All Products
Search
Document Center

Server Load Balancer:Use security groups as blacklists or whitelists

Last Updated:Jun 25, 2026

If you want to deny or allow requests from specific IP addresses to a Network Load Balancer (NLB) instance, you can configure a security group for the NLB instance to implement access control. NLB security groups can be used as whitelists or blacklists, which implement fine-grained access control.

Sample scenarios

By default—whether or not the NLB instance is associated with a security group—its listener ports accept all inbound requests. Adding a security group with only Allow rules does not change this behavior. To restrict access to specific IP addresses, add at least one Deny rule to the security group.

NLB security groups apply to inbound traffic only. Outbound traffic (responses to client requests) is never restricted, so no outbound rules are required.

Managed security group

When you create an NLB instance, the system automatically creates a managed security group in the same virtual private cloud (VPC). This security group is read-only—you can view its rules but cannot modify them.

The managed security group contains the following rules:

Priority

Action

Protocol

Source

Port range

Description

1

Allow

All

NLB local IP addresses

All

Enables communication between the NLB instance and its backend servers, and allows health check traffic

100

Allow

All

0.0.0.0/0

All

Allows all inbound traffic by default

(invisible)

Deny

All

0.0.0.0/0

All

Default deny-all rule built into basic and advanced security groups; the priority-100 Allow rule takes precedence

Important

Do not add Deny rules with priority 1 that target the NLB local IP addresses. Such rules conflict with the managed security group and can disrupt communication between the NLB instance and its backend servers. To check the local IP addresses of your NLB instance, log on to the NLB console.

The following scenarios are used to demonstrate how whitelists and blacklists work. For more information, see Security group rules.

A blacklist denies access from specific IP addresses.

image.png

A whitelist allows access only from specific IP addresses.

image.png

Limitations

Item

Details

Supported security group types

Basic security group, advanced security group

Unsupported security group type

Managed security group

Same VPC required

The security group and the NLB instance must belong to the same VPC

Maximum number of security groups

Up to 4 security groups per NLB instance

Mixed types not allowed

All security groups associated with an NLB instance must be of the same type. To switch from basic to advanced, remove the NLB instance from the basic security group first. To switch from advanced to basic, remove the NLB instance from the advanced security group first

Quota calculation

Available security group slots = ENI security group quota for ECS − 1 (reserved for the managed security group)

Security group rule quota

Available rule slots = ENI security group rule quota for ECS − number of rules in the managed security group

Legacy instances

NLB instances created before September 30, 2022 (during the public preview) cannot be added to security groups. Replace these instances or purchase new ones to use this feature

For details on basic and advanced security group differences, see Basic and advanced security groups.

Prerequisites

Four Elastic Compute Service (ECS) instances are created. For more information about how to create an ECS instance, see Purchase an ECS instance.

  • ECS01 and ECS02 function as backend servers of the NLB instance. Applications are deployed on ECS01 and ECS02.

    The following sample commands are used to deploy test applications on ECS01 and ECS02:

    Commands for deploying an application on ECS01

    yum install -y nginx
    systemctl start nginx.service
    cd /usr/share/nginx/html/
    echo "Hello World ! This is ECS01." > index.html
    

    Commands for deploying an application on ECS02

    yum install -y nginx
    systemctl start nginx.service
    cd /usr/share/nginx/html/
    echo "Hello World ! This is ECS02." > index.html
    
  • ECS03 and ECS04 are Internet-facing instances used to access the NLB instance. You can also use an existing Linux server to access the NLB instance. In this case, you do not need to create ECS03 and ECS04.

  • A domain name is registered, an Internet content provider (ICP) number is obtained for the domain name, and a CNAME record is created to map the custom domain name to the domain name of your NLB instance. For more information, see Register a domain name, ICP filing process, and Step 4: Create a DNS record.

    The following table describes the configurations of the ECS instances used in this topic.

    Instance

    ECS configuration

    VPC

    IP address

    Procedure

    ECS01

    • Instance type: ecs.u1-c1m1.large

    • CPUs and memory: 2 vCPUs and 2 GiB of memory

    • Operating system: Alibaba Cloud Linux 3.2104 LTS 64-bit

    • Network type: VPC

    VPC01

    • Private: 192.168.0.24

    • Public: not assigned

    The instances are specified as the backend servers of the NLB instance.

