny or allow traffic from specific IP addresses to an ALB instance, use security groups to create blacklist and whitelist access policies for fine-grained traffic control.

Scenarios

If your ALB instance requires access control over inbound traffic, add a security group to the ALB instance and configure security group rules that match your business needs. Security group rules match the source IP address of each packet that reaches the ALB instance; if clients reach the instance through a CDN, WAF, or other proxy, the source address that the rules see is the proxy's address, not the end user's.

Important
  • Outbound traffic from a load balancer consists of responses to user requests. To ensure normal operation, the security group for an ALB instance does not restrict outbound traffic. You do not need to configure outbound security group rules.

  • After you create an ALB instance, the system automatically creates a managed security group in the instance's Virtual Private Cloud (VPC). You have only view permissions for this ALB-managed security group. The ALB managed security group includes the following two types of security group rules:

    • Rule with a priority of 1: Allows traffic from local IP addresses by default. This rule enables communication with backend servers.

      Avoid adding a deny rule with a priority of 1 for the local IP addresses of the ALB instance. Such a rule can conflict with the policy of the managed security group, which could disrupt communication between the ALB instance and your backend servers. You can view the local IP addresses on the instance details page in the Application Load Balancer (ALB) console.

    • Rule with a priority of 100: Allows traffic from all IP addresses by default. This means that when an ALB instance is associated with a security group that has no deny rules, its listener ports accept requests from any source.

      A basic or advanced security group also contains a hidden default rule that denies traffic matched by no explicit rule. Because the managed security group's priority-100 rule matches every source, that explicit allow takes effect before the hidden default deny. To restrict access, you must therefore add explicit deny rules; omitting allow rules is not enough.

This topic describes how to use a security group to implement a blacklist or whitelist in two scenarios. For more information about security group rule priorities, see Security group rules.

Blacklist: Deny access from specific IP addresses

An enterprise deploys services on ALB in an Alibaba Cloud region. During a security check, the security team finds that an IP address, such as 121.XX.XX.12, frequently sends malicious requests and attempts to attack the services. This poses potential business risks and may lead to security incidents such as data breaches.

To address this issue, configure a security group rule for the ALB instance to block the specific IP address (121.XX.XX.12). This action blocks malicious requests and attacks, protecting the security and stability of your services.


Whitelist: Allow access from specific IP addresses

An enterprise deploys services that contain sensitive information on ALB in an Alibaba Cloud region. To strictly limit access to the ALB instance, you can configure security group rules to allow access only from a specific IP address, such as 121.XX.XX.12, and deny all requests from other IP addresses.


Limitations

Important

Upgraded ALB instances support security groups or ACLs for managing access traffic. Before the upgrade, ALB instances supported only ACLs for access control. If you need to use security groups, you can create a new instance or contact your account manager to request an upgrade for your existing instances.

  • Security groups that can be associated with an ALB instance: basic security groups and advanced security groups.

    • The security group and the ALB instance must be in the same Virtual Private Cloud (VPC).

    • The quotas for the maximum number of security groups and rules per ALB instance are the same as those for an ECS instance.

    • An ALB instance can be associated only with security groups of the same type. If an ALB instance is associated with a basic security group, you must first disassociate the ALB instance from all basic security groups before you can add it to an advanced security group, and vice versa.

    For more information about basic and advanced security groups, see Basic and advanced security groups.

  • Security groups that cannot be associated with an ALB instance: managed security groups. For more information about managed security groups, see Managed security groups.

Prerequisites

  • Create a Virtual Private Cloud (VPC) named VPC1 in the China (Hangzhou) region. Create a vSwitch named VSW1 in availability zone H and another vSwitch named VSW2 in availability zone I. For more information, see Create a VPC and a vSwitch.

  • Create two ECS instances in VSW1 and deploy applications on them.

    • For more information about how to create an ECS instance, see Create an instance by using the wizard.

    • The following example commands show how to deploy test applications on ECS01 and ECS02:

      Commands to deploy a service on ECS01

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS01." > index.html

      Commands to deploy a service on ECS02

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS02." > index.html

  • Register a domain name and obtain an Internet Content Provider (ICP) filing for it. For more information, see Register a domain name on Alibaba Cloud and ICP filing.

The following table describes the IP configurations for the clients and servers in this topic. These configurations are for reference only.

  • ECS01 (server): private IP address 192.168.10.22, no public IP address. Acts as a backend server for the ALB instance.

  • ECS02 (server): private IP address 192.168.10.35, no public IP address. Acts as a backend server for the ALB instance.

  • Client03: public IP address 121.XX.XX.12. Acts as a client that accesses the ALB instance.

  • Client04: public IP address 121.XX.XX.45. Acts as a client that accesses the ALB instance.

Procedure

Step 1: Create a server group

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region where the server group is located. This topic uses China (Hangzhou) as an example.

  3. In the left-side navigation pane, choose ALB > Server Groups.

  4. On the Server Groups page, click Create Server Group.

  5. In the Create Server Group dialog box, configure the following parameters and click Create.

    This topic describes only the parameters that are relevant to this example. You can retain the default values for other parameters. For more information, see Create and manage a server group.

    • Server Group Type: Select a server group type. This topic uses Server as an example.

    • Server Group Name: Enter a name for the server group.

    • VPC: Select a VPC from the drop-down list. This topic uses the created VPC1 as an example.

    • Backend Server Protocol: Select a backend protocol. This topic uses HTTP as an example.

    • Scheduling Algorithm: Select a scheduling algorithm. This topic uses Weighted Round-robin as an example.

  6. In the dialog box that confirms the server group is created, click Add Backend Server.

  7. On the Backend Servers tab, click Add Backend Server.

  8. On the Add Backend Server panel, select the created ECS01 and ECS02 instances and click Next.

  9. Set the ports and weights for the added servers and click OK.

Step 2: Create an ALB instance and listener

  1. Log on to the ALB console.

  2. On the Instances page, click Create ALB.

  3. On the buy page, complete the following configurations.

    This topic describes only the parameters that are relevant to this example. Retain the default values for other parameters. For more information about the parameters, see Create an ALB instance.

    • Region: This topic uses China (Hangzhou) as an example.

    • Network type: This topic uses Public as an example.

    • VPC: This topic uses the created VPC1 as an example.

  4. Click Buy Now and follow the on-screen instructions to activate the instance.

  5. Return to the Instances page, find the created ALB instance, and click its ID.

  6. Click the Listener tab and then click Quick Create Listener.

  7. In the Quick Create Listener dialog box, configure the following parameters to create an HTTP listener on port 80, and then click OK.

    • Listener Protocol: Select the protocol for the listener. This topic uses HTTP as an example.

    • Listener Port: Enter the listener port. This topic uses 80 as an example.

    • Server Group: Under Server, select the destination server group. This topic uses the created server group as an example.

Step 3: Configure domain name resolution

In a production environment, use your own domain name and create a CNAME record to map it to the domain name of the ALB instance.

  1. In the left-side navigation pane, choose ALB > Instances.

  2. On the Instances page, copy the DNS name of the created ALB instance.

  3. Perform the following steps to add a CNAME record.

    Note

    If your domain name was not registered with Alibaba Cloud, you must first add it to the Alibaba Cloud DNS console before you can configure DNS settings. For more information, see Domain Management. If your domain name was registered with Alibaba Cloud, proceed with the following steps.

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Authoritative DNS Resolution page, find the target domain name and click Settings in the Operations column.

    3. On the Settings page, click Add Record.

    4. In the Add Record panel, configure the following information for the CNAME record, and then click OK.

      • Record Type: Select CNAME from the drop-down list.

      • Hostname: The prefix for your domain name. This topic uses @ as an example, which is the host record for the root (apex) domain itself.

      • Query Source: Select Default.

      • Record Value: Enter the CNAME target, which is the DNS name of the ALB instance that you copied.

      • TTL: Time To Live (TTL) is how long DNS resolvers cache the record. This topic uses the default value.

Step 4: Create security groups

Go to the ECS console and create two security groups: one for a blacklist policy and one for a whitelist policy, using the rules described below.

  • Security group 1 for a blacklist policy

    Add a deny rule. This topic uses denying access from the public IP address 121.XX.XX.12 as an example. You can retain the default security group rules.

    • Action: Deny
    • Priority: 1
    • Protocol type: All
    • Port range: Destination: -1/-1
    • Authorization object: Source: 121.XX.XX.12

  • Security group 2 for a whitelist policy

    Add an allow rule and a deny rule. This topic uses allowing access from the public IP address 121.XX.XX.12 as an example. You must add both rules: the allow rule at priority 1 takes precedence for the whitelisted address, and the deny rule at priority 100 overrides the managed security group's priority-100 allow-all rule for every other source. Without the deny rule, all other sources would still be admitted. A rule for 0.0.0.0/0 covers only IPv4 sources; if the ALB instance also has an IPv6 address, add an equivalent deny rule for IPv6 sources.

    Allow rule:

    • Action: Allow
    • Priority: 1
    • Protocol type: All
    • Port range: Destination: -1/-1
    • Authorization object: Source: 121.XX.XX.12

    Deny rule:

    • Action: Deny
    • Priority: 100
    • Protocol type: All
    • Port range: Destination: -1/-1
    • Authorization object: Source: 0.0.0.0/0

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Security Group.

  3. In the top navigation bar, select the region where the security group is located. This topic uses China (Hangzhou) as an example.

  4. On the Security Groups page, click Create Security Group.

  5. On the Create Security Group page, configure the Basic information parameters.

    This topic describes only some parameters. For more information about the other parameters, see Create a security group.

    • Network: This topic uses the created VPC as an example.

    • Security group type: This topic uses Basic Security Group as an example.

  6. On the Create Security Group page, configure the Rules parameters.

    1. Click Add Rule and create rules based on the configurations for Security group 1 for a blacklist policy and Security group 2 for a whitelist policy.

    2. Click OK.
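The following Python model is added here as an illustration and is not Alibaba Cloud code. It evaluates the rule sets of Step 4 together with the ALB-managed security group described in the Important box, so you can see which rule decides each source before you attach anything to a live instance. It assumes the rule semantics referenced under Security group rules (a lower priority number wins; at equal priority a deny rule beats an allow rule; traffic matched by no rule hits the hidden default deny), uses RFC 5737 documentation addresses in place of 121.XX.XX.12 and 121.XX.XX.45, and assumes the instance's local IP addresses fall in 192.168.10.0/24. It also models the two mistakes the page warns about: a whitelist without its deny rule, and a priority-1 deny that covers the instance's own local IP addresses.

```python
"""Offline model of how the security groups on an ALB instance decide inbound traffic.

Added example for this page, not Alibaba Cloud code. Assumed semantics: a lower
priority number wins (1 is highest, 100 lowest); at equal priority a Deny rule
beats an Allow rule; a packet matched by no rule falls through to the hidden
default deny of a basic or advanced security group. The ALB-managed security
group is modelled from the "Important" box: priority 1 Allow from the instance's
local IP addresses, priority 100 Allow from all IP addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str    # "Allow" or "Deny"
    priority: int  # 1 (highest) .. 100 (lowest)
    source: str    # authorization object as a CIDR: "203.0.113.12/32", "0.0.0.0/0"
    origin: str    # which security group the rule belongs to (for the explanation)


def decide(src_ip: str, rules: list[Rule]) -> tuple[str, str]:
    """Return (action, reason) for a packet from src_ip.

    Rules from every security group associated with the instance are evaluated
    together. Protocol and port are omitted because every rule on this page uses
    protocol All and port range -1/-1.
    """
    ip = ip_address(src_ip)
    matching = [r for r in rules if ip in ip_network(r.source, strict=False)]
    if not matching:
        return "Deny", "no rule matched: hidden default deny"
    # Lowest priority number first; at a tie, Deny (0) sorts before Allow (1).
    winner = min(matching, key=lambda r: (r.priority, 0 if r.action == "Deny" else 1))
    return winner.action, f"{winner.origin}: priority {winner.priority} {winner.action} from {winner.source}"


# Constructed addresses from the RFC 5737 documentation range, standing in for
# the page's 121.XX.XX.12 (Client03) and 121.XX.XX.45 (Client04).
CLIENT03 = "203.0.113.12"
CLIENT04 = "203.0.113.45"
# Assumed: the ALB instance's local IP addresses (shown on its details page) lie
# in the VSW1 subnet that also hosts ECS01/ECS02; one such address is used below.
ALB_LOCAL_RANGE = "192.168.10.0/24"
ALB_LOCAL_IP = "192.168.10.100"

# The ALB-managed security group, as described in the "Important" box.
MANAGED = [
    Rule("Allow", 1, ALB_LOCAL_RANGE, "managed SG"),
    Rule("Allow", 100, "0.0.0.0/0", "managed SG"),
]
# Security group 1 from Step 4: blacklist.
BLACKLIST_SG = [Rule("Deny", 1, f"{CLIENT03}/32", "SG1 blacklist")]
# Security group 2 from Step 4: whitelist (allow one source, deny everything else).
WHITELIST_SG = [
    Rule("Allow", 1, f"{CLIENT03}/32", "SG2 whitelist"),
    Rule("Deny", 100, "0.0.0.0/0", "SG2 whitelist"),
]
# Two mistakes the page warns against: a whitelist without its deny rule, and a
# priority-1 deny that covers the instance's own local IP addresses.
WHITELIST_WITHOUT_DENY = [Rule("Allow", 1, f"{CLIENT03}/32", "SG2 incomplete")]
DENY_LOCAL_MISTAKE = [Rule("Deny", 1, ALB_LOCAL_RANGE, "bad SG")]


def outcomes(user_sg: list[Rule]) -> dict[str, str]:
    """Action for each test source when user_sg is associated with the instance."""
    sources = {"Client03": CLIENT03, "Client04": CLIENT04, "ALB local IP": ALB_LOCAL_IP}
    return {name: decide(ip, MANAGED + user_sg)[0] for name, ip in sources.items()}


if __name__ == "__main__":
    for label, sg in (("no user SG", []), ("blacklist", BLACKLIST_SG),
                      ("whitelist", WHITELIST_SG),
                      ("whitelist without deny", WHITELIST_WITHOUT_DENY),
                      ("deny local range", DENY_LOCAL_MISTAKE)):
        print(f"{label:23} {outcomes(sg)}")
        for name, ip in (("Client03", CLIENT03), ("Client04", CLIENT04)):
            print(f"    {name}: {decide(ip, MANAGED + sg)[1]}")
```

Running the script prints the decision and the winning rule for each scenario. The two mistake scenarios show why the page's wording matters: a whitelist without the deny rule still admits Client04 through the managed group's priority-100 allow, and a priority-1 deny covering the local IP range ties with the managed priority-1 allow, loses the tie to deny, and would cut the instance off from its backends. The same rule sets can be created programmatically with the ECS AuthorizeSecurityGroup operation and attached with the ALB LoadBalancerJoinSecurityGroup operation.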

Step 5: Test baseline connectivity

Before you associate either security group, use Client03 and Client04 to confirm that both can reach the ALB instance. Because the server group uses weighted round-robin, any single request may be answered by either backend, so a response from either one is a pass.

  1. Log on to Client03 and run the curl --max-time 10 http://<your-domain-name> command. A response of Hello World ! This is ECS01. or Hello World ! This is ECS02. indicates that the client can access the ALB instance.

  2. Log on to Client04 and run the same command. A response from either backend indicates that the client can access the ALB instance.

Step 6: Associate the security group and verify

Blacklist

Associate the ALB instance with security group 1, which you created in Step 4: Create security groups, and verify whether the rules in security group 1 take effect.

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region where the ALB instance is located. This topic uses China (Hangzhou) as an example.

  3. On the Instances page, find the created ALB instance and click its ID. On the instance details page, click the Security Groups tab.

  4. On the Security Groups tab, click Create Security Group. In the Add ALB to Security Group dialog box, select security group 1 that you created in Step 4: Create security groups and click OK.

  5. In the left-side list, click the ID of the target security group. You can then click the Inbound or Outbound tab to view the security group rules.

    The following inbound security group rule is relevant to this topic:

    • Action: Deny
    • Priority: 1
    • Protocol type: All
    • Port range: Destination: -1/-1
    • Authorization object: Source: 121.XX.XX.12

  6. After associating the ALB instance with the security group, test the access result. A security group deny rule drops the packets rather than rejecting the connection, so a denied client receives no error until curl gives up; the --max-time option bounds that wait.

    1. Log on to Client03 and run the curl --max-time 10 http://<your-domain-name> command. A timeout (curl exit code 28) confirms that the security group has denied access from this client.

    2. Log on to Client04 and run the same command. A response of Hello World ! This is ECS01. or Hello World ! This is ECS02. indicates that this client can still access the ALB instance.

The results confirm that the blacklist policy is effective: the specified IP address is blocked, while other IP addresses are allowed access.

Whitelist

Associate the ALB instance with security group 2, which you created in Step 4: Create security groups, and verify whether its rules take effect. Rules from every security group associated with the instance are evaluated together, so first remove security group 1 from the ALB instance; otherwise its priority-1 deny rule for 121.XX.XX.12 still applies and the whitelist test for Client03 fails.

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region where the ALB instance is located. This topic uses China (Hangzhou) as an example.

  3. On the Instances page, find the created ALB instance and click its ID. On the Instance Details page, click the Security Groups tab.

  4. On the Security Groups tab, click Create Security Group. In the Add ALB to Security Group dialog box, select security group 2 that you created in Step 4: Create security groups and click OK.

  5. In the left-side list, click the ID of the target security group. You can then click the Inbound or Outbound tab to view the security group rules.

    The following inbound security group rules are relevant to this topic:

    Allow rule:

    • Action: Allow
    • Priority: 1
    • Protocol type: All
    • Port range: Destination: -1/-1
    • Authorization object: Source: 121.XX.XX.12

    Deny rule:

    • Action: Deny
    • Priority: 100
    • Protocol type: All
    • Port range: Destination: -1/-1
    • Authorization object: Source: All IPv4 Addresses (0.0.0.0/0)

  6. After associating the ALB instance with the security group, test the access result.

    1. Log on to Client03 and run the curl --max-time 10 http://<your-domain-name> command. A response of Hello World ! This is ECS01. or Hello World ! This is ECS02. indicates that this client can access the ALB instance.

    2. Log on to Client04 and run the same command. A timeout (curl exit code 28) indicates that access from this client to the ALB instance is denied.

The results confirm that the whitelist policy is effective: only the IP address specified in the allow rule can access the ALB instance, and every other source is dropped by the deny rule.
