If you want to deny or allow requests from specific IP addresses to a Network Load Balancer (NLB) instance, you can configure a security group for the NLB instance to implement access control. NLB security groups can be used as whitelists or blacklists, which implement fine-grained access control.
Sample scenarios
By default—whether or not the NLB instance is associated with a security group—its listener ports accept all inbound requests. Adding a security group with only Allow rules does not change this behavior. To restrict access to specific IP addresses, add at least one Deny rule to the security group.
NLB security groups apply to inbound traffic only. Outbound traffic (responses to client requests) is never restricted, so no outbound rules are required.
Managed security group
When you create an NLB instance, the system automatically creates a managed security group in the same virtual private cloud (VPC). This security group is read-only—you can view its rules but cannot modify them.
The managed security group contains the following rules:
Priority | Action | Protocol | Source | Port range | Description |
1 | Allow | All | NLB local IP addresses | All | Enables communication between the NLB instance and its backend servers, and allows health check traffic |
100 | Allow | All | 0.0.0.0/0 | All | Allows all inbound traffic by default |
(invisible) | Deny | All | 0.0.0.0/0 | All | Default deny-all rule built into basic and advanced security groups; the priority-100 Allow rule takes precedence |
Do not add Deny rules with priority 1 that target the NLB local IP addresses. Such rules conflict with the managed security group and can disrupt communication between the NLB instance and its backend servers. To check the local IP addresses of your NLB instance, log on to the NLB console.
The following scenarios are used to demonstrate how whitelists and blacklists work. For more information, see Security group rules.
A blacklist denies access from specific IP addresses.

A whitelist allows access only from specific IP addresses.

Limitations
|
Item |
Details |
|
Supported security group types |
Basic security group, advanced security group |
|
Unsupported security group type |
Managed security group |
|
Same VPC required |
The security group and the NLB instance must belong to the same VPC |
|
Maximum number of security groups |
Up to 4 security groups per NLB instance |
|
Mixed types not allowed |
All security groups associated with an NLB instance must be of the same type. To switch from basic to advanced, remove the NLB instance from the basic security group first. To switch from advanced to basic, remove the NLB instance from the advanced security group first |
|
Quota calculation |
Available security group slots = ENI security group quota for ECS − 1 (reserved for the managed security group) |
|
Security group rule quota |
Available rule slots = ENI security group rule quota for ECS − number of rules in the managed security group |
|
Legacy instances |
NLB instances created before September 30, 2022 (during the public preview) cannot be added to security groups. Replace these instances or purchase new ones to use this feature |
For details on basic and advanced security group differences, see Basic and advanced security groups.
Prerequisites
Four Elastic Compute Service (ECS) instances are created. For more information about how to create an ECS instance, see Purchase an ECS instance.
ECS01 and ECS02 function as backend servers of the NLB instance. Applications are deployed on ECS01 and ECS02.
The following sample commands are used to deploy test applications on ECS01 and ECS02:
ECS03 and ECS04 are Internet-facing instances used to access the NLB instance. You can also use an existing Linux server to access the NLB instance. In this case, you do not need to create ECS03 and ECS04.
A domain name is registered, an Internet content provider (ICP) number is obtained for the domain name, and a CNAME record is created to map the custom domain name to the domain name of your NLB instance. For more information, see Register a domain name, ICP filing process, and Step 4: Create a DNS record.
The following table describes the configurations of the ECS instances used in this topic.
Instance
ECS configuration
VPC
IP address
Procedure
ECS01
Instance type: ecs.u1-c1m1.large
CPUs and memory: 2 vCPUs and 2 GiB of memory
Operating system: Alibaba Cloud Linux 3.2104 LTS 64-bit
Network type: VPC
VPC01
Private: 192.168.0.24
Public: not assigned
The instances are specified as the backend servers of the NLB instance.
ECS02
Private: 192.168.0.37
Public: not assigned
ECS03
VPC02
Private: 192.168.0.25
Public: 47.XX.XX.55
The instances are used as clients to access the NLB instance.
