Security groups are virtual firewalls that protect the security of your instances. With stateful inspection and packet filtering capabilities, security groups control the traffic allowed to and from instances associated with them.
Upgraded ALB instances support both security groups and access control lists (ACLs) to control incoming traffic, while non-upgraded ALB instances support only ACLs. To use security groups, either create new ALB instances or contact your account manager to upgrade existing ALB instances.
Security group overview
Security groups are classified into managed security groups and custom security groups. Managed security groups are created and managed by cloud services; you can view them, but you cannot modify or delete them or add instances to them. Custom security groups are those you create, and based on capacity and security policies, they are divided into basic and advanced security groups.
When you create an ALB instance, a managed security group is automatically created in the virtual private cloud (VPC) for your ALB instance. This ALB-managed security group includes the following rules:
Rules with a priority of 1 that allow inbound traffic to the local IP addresses of your ALB instance. The local IP address is used for health checks on backend servers.
Rules with a priority of 100 that allow all inbound traffic.
Rules with a priority of 1 that allow all outbound traffic.
With only the managed security group, all inbound and outbound traffic is allowed for your ALB instance. To achieve access control for it, you can add it to custom security groups.
How rules work
When your ALB instance is added to custom security groups:
If you configure only Allow rules, all inbound and outbound traffic is still allowed.
If you configure Allow rules at higher priorities and a Deny rule that denies all IP addresses at the lowest priority, only traffic to and from the IP addresses you specify is allowed.
If you configure only Deny rules, traffic to and from the IP addresses you specify is denied.
By customizing security group rules, you can allow or deny access from specific IP addresses or based on protocols and ports.
Limitations
Custom security groups for an ALB instance are subject to the following limitations:
They must belong to the same VPC as the ALB instance.
The number of custom security groups that can be associated with the ALB instance equals the security group quota for one elastic network interface (ENI) of an Elastic Compute Service (ECS) instance minus 1, which is taken by the managed security group.
The number of rules that can be associated with the ALB instance equals the rule quota for one ECS instance ENI minus the number of rules in the managed security group.
One ALB instance can be added to only one type of custom security group, either basic or advanced. To change the security group type for your ALB instance, first remove it from all associated ones, then add it to security groups of the other type.
Considerations
Outbound traffic includes requests ALB forwards to backend servers and responses ALB sends back to clients. We recommend that you don't configure any outbound rules in the security groups for your ALB instance to avoid any service interruptions.
We recommend that you don't configure any Deny rules with a priority of 1 that deny traffic to and from the local IP addresses of your ALB instance. Such rules block the health check communication between your ALB instance and the backend servers.
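A small model of the rule evaluation described under "How rules work", together with the health-check caveat above. This is an added example, not code from the ALB product: it encodes the managed group's rules as stated on this page and assumes, as for ECS security groups, that rules from all associated groups are merged, that a lower priority number wins, that a Deny rule beats an Allow rule at equal priority, and that unmatched traffic is denied. The local IP, client ranges and port numbers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int               # 1 is the highest priority, 100 the lowest
    action: str                 # "allow" or "deny"
    cidr: str                   # source range the rule matches
    port: Optional[int] = None  # None matches any destination port

def managed_group(local_ips):
    # Managed inbound rules: priority 1 allow per local IP (health checks), 100 allow-all
    rules = [Rule(1, "allow", f"{ip}/32") for ip in local_ips]
    return rules + [Rule(100, "allow", "0.0.0.0/0")]

def evaluate_inbound(rules, src_ip, dst_port):
    # Assumed model (not spelled out on the page): rules of all associated
    # groups are merged, the lowest priority number wins, a Deny beats an
    # Allow at equal priority, and unmatched traffic is denied.
    src = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: (r.priority, r.action != "deny")):
        net = ipaddress.ip_network(r.cidr, strict=False)
        if src.version != net.version or src not in net:
            continue
        if r.port is not None and r.port != dst_port:
            continue
        return r.action
    return "deny"

# Constructed sample values: private ALB local IP, RFC 5737 ranges for clients
MANAGED = managed_group(["192.168.1.10"])
ALLOW_OFFICE = Rule(10, "allow", "203.0.113.0/24", port=443)

def only_allow_rules(src):
    # Only Allow rules in the custom group: all traffic is still allowed
    return evaluate_inbound(MANAGED + [ALLOW_OFFICE], src, 443)

def allow_plus_deny_all(src, port=443):
    # Allow rules at higher priority plus a Deny-all at the lowest priority
    custom = [ALLOW_OFFICE, Rule(100, "deny", "0.0.0.0/0")]
    return evaluate_inbound(MANAGED + custom, src, port)

def only_deny_rules(src):
    # Only a Deny rule for one client range
    return evaluate_inbound(MANAGED + [Rule(1, "deny", "198.51.100.0/24")], src, 443)

def deny_local_ip(src="192.168.1.10"):
    # Considerations: a priority-1 Deny on the local IP blocks health checks
    return evaluate_inbound(MANAGED + [Rule(1, "deny", "192.168.1.10/32")], src, 80)
```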
Comparison between security groups and ACLs
Both security groups and ACLs act as IP address blacklists or whitelists for ALB instances, with the following differences:
Security groups:
Control traffic on either a per-instance or per-listener (if you choose specific ports to allow) basis.
Allow certain IP addresses, while denying other ones.
Support control over both IPv4 and IPv6 traffic.
ACLs:
Control traffic on a per-listener basis.
Set a list of IP addresses to either whitelist or blacklist.
Support control over only IPv4 traffic.
Add your ALB instance to a security group
Prerequisites
An ALB instance is created.
A security group is created and security group rules are configured.
Note: The security group feature for ALB is provided by ECS. To create, modify, or delete security groups or configure security group rules, go to the ECS console. In the ALB console, you can only add or remove ALB instances from existing security groups and check security group settings for your ALB instance.
Console
Go to ALB console - Instances.
In the top navigation bar, select the region.
Click the ID of the ALB instance.
On the instance details page, click the Security Groups tab.
Click Create Security Group.
In the Add ALB to Security Group dialog box, select at least one security group to associate. Set Resource Group to filter for the security groups you want. In the Security Groups drop-down list, click Create Security Group to create a new security group in the ECS console. After security groups are selected, click OK.
On the Security Groups tab, check the settings of the security groups associated with the ALB instance. Click Create Security Group in the upper-left corner to add your ALB instance to more security groups.
To update rules in a security group, click ECS console in the upper-right corner or click the security group ID in the Basic Information section, then edit rules on the security group details page.
API
Call the LoadBalancerJoinSecurityGroup operation.
Remove your ALB instance from a security group
Console
Go to ALB console - Instances.
In the top navigation bar, select the region.
Click the ID of the ALB instance.
On the instance details page, click the Security Groups tab.
Click the name or ID of the security group that you want to manage, then click Remove in the upper-right corner.
In the Remove dialog box, click OK.
API
Call the LoadBalancerLeaveSecurityGroup operation.