
Server Load Balancer: Add an NLB instance to a security group

Last Updated: Mar 31, 2025

To control which requests can reach a Network Load Balancer (NLB) instance, you can configure a security group to implement access control based on protocols, ports, and IP addresses. This topic describes how to add an NLB instance to a security group and how to remove an NLB instance from a security group. It also describes the use scenarios of and limits on security groups.

Scenarios

  • Before an NLB instance is added to a security group, the listener ports of the NLB instance accept all requests by default.

  • After an NLB instance is added to a security group that does not contain any Deny rules, the listener ports of the NLB instance still accept all requests by default. If you want to allow requests only from specific IP addresses to your NLB instance, you must create at least one Deny rule.

  • For more information about how to deny or allow requests from specific IP addresses to your NLB instance, see Use security groups as blacklists or whitelists.

  • For more information about how to configure access control based on protocols and ports, see Use security groups to implement fine-grained access control based on listeners and ports.

If your NLB instance has access control requirements and you want to control inbound traffic to the NLB instance, you can add the NLB instance to a security group and configure security group rules based on your business requirements.

Important
  • The outbound traffic of an NLB instance refers to responses returned to user requests. To ensure that your service is not affected, NLB security groups do not limit outbound traffic. You do not need to configure outbound rules for security groups.

  • When an NLB instance is created, the system automatically creates a managed security group in the VPC where the NLB instance resides. This security group is controlled by the NLB instance, so you can view its details but cannot make changes to it. The managed security group includes the following types of security group rules:

    • Rules with priority 1: These rules allow the local IP addresses of the NLB instance, which the instance uses to communicate with its backend servers and to perform health checks.

      To avoid conflicts, we recommend that you do not add security group rules with priority 1 that deny the local IP addresses of the NLB instance. Such conflicts may disrupt communication between the NLB instance and its backend servers. You can log on to the NLB console to check the local IP addresses of your NLB instance.

    • Rules with priority 100: These rules allow all IP addresses. Without any configured deny rules, an NLB instance in this security group checks all requests using its listeners.

    • The default access control rules (which are invisible) of either a basic security group or advanced security group include a rule that denies all requests. In this case, the default allow rule in the managed security group for the NLB instance takes effect.
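
The rule interaction described above can be modeled before a change is applied. The following Python sketch is an added example, not part of the original page or of Alibaba Cloud's code: it evaluates a source address against user rules plus the managed rules listed above, and flags priority 1 Deny rules that overlap the NLB local IP addresses. The evaluation order (lower priority number first, Deny before Allow at equal priority), the names used, and all IP addresses are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int          # 1 (highest) to 100 (lowest)
    action: str            # "allow" or "deny"
    cidr: str              # source address range
    origin: str = "user"   # "user" or "managed"

# Constructed sample values standing in for the local IPs shown in the NLB console.
NLB_LOCAL_IPS = ["192.168.0.10/32", "192.168.1.10/32"]

def managed_rules(local_ips):
    """Rules the page attributes to the managed security group."""
    rules = [Rule(1, "allow", ip, "managed") for ip in local_ips]
    rules.append(Rule(100, "allow", "0.0.0.0/0", "managed"))
    return rules

def evaluate(source_ip, user_rules, local_ips=NLB_LOCAL_IPS):
    """Return 'allow' or 'deny' for an inbound source address."""
    src = ipaddress.ip_address(source_ip)
    merged = list(user_rules) + managed_rules(local_ips)
    # Assumed ordering: lower priority number first, Deny before Allow on a tie.
    merged.sort(key=lambda r: (r.priority, r.action != "deny"))
    for rule in merged:
        if src in ipaddress.ip_network(rule.cidr):
            return rule.action
    return "deny"  # invisible default rule that denies all requests

def conflicting_denies(user_rules, local_ips=NLB_LOCAL_IPS):
    """User Deny rules at priority 1 that overlap an NLB local IP address."""
    hits = []
    for rule in user_rules:
        if rule.action == "deny" and rule.priority == 1:
            net = ipaddress.ip_network(rule.cidr)
            if any(net.overlaps(ipaddress.ip_network(ip)) for ip in local_ips):
                hits.append(rule)
    return hits

# Constructed rule sets: a whitelist that keeps health checks working,
# and a rule set that collides with the managed priority 1 rules.
WHITELIST = [Rule(1, "allow", "203.0.113.0/24"), Rule(2, "deny", "0.0.0.0/0")]
BROKEN = [Rule(1, "deny", "192.168.0.0/16")]
```

Running `conflicting_denies` over a proposed rule set before applying it surfaces the conflict the recommendation above warns about.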

Limits

Item: Security groups supported by NLB

  Security group type:

  • Common security group

  • Enterprise security group

  Description:

  • The security group and the NLB instance must belong to the same virtual private cloud (VPC).

  • You can add an NLB instance to up to four security groups. The security groups to which an NLB instance is added must be of the same type.

    If an NLB instance is added to a basic security group and you want to add the instance to an advanced security group, you must remove the NLB instance from the basic security group. If an NLB instance is added to an advanced security group and you want to add the instance to a basic security group, you must remove the NLB instance from the advanced security group.

  • NLB instances created before September 30, 2022 during the public preview cannot be added to security groups. To use security groups, replace the NLB instances or purchase new NLB instances.

  For more information about basic security groups and advanced security groups, see Basic security groups and advanced security groups.

Item: Security groups not supported by NLB

  Security group type: Managed security group

  Description: For more information about managed security groups, see Managed security groups.

Prerequisites

Add an instance to a security group

You can add an NLB instance to a security group to allow or forbid the NLB instance to communicate with the Internet or private networks.

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region in which the NLB instance is deployed.

  3. On the Instances page, click the ID of the NLB instance that you want to manage. On the Instance Details tab, click the Security Groups tab.

  4. On the Security Groups tab, click Create Security Group. In the Add NLB Instance to Security Group dialog box, select one or more security groups and click OK.

    You can add an NLB instance to at most four security groups. To create a security group, click Create Security Group from the Security Groups drop-down list. For more information, see Create a security group.

  5. In the left-side navigation pane, click the ID of the security group that you want to manage. You can click the Inbound Policies or Outbound Policies tab to view the security group rules.

    To modify an inbound rule of a security group, click the security group ID in the Basic Information section, or click ECS Console in the upper-right corner of the Security Groups tab to go to the Security Group Rules page. For more information about how to modify security group rules in the Elastic Compute Service (ECS) console, see Modify a security group rule.

Remove an NLB instance from a security group

You can remove an NLB instance from a security group based on your business requirements. You cannot remove an NLB instance from multiple security groups at a time in the console.

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region in which the NLB instance is deployed.

  3. On the Instances page, click the ID of the NLB instance that you want to manage. On the Instance Details tab, click the Security Groups tab.

  4. On the Security Groups tab, click the ID of the security group that you want to manage and click Remove in the upper-right corner.

  5. In the Remove message, click OK.