ECS04
Private: 192.168.0.26
Public: 101.XX.XX.251
Step 1: Create a server group
Log on to the NLB console.
In the top navigation bar, select the region where you want to create a server group. In this example, China (Hangzhou) is selected.
-
In the left-side navigation pane, choose NLB > Server Groups.
On the Server Group page, click Create Server Group.
In the Create Server Group dialog box, set the following parameters and click Create.
The following table describes the key parameters for creating a server group. Use the default values for other parameters. For more information, see Create a server group.
Parameter
Description
Server Group Type
Specify a type of server group. In this example, Server is selected.
Server Group Name
Enter a name for the server group. In this example, RS01 is used.
VPC
Select a VPC from the drop-down list. In this example, VPC1 is selected. The server group must reside in the same VPC as ECS01 and ECS02.
Backend Server Protocol
Select a backend protocol. In this example, TCP is selected.
In the The server group is created dialog box, click Add Backend Server.
On the Backend Servers tab, click Add Backend Server.
In the Add Backend Server panel, select ECS01 and ECS02 and click Next.
Specify ports and weights for the backend servers and click OK. In this example, port 80 is specified and the default weight is used.
Step 2: Create an NLB instance and configure listeners
In the left-side navigation pane, choose . On the Instances page, click Create NLB.
On the Network Load Balancer (Pay-As-You-Go) page, set the following parameters.
The following table describes only some of the parameters. For more information about other parameters, see Create an instance.
Region: In this example, China (Hangzhou) is selected.
Network Type: In this example, Public is selected.
VPC: In this example, VPC01 is selected.
Click Buy Now and complete the payment.
Return to the Instances page, find the NLB instance that you created, and click the ID of the NLB instance.
Click the Listener tab. On the Listener tab, click Quick Create Listener. In the Quick Create Listener dialog box, set the following parameters to create a TCP listener that uses port 80 and click OK.
Parameter
Procedure
Listener Protocol
Select a listener protocol. In this example, TCP is selected.
Listener Port
In this example, port 80 is used.
Server Group
Select Server and select a server group from the drop-down list next to Server.
In this example, the server group created in Step 1: Create a server group is selected.
Check the accessibility of the NLB instance when the NLB instance is not added to a security group. The command
curl -s http://whatismyip.akamai.com/can be used to query the public IP address of the client which sends the request.Log on to ECS03. Run the following command to test whether ECS03 can access the NLB instance:
telnet Domain name 80.If you receive echo reply packets as shown in the following figure, ECS03 can access the NLB instance.
Log on to ECS04. Run the following command to test whether ECS04 can access the NLB instance:
telnet Domain name 80.If you receive echo reply packets as shown in the following figure, ECS04 can access the NLB instance.
The results show that before the NLB instance is added to a security group, ECS03 and ECS04 can access the NLB instance.
Step 3: Create a security group
Before you add your NLB instance to a security group, you must create a security group in the ECS console. This section describes how to create two security groups.
Security Group 1 as a blacklist
Add a Deny rule that denies access from specified IP addresses. In this example, a Deny rule that denies access from the public IP address 47.XX.XX.55 of ECS03 is created. You can keep the default security group rule. The following table describes the configurations of the rule.
Policy
Priority
Protocol
Port range
Authorization object
Deny
1
All
Destination: -1/-1
Source: 47.XX.XX.55
Security Group 2 as a whitelist
Add an Allow rule that allows access from specific IP addresses and a Deny rule that denies access from specific IP addresses. In this example, an Allow rule that allows access from the public IP address 47.XX.XX.55 of ECS03, and a Deny rule are created. The following table describes the configurations of the rules.
Policy
Priority
Protocol
Port range
Authorization object
Yes
1
All
Destination: -1/-1
Source: 47.XX.XX.55
Deny
100
All
Destination: -1/-1
Source: 0.0.0.0/0
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where you want to create a security group. In this example, China (Hangzhou) is selected.
On the Security Groups page, click Create Security Group.
On the Create Security Group page, set the parameters in the Basic Information section.
Specify the following parameters. For more information about other parameters, see Create a security group.
