To control inbound requests, you can configure a security group to implement access control based on protocols, ports, and IP addresses. This topic describes how to add a Network Load Balancer (NLB) instance to a security group and how to remove it from one. It also describes the scenarios in which security groups are used and the limits that apply.
Scenarios
Before an NLB instance is added to a security group, the listener ports of the NLB instance accept all requests by default.
After an NLB instance is added to a security group that does not contain Deny rules, the listener ports of the NLB instance still accept all requests by default. If you want to allow requests only from specific IP addresses to your NLB instance, you must also create a Deny rule.
For more information about how to deny or allow requests from specific IP addresses to your NLB instance, see Use security groups as blacklists or whitelists.
For more information about how to configure access control based on protocols and ports, see Use security groups to implement fine-grained access control based on listeners and ports.
If your NLB instance has access control requirements and you want to control inbound traffic to the NLB instance, you can add the NLB instance to a security group and configure security group rules based on your business requirements.
The outbound traffic of an NLB instance refers to responses returned to user requests. To ensure that your service is not affected, NLB security groups do not limit outbound traffic. You do not need to configure outbound