To regulate access from requests, you can configure a security group to implement access control based on protocols, ports, and IP addresses. This topic describes how to add a Network Load Balancer (NLB) instance to and remove an NLB instance from a security group. This topic also describes the use scenarios of and limits on security groups.
Scenarios
Before an NLB instance is added to a security group, the listener ports of the NLB instance accept all requests by default.
After an NLB instance is added to a security group which does not contain any Deny rules, the listener ports of the NLB instance accept all requests by default. If you want to allow requests only from specific IP addresses to your NLB instance, you must create at least one Deny rule.
For more information about how to deny or allow requests from specific IP addresses to your NLB instance, see Use security groups as blacklists or whitelists.
For more information about how to configure access control based on protocols and ports, see Use security groups to implement fine-grained access control based on listeners and ports.
If your NLB instance has access control requirements and you want to control inbound traffic to the NLB instance, you can add the NLB instance to a security group and configure security group rules based on your business requirements.
The outbound traffic of an NLB instance refers to responses returned to user requests. To ensure that your service is not affected, NLB security groups do not limit outbound traffic. You do not need to configure outbound rules for security groups.
When an NLB instance is created, the system automatically creates a managed security group in the VPC where the NLB instance resides. This security group is controlled by the NLB instance, so you can view its details but cannot make changes to it. The managed security group includes the following types of security group rules:
Rules with priority 1: These rules allow the local IP addresses used by the NLB instance to enable communication between the instance and its backend servers, as well as for health checks.
We recommend not adding security group rules with priority 1 that deny the NLB instance's local IP addresses to avoid conflicts, as such conflicts may disrupt communication between the NLB instance and backend servers. You can log on to the NLB console to check the local IP addresses of your NLB instance.
Rules with priority 100: These rules allow all IP addresses. Without any configured deny rules, an NLB instance in this security group checks all requests using its listeners.
The default access control rules (which are invisible) of either a basic security group or advanced security group include a rule that denies all requests. In this case, the default allow rule in the managed security group for the NLB instance takes effect.
Limits
Item | Security group type | Description |
Security groups supported by NLB |
|
For more information about basic security groups and advanced security groups, see Basic security groups and advanced security groups. |
Security groups not supported by NLB | Managed security group | For more information about managed security groups, see Managed security groups. |
Prerequisites
An NLB instance is created and a listener is configured for the instance. For more information, see Create and manage an NLB instance.
A security group is created and security group rules are added. For more information, see Create a security group and Add a security group rule.
Add an instance to a security group
You can add an NLB instance to a security group to allow or forbid the NLB instance to communicate with the Internet or private networks.
- Log on to the NLB console.
In the top navigation bar, select the region in which the NLB instance is deployed.
On the Instances page, click the ID of the NLB instance that you want to manage. On the Instance Details tab, click the Security Groups tab.
On the Security Groups tab, click Create Security Group. In the Add NLB Instance to Security Group dialog box, select one or more security groups and click OK.
You can add an NLB instance to at most four security groups. To create a security group, click Create Security Group from the Security Groups drop-down list. For more information, see Create a security group.
In the left-side navigation pane, click the ID of the security group that you want to manage. You can click the Inbound Policies or Outbound Policies tab to view the security group rules.
To modify an inbound rule of a security group, click the security group ID in the Basic Information section, or click ECS Console in the upper-right corner of the Security Groups tab to go to the Security Group Rules page. For more information about how to modify security group rules in the Elastic Compute Service (ECS) console, see Modify a security group rule.
Remove an NLB instance from a security group
You can remove an NLB instance from a security group based on your business requirements. You cannot remove an NLB instance from multiple security groups at a time in the console.
- Log on to the NLB console.
In the top navigation bar, select the region in which the NLB instance is deployed.
On the Instances page, click the ID of the NLB instance that you want to manage. On the Instance Details tab, click the Security Groups tab.
On the Security Groups tab, click the ID of the security group that you want to manage and click Remove in the upper-right corner.
In the Remove message, click OK.
References
For information about security group types, such as managed security groups and advanced security groups, see Security group types.
For more information about how to configure fine-grained access control based on protocols and ports, see Use security groups to implement fine-grained access control based on listeners and ports.
For more information about how to deny or allow access from specific IP addresses to an NLB instance, see Use security groups as blacklists or whitelists.
LoadBalancerJoinSecurityGroup: adds an NLB instance to a security group.
LoadBalancerLeaveSecurityGroup: removes an NLB instance from a security group.