    ECS02

    • Private: 192.168.0.37

    • Public: not assigned

    ECS03

    VPC02

    • Private: 192.168.0.25

    • Public: 47.XX.XX.55

    The instances are used as clients to access the NLB instance.

    ECS04

    • Private: 192.168.0.26

    • Public: 101.XX.XX.251

Step 1: Create a server group

  1. Log on to the NLB console.

  2. In the top navigation bar, select the region where you want to create a server group. In this example, China (Hangzhou) is selected.

  3. In the left-side navigation pane, choose NLB > Server Groups.

  1. On the Server Group page, click Create Server Group.

  2. In the Create Server Group dialog box, set the following parameters and click Create.

    The following table describes the key parameters for creating a server group. Use the default values for other parameters. For more information, see Create a server group.

    Parameter

    Description

    Server Group Type

    Specify a type of server group. In this example, Server is selected.

    Server Group Name

    Enter a name for the server group. In this example, RS01 is used.

    VPC

    Select a VPC from the drop-down list. In this example, VPC1 is selected. The server group must reside in the same VPC as ECS01 and ECS02.

    Backend Server Protocol

    Select a backend protocol. In this example, TCP is selected.

  1. In the The server group is created dialog box, click Add Backend Server.

  2. On the Backend Servers tab, click Add Backend Server.

  3. In the Add Backend Server panel, select ECS01 and ECS02 and click Next.

  4. Specify ports and weights for the backend servers and click OK. In this example, port 80 is specified and the default weight is used.

Step 2: Create an NLB instance and configure listeners

  1. In the left-side navigation pane, choose NLB > Instances. On the Instances page, click Create NLB.

  2. On the Network Load Balancer (Pay-As-You-Go) page, set the following parameters.

    The following table describes only some of the parameters. For more information about other parameters, see Create an instance.

    • Region: In this example, China (Hangzhou) is selected.

    • Network Type: In this example, Public is selected.

    • VPC: In this example, VPC01 is selected.

  3. Click Buy Now and complete the payment.

  4. Return to the Instances page, find the NLB instance that you created, and click the ID of the NLB instance.

  5. Click the Listener tab. On the Listener tab, click Quick Create Listener. In the Quick Create Listener dialog box, set the following parameters to create a TCP listener that uses port 80 and click OK.

    Parameter

    Procedure

    Listener Protocol

    Select a listener protocol. In this example, TCP is selected.

    Listener Port

    In this example, port 80 is used.

    Server Group

    Select Server and select a server group from the drop-down list next to Server.

    In this example, the server group created in Step 1: Create a server group is selected.

  6. Check the accessibility of the NLB instance when the NLB instance is not added to a security group. The command curl -s http://whatismyip.akamai.com/ can be used to query the public IP address of the client which sends the request.

    1. Log on to ECS03. Run the following command to test whether ECS03 can access the NLB instance: telnet Domain name 80.

      If you receive echo reply packets as shown in the following figure, ECS03 can access the NLB instance.image.png

    2. Log on to ECS04. Run the following command to test whether ECS04 can access the NLB instance: telnet Domain name 80.

      If you receive echo reply packets as shown in the following figure, ECS04 can access the NLB instance.image.png

    The results show that before the NLB instance is added to a security group, ECS03 and ECS04 can access the NLB instance.

Step 3: Create a security group

Before you add your NLB instance to a security group, you must create a security group in the ECS console. This section describes how to create two security groups.

  • Security Group 1 as a blacklist

    Add a Deny rule that denies access from specified IP addresses. In this example, a Deny rule that denies access from the public IP address 47.XX.XX.55 of ECS03 is created. You can keep the default security group rule. The following table describes the configurations of the rule.

    Policy

    Priority

    Protocol

    Port range

    Authorization object

    Deny

    1

    All

    Destination: -1/-1

    Source: 47.XX.XX.55

  • Security Group 2 as a whitelist

    Add an Allow rule that allows access from specific IP addresses and a Deny rule that denies access from specific IP addresses. In this example, an Allow rule that allows access from the public IP address 47.XX.XX.55 of ECS03, and a Deny rule are created. The following table describes the configurations of the rules.

    Policy

    Priority

    Protocol

    Port range

    Authorization object

    Yes

    1

    All

    Destination: -1/-1

    Source: 47.XX.XX.55

    Deny

    100

    All

    Destination: -1/-1

    Source: 0.0.0.0/0

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Security Groups.