Network: In this example, VPC 1 is selected. The security group must reside in the same VPC as the NLB instance.
Security Group Type: In this example, Basic Security Group is selected.
On the Create Security Group page, set the parameters in the Rules section.
On the Inbound tab, click Add Rule to add rules based on the configurations of the rules in Security Group 1 and Security Group 2.
Click Create Security Group.
Step 4: Add the NLB instance to the security group and verify the result
Use Security Group 1 as a blacklist
Add the NLB instance to Security Group 1 created in Step 3, and test whether the rule in Security Group 1 takes effect on the NLB instance.
Log on to the NLB console.
In the top navigation bar, select the region where the NLB instance is deployed. In this example, China (Hangzhou) is selected.
In the left-side navigation pane, choose NLB > Instances. On the page that appears, find the NLB instance created in Step 2: Create an NLB instance and configure listeners and click the instance ID. On the instance details page, click the Security Groups tab.
On the Security Groups tab, click Create Security Group. In the Add NLB Instance to Security Group dialog box, select the security group created in Step 3 and click OK.
In the left-side panel, click the ID of the security group that you want to manage. You can click the Inbound Policies or Outbound Policies tab to view the security group rules.
The following table describes the parameters that are relevant to this topic.
Policy
Priority
Protocol
Port range
Authorization object
Deny
1
All
Destination: -1/-1Source: 47.XX.XX.55Test whether access to the NLB instance in the security group is denied. The command
curl -s http://whatismyip.akamai.comcan be used to query the public IP address of the client which sends requests.Log on to ECS03. Run the following command to test whether ECS03 can access the NLB instance:
telnet Domain name 80.If you receive echo reply packets as shown in the following figure, ECS04 failed to access the NLB instance.
Log on to ECS04. Run the following command to test whether ECS04 can access the NLB instance:
telnet Domain name 80.If you receive echo reply packets as shown in the following figure, ECS04 can access the NLB instance.
The results show that after the NLB instance is added to Security Group 1, IP addresses specified in the Deny rule can no longer access the NLB instance. IP address not specified in the Deny rule can access the NLB instance.
Use Security Group 2 as a whitelist
Add the NLB instance to Security Group 2 created in Step 3, and test whether the rules in Security Group 2 take effect on the NLB instance.
Log on to the NLB console.
In the top navigation bar, select the region where the NLB instance is deployed. In this example, China (Hangzhou) is selected.
In the left-side navigation pane, choose NLB > Instances. On the page that appears, find the NLB instance created in Step 2: Create an NLB instance and configure listeners and click the instance ID. On the instance details page, click the Security Groups tab.
On the Security Groups tab, click Create Security Group. In the Add NLB Instance to Security Group dialog box, select Security Group 2 created in Step 3 and click OK.
In the left-side panel, click the ID of the security group that you want to manage. You can click the Inbound Policies or Outbound Policies tab to view the security group rules.
Policy
Priority
Protocol
Port range
Authorization object
Yes
1
All
Destination: -1/-1
Source: 47.XX.XX.55
Deny
100
All
Destination: -1/-1
Source: 0.0.0.0/0
Test whether access to the NLB instance in the security group is denied. The command
curl -s http://whatismyip.akamai.comcan be used to query the public IP address of the client which sends requests.Log on to ECS03. Run the following command to test whether ECS03 can access the NLB instance:
telnet Domain name 80.If you receive echo reply packets as shown in the following figure, ECS04 can access the NLB instance.
Log on to ECS04. Run the command to test whether ECS04 can access the NLB instance:
telnet Domain name 80.If you receive echo reply packets as shown in the following figure, ECS04 failed to access the NLB instance.
The results show that after the NLB instance is added to Security Group 2, only IP addresses specified in the Allow rules of Security Group 2 can access the NLB instance.
References
For more information about how to add an NLB instance to and remove an NLB instance from a security group, see Add an NLB instance to a security group.
For more information about how to enable fine-grained access control based on listeners or ports, see Configure security groups for NLB instances.
For more information about security groups, see Security group.