
Server Load Balancer: Use security groups to implement fine-grained access control based on listeners and ports

Last Updated:Dec 12, 2023

To control which requests reach your service, you can add a load balancer to a security group and enforce access control based on protocols, ports, and IP addresses. Unlike Classic Load Balancer (CLB), which uses access control lists (ACLs), Network Load Balancer (NLB) can use security groups for finer-grained access control based on protocols and ports. This topic describes how to configure a security group for an NLB instance to implement access control based on listeners and ports.

Sample scenarios

  • Before an NLB instance is added to a security group, the listener ports of the NLB instance accept all requests by default.

  • After an NLB instance is added to a security group that does not contain Deny rules, the listener ports of the NLB instance still accept all requests by default. If you want to allow requests only from specific IP addresses to your NLB instance, an Allow rule alone is not sufficient: you must also create a Deny rule.

If your NLB instance has access control requirements and you want to control inbound traffic to the NLB instance, you can add the NLB instance to a security group and configure security group rules based on your business requirements.

Important

The outbound traffic of an NLB instance refers to responses returned to user requests. To ensure that your service is not affected, NLB security groups do not limit outbound traffic. You do not need to configure outbound rules for security groups.

The following table describes how to configure a security group for an NLB instance in different scenarios. In these examples, access control is based on protocols and ports: a TCP listener that listens on port 80 and a TCP listener that listens on port 81 are used.

Scenario 1: The NLB instance is not added to a security group.

  Security group rule: None. The listener ports of the NLB instance accept all requests by default. In this example, a TCP listener that listens on port 80 and a TCP listener that listens on port 81 are created for the NLB instance.

  Expected result:

  • Requests to the TCP listener that listens on port 80 of the NLB instance are allowed.

  • Requests to the TCP listener that listens on port 81 of the NLB instance are allowed.

  Reference: Step 2: Create an NLB instance and configure listeners

Scenario 2: The NLB instance is added to a security group.

  Security group rules (only the rules relevant to this topic are listed; other default rules are omitted):

  • Allow requests to the TCP listener that listens on port 80 of the NLB instance.

  • Deny requests to the TCP listener that listens on port 81 of the NLB instance.

  Expected result: TCP port 81 rejects requests.

  Reference: Step 4: Add the NLB instance to the security group and check the result

Scenario 3: The security group to which the NLB instance is added is modified.

  Security group rules (only the rules relevant to this topic are listed; other default rules are omitted):

  • Deny requests to the TCP listener that listens on port 80 of the NLB instance (the Allow rule for port 80 is changed to Deny).

  • Deny requests to the TCP listener that listens on port 81 of the NLB instance.

  Expected result:

  • TCP port 80 rejects requests.

  • TCP port 81 rejects requests.

  Reference: Step 5: Modify the security group rules and check the result
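The three scenarios above all follow from one evaluation rule: an NLB listener port accepts a request unless a matching Deny rule exists. The following Python model replays the scenarios for the port 80 and port 81 listeners and also shows the point made under "Sample scenarios", namely that an Allow rule for a trusted subnet restricts nothing until a Deny rule for everyone else is added. This is an added example, not Alibaba Cloud's own code or API; the client addresses are constructed, and the priority tie-break (lower number wins, Deny beats Allow at equal priority) is an assumption taken from general ECS security group behaviour rather than something this page states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One inbound security group rule, with the fields the console asks for."""
    action: str      # "Allow" or "Deny"
    priority: int    # lower number = higher priority (assumption, see evaluate)
    protocol: str    # "TCP", "UDP", ...
    port_from: int   # destination port range, inclusive
    port_to: int
    source: str      # authorization object as a CIDR, e.g. "0.0.0.0/0"

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        return (self.protocol == protocol
                and self.port_from <= port <= self.port_to
                and ip_address(src_ip) in ip_network(self.source, strict=False))


def evaluate(rules, protocol: str, port: int, src_ip: str) -> str:
    """Decide whether one inbound request to an NLB listener is allowed.

    Semantics modelled:
      - No security group, or no rule matching the request: "Allow". This is
        the NLB behaviour the page states (listener ports accept all requests
        unless a Deny rule matches).
      - Rules are compared by priority number, lowest number first; among
        matching rules that share the winning priority, Deny overrides Allow.
        This tie-break is an assumption borrowed from ECS security groups.
    """
    matching = [r for r in rules if r.matches(protocol, port, src_ip)]
    if not matching:
        return "Allow"
    best = min(r.priority for r in matching)
    actions = {r.action for r in matching if r.priority == best}
    return "Deny" if "Deny" in actions else "Allow"


ANY = "0.0.0.0/0"
CLIENT = "192.168.0.3"    # constructed private address standing in for ECS03


def scenarios() -> dict:
    """Replay the three scenarios from the table for the port 80/81 listeners."""
    sg_step3 = [Rule("Allow", 1, "TCP", 80, 80, ANY),   # rules as listed in Step 4
                Rule("Deny", 1, "TCP", 81, 81, ANY)]
    sg_step5 = [Rule("Deny", 1, "TCP", 80, 80, ANY),    # port 80 rule flipped in Step 5
                Rule("Deny", 1, "TCP", 81, 81, ANY)]
    cases = {
        "scenario1_no_security_group": [],
        "scenario2_security_group_added": sg_step3,
        "scenario3_security_group_modified": sg_step5,
    }
    return {name: {port: evaluate(rules, "TCP", port, CLIENT) for port in (80, 81)}
            for name, rules in cases.items()}


def source_restriction() -> dict:
    """Why an Allow rule alone cannot restrict sources.

    Returns the decision for a trusted and an untrusted client under two
    rule sets: Allow-only, and Allow plus a lower-priority Deny for everyone.
    """
    trusted, untrusted = "10.0.0.5", "203.0.113.9"   # constructed addresses
    allow_only = [Rule("Allow", 1, "TCP", 80, 80, "10.0.0.0/24")]
    allow_and_deny = allow_only + [Rule("Deny", 2, "TCP", 80, 80, ANY)]
    return {
        "allow_only": {ip: evaluate(allow_only, "TCP", 80, ip)
                       for ip in (trusted, untrusted)},
        "allow_and_deny": {ip: evaluate(allow_and_deny, "TCP", 80, ip)
                           for ip in (trusted, untrusted)},
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
    print(source_restriction())
```

Running the script prints Allow/Allow for scenario 1, Allow/Deny for scenario 2 and Deny/Deny for scenario 3, and shows that with the Allow-only rule set the untrusted client is still allowed; only the added Deny rule turns the Allow rule into an allow list.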

Limits

Security groups supported by NLB

  Security group type:

  • Common security group

  • Enterprise security group

  Description:

  • The security group and the NLB instance must belong to the same virtual private cloud (VPC).

  • You can add an NLB instance to up to four security groups. The security groups to which an NLB instance is added must be of the same type.

    If an NLB instance is added to a basic security group and you want to add the instance to an advanced security group, you must remove the NLB instance from the basic security group. Likewise, if an NLB instance is added to an advanced security group and you want to add the instance to a basic security group, you must remove the NLB instance from the advanced security group.

  • NLB instances created before September 30, 2022, during the public preview, cannot be added to security groups. To use security groups, replace these NLB instances or purchase new NLB instances.

  For more information about basic security groups and advanced security groups, see Basic security groups and advanced security groups.

Security groups not supported by NLB

  Security group type: Managed security group

  Description: For more information about managed security groups, see Managed security groups.

Prerequisites

  • A virtual private cloud (VPC) is created. VPC1 is used in this example. For more information, see Create and manage a VPC.

  • Three Elastic Compute Service (ECS) instances are deployed in VPC1. ECS01 and ECS02 function as backend servers for the NLB instance. Applications are deployed on ECS01 and ECS02. ECS03 functions as the client which sends requests to the NLB instance.

Procedure

(Figure: Configuration process)

Step 1: Create a server group

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region where the server group is deployed. In this example, China (Hangzhou) is selected.

  3. In the left-side navigation pane, choose NLB > Server Group.

  4. On the Server Groups page, click Create Server Group.

  5. In the Create Server Group dialog box, set the parameters and click Create.

    The following parameters are relevant to this topic. You can use the default values for the other parameters. For more information, see Create a server group.

    • Server Group Type: Specify how backend servers are added to the server group. In this example, Server Type is selected.

    • Server Group Name: The name of the server group. In this example, RS01 is used.

    • VPC: Select a VPC from the drop-down list. In this example, VPC1 is selected.

    • Backend Server Protocol: Select a backend protocol. In this example, TCP is selected.

    • Scheduling Algorithm: Select a scheduling algorithm. In this example, Weighted Round-Robin is selected.

  6. In the Server group created dialog box, click Add Backend Server.

  7. On the Backend Servers tab, click Add Backend Server.

  8. In the Add Backend Server panel, select ECS01 and ECS02 and click Next.

  9. Set the ports and weights of the added servers and click OK.

Step 2: Create an NLB instance and configure listeners

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region in which the NLB instance is deployed. In this example, China (Hangzhou) is selected.

  3. On the Instances page, click Create NLB.

  4. On the NLB (Pay-As-You-Go) page, configure the following parameters.

    The following section describes the parameters that are relevant to this topic. For more information about other parameters, see Create an NLB instance.

    • Region: In this example, China (Hangzhou) is selected.

    • Network Type: In this example, Intranet is selected.

    • VPC: In this example, VPC1 is selected.

  5. Click Buy Now and complete the payment as prompted.

  6. Return to the Instances page, find the NLB instance that you want to manage, and then click the ID of the NLB instance.

  7. Click the Listener tab. On the Listener tab, click Quick Create Listener. In the Quick Create Listener dialog box, set the following parameters to create a TCP listener that listens on port 80, and click OK.

    • Listener Protocol: Select a listener protocol. In this example, TCP is selected.

    • Listener Port: Enter a listener port. In this example, port 80 is specified.

    • Server Group: Select Server Type and select a server group from the drop-down list next to Server Type. In this example, the server group RS01 created in Step 1 is selected.

  8. On the Listener tab, click Quick Create Listener. In the Quick Create Listener dialog box, set the following parameters to create a TCP listener that listens on port 81, and click OK.

    • Listener Protocol: Select a listener protocol. In this example, TCP is selected.

    • Listener Port: Enter a listener port. In this example, port 81 is specified.

    • Server Group: Set the Server Type parameter and select a server group based on the specified server type. In this example, the server group RS01 created in Step 1 is selected.

  9. Check the accessibility of the NLB instance before it is added to a security group.

    1. Log on to ECS03. For more information, see Connect to an ECS instance.

    2. Run the following command to test whether ECS03 in VPC1 can access port 80 of the NLB instance: telnet nlb-vu3bmpv88w22fr****.cn-hangzhou.nlb.aliyuncs.com 80

      If the connection is established, as shown in the following figure, ECS03 can access port 80 of the NLB instance. (Figure: Access test 1)

    3. Run the following command to test whether ECS03 in VPC1 can access port 81 of the NLB instance: telnet nlb-vu3bmpv88w22fr****.cn-hangzhou.nlb.aliyuncs.com 81

      If the connection is established, as shown in the following figure, ECS03 can access port 81 of the NLB instance. (Figure: Access test 2)

    4. The results show that before the NLB instance is added to a security group, ECS03 can access both port 80 and port 81 of the NLB instance.

Step 3: Create a security group

To add the NLB instance to a security group, you need to first create a security group in the ECS console.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Security Groups.

  3. In the top navigation bar, select the region where you want to create a security group. In this example, China (Hangzhou) is selected.

  4. On the Security Groups page, click Create Security Group.

  5. On the Create Security Group page, set the parameters in the Basic Information section.

    The following section describes only the parameters that are relevant to this topic. For more information about other parameters, see Create a security group.

    • Network: In this example, VPC1 is selected.

    • Security Group Type: In this example, Basic Security Group is selected.

  6. On the Create Security Group page, set the parameters in the Access Rule section.

    1. On the Inbound tab, click Add Rule.

    2. Create a security group rule with the following parameters.

      • Action: Select Deny.

      • Priority: The default value 1 is used.

      • Protocol: Select Custom TCP.

      • Port Range: Enter the port number 81.

      • Authorization Object: Select 0.0.0.0/0.

      • Description: Enter a description for the security group rule.

  7. Click Create Security Group.

Step 4: Add the NLB instance to the security group and check the result

Add the NLB instance to the security group created in Step 3 and check whether the security group rules take effect on the NLB instance.

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region in which the NLB instance is deployed. In this example, China (Hangzhou) is selected.

  3. In the left-side navigation pane, choose NLB > Instances. Find the NLB instance created in Step 2 and click the ID. On the instance details page, click the Security Groups tab.

  4. On the Security Groups tab, click Create Security Group. In the Add NLB Instance to Security Group dialog box, select the security group created in Step 3 and click OK.

  5. In the left-side navigation pane, click the ID of the security group that you want to manage. You can click the Inbound Policies or Outbound Policies tab to view the security group rules.

    The following table lists only the inbound rules that are relevant to this topic, that is, the rules created for the NLB instance. Other default rules are omitted.

    Policy   Priority   Protocol Type   Port Range            Authorization Object
    Allow    1          Custom TCP      Destination: 80/80    Source: 0.0.0.0/0
    Deny     1          Custom TCP      Destination: 81/81    Source: 0.0.0.0/0

  6. Check the result after the NLB instance is added to the security group.

    1. Log on to ECS03. For more information, see Connect to an ECS instance.

    2. Run the following command to test whether ECS03 in VPC1 can access port 80 of the NLB instance: telnet nlb-vu3bmpv88w22fr****.cn-hangzhou.nlb.aliyuncs.com 80

      If the connection is established, as shown in the following figure, ECS03 can access port 80 of the NLB instance. (Figure: Access test 3)

    3. Run the following command to test whether ECS03 in VPC1 can access port 81 of the NLB instance: telnet nlb-vu3bmpv88w22fr****.cn-hangzhou.nlb.aliyuncs.com 81

      If the connection attempt fails, as shown in the following figure, ECS03 cannot access port 81 of the NLB instance. This shows that the security group rules take effect once the NLB instance is added to the security group. (Figure: Access test 4)

Step 5: Modify the security group rules and check the result

Modify the security group rules and check whether access to the NLB instance is allowed or denied.

  1. Return to the NLB > Instances page, find the NLB instance created in Step 2, and then click the ID. On the instance details page, click the Security Groups tab.

  2. Click the ID of the security group in the Basic Information section, or click ECS Console in the upper-right corner of the Security Groups tab. Then, you can modify the security group rules on the Security Group Rules tab.

  3. On the Security Group Rules tab, find the security group rule which allows access to port 80. Click Modify in the Actions column and set Action to Deny.

    The following table lists only the security group rules that are relevant to this topic, as they appear after the modification. Other default rules are omitted.

    Policy   Priority   Protocol Type   Port Range            Authorization Object
    Deny     1          Custom TCP      Destination: 80/80    Source: 0.0.0.0/0
    Deny     1          Custom TCP      Destination: 81/81    Source: 0.0.0.0/0

  4. Test whether access to the NLB instance is denied after the security group rule is modified.

    1. Log on to ECS03. For more information, see Connect to an ECS instance.

    2. Run the following command to test whether ECS03 in VPC1 can access port 80 of the NLB instance: telnet nlb-vu3bmpv88w22fr****.cn-hangzhou.nlb.aliyuncs.com 80

      If the connection attempt fails, as shown in the following figure, ECS03 cannot access port 80 of the NLB instance. The modified security group rules take effect on the NLB instance. (Figure: Access test 6)

    3. Run the following command to test whether ECS03 in VPC1 can access port 81 of the NLB instance: telnet nlb-vu3bmpv88w22fr****.cn-hangzhou.nlb.aliyuncs.com 81

      If the connection attempt fails, as shown in the following figure, ECS03 cannot access port 81 of the NLB instance. The modified security group rules take effect on the NLB instance. (Figure: Access test 5)
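The accessibility checks in Step 2 (sub-step 9), Step 4 (sub-step 6) and Step 5 (sub-step 4) are all the same test run by hand with telnet: connect from the client ECS instance to each listener port and see whether the connection is established. The following Python script is an added example, not part of this page or of Alibaba Cloud's tooling, that performs the same check for both listener ports in one run and distinguishes a connection that is refused (the host answers, nothing listens) from one that times out (packets are dropped, which is the outcome to expect on a port covered by a Deny rule). The NLB domain name is taken from the command line, so the masked name on this page is not filled in; the `demo()` function runs the check offline against loopback sockets created by the script itself.

```python
import socket
import sys


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connection and classify the outcome.

    "open"    - handshake completed: the listener accepted the connection
    "refused" - RST received: the host answered but nothing listens there
    "timeout" - no reply before the timeout: packets are being dropped, which
                is what a matching Deny rule looks like from the client side
    "error"   - name resolution failure or another socket error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:            # alias of TimeoutError on Python 3.10+
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"


def check_listeners(host: str, ports=(80, 81), timeout: float = 3.0) -> dict:
    """Probe every listener port once, e.g. the TCP listeners on ports 80 and 81."""
    return {port: probe(host, port, timeout) for port in ports}


def demo() -> dict:
    """Offline demonstration on the loopback interface: one real listener and
    one port that nothing listens on. No NLB instance is needed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                     # port released, so a connect is refused
    try:
        return {"open": probe("127.0.0.1", open_port, 1.0),
                "closed": probe("127.0.0.1", closed_port, 1.0)}
    finally:
        listener.close()


if __name__ == "__main__":
    # Usage: python check_nlb.py <nlb-domain-name> [port ...]
    # Without arguments the offline demo runs instead.
    if len(sys.argv) < 2:
        print(demo())
    else:
        ports = tuple(int(p) for p in sys.argv[2:]) or (80, 81)
        for port, outcome in check_listeners(sys.argv[1], ports).items():
            print(f"port {port}: {outcome}")
```

Run from ECS03 with the NLB domain name as the argument, the expected results for the page's three stages are open/open before the instance joins the security group, open/timeout after Step 4, and timeout/timeout after Step 5. A "refused" result on a listener port would point at the listener or backend servers rather than at the security group, since a Deny rule drops the packets instead of answering them.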

References