  3. In the top navigation bar, select the region where you want to create a security group. In this example, China (Hangzhou) is selected.

  4. On the Security Groups page, click Create Security Group.

  5. On the Create Security Group page, set the parameters in the Basic Information section.

    Specify the following parameters. For more information about other parameters, see Create a security group.

    • Network: In this example, VPC 1 is selected. The security group must reside in the same VPC as the NLB instance.

    • Security Group Type: In this example, Basic Security Group is selected.

  6. On the Create Security Group page, set the parameters in the Rules section.

    1. On the Inbound tab, click Add Rule to add rules based on the configurations of the rules in Security Group 1 and Security Group 2.

    2. Click Create Security Group.

Step 4: Add the NLB instance to the security group and verify the result

Use Security Group 1 as a blacklist

Add the NLB instance to Security Group 1 created in Step 3, and test whether the rule in Security Group 1 takes effect on the NLB instance.

  1. Log on to the NLB console.

  2. In the top navigation bar, select the region where the NLB instance is deployed. In this example, China (Hangzhou) is selected.

  3. In the left-side navigation pane, choose NLB > Instances. On the page that appears, find the NLB instance created in Step 2: Create an NLB instance and configure listeners and click the instance ID. On the instance details page, click the Security Groups tab.

  4. On the Security Groups tab, click Create Security Group. In the Add NLB Instance to Security Group dialog box, select the security group created in Step 3 and click OK.

  5. In the left-side panel, click the ID of the security group that you want to manage. You can click the Inbound Policies or Outbound Policies tab to view the security group rules.

    The following table describes the parameters that are relevant to this topic.

    Policy

    Priority

    Protocol

    Port range

    Authorization object

    Deny

    1

    All

    Destination: -1/-1

    Source: 47.XX.XX.55

  6. Test whether access to the NLB instance in the security group is denied. The command curl -s http://whatismyip.akamai.com can be used to query the public IP address of the client which sends requests.

    1. Log on to ECS03. Run the following command to test whether ECS03 can access the NLB instance: telnet Domain name 80.

      If you receive echo reply packets as shown in the following figure, ECS04 failed to access the NLB instance.image.png

    2. Log on to ECS04. Run the following command to test whether ECS04 can access the NLB instance: telnet Domain name 80.

      If you receive echo reply packets as shown in the following figure, ECS04 can access the NLB instance.image.png

    The results show that after the NLB instance is added to Security Group 1, IP addresses specified in the Deny rule can no longer access the NLB instance. IP address not specified in the Deny rule can access the NLB instance.

Use Security Group 2 as a whitelist

Add the NLB instance to Security Group 2 created in Step 3, and test whether the rules in Security Group 2 take effect on the NLB instance.

  1. Log on to the NLB console.

  2. In the top navigation bar, select the region where the NLB instance is deployed. In this example, China (Hangzhou) is selected.

  3. In the left-side navigation pane, choose NLB > Instances. On the page that appears, find the NLB instance created in Step 2: Create an NLB instance and configure listeners and click the instance ID. On the instance details page, click the Security Groups tab.

  4. On the Security Groups tab, click Create Security Group. In the Add NLB Instance to Security Group dialog box, select Security Group 2 created in Step 3 and click OK.

  5. In the left-side panel, click the ID of the security group that you want to manage. You can click the Inbound Policies or Outbound Policies tab to view the security group rules.

    Policy

    Priority

    Protocol

    Port range

    Authorization object

    Yes

    1

    All

    Destination: -1/-1

    Source: 47.XX.XX.55

    Deny

    100

    All

    Destination: -1/-1

    Source: 0.0.0.0/0

  6. Test whether access to the NLB instance in the security group is denied. The command curl -s http://whatismyip.akamai.com can be used to query the public IP address of the client which sends requests.

    1. Log on to ECS03. Run the following command to test whether ECS03 can access the NLB instance: telnet Domain name 80.

      If you receive echo reply packets as shown in the following figure, ECS04 can access the NLB instance.image.png

    2. Log on to ECS04. Run the command to test whether ECS04 can access the NLB instance: telnet Domain name 80.

      If you receive echo reply packets as shown in the following figure, ECS04 failed to access the NLB instance.image.png

    The results show that after the NLB instance is added to Security Group 2, only IP addresses specified in the Allow rules of Security Group 2 can access the NLB instance.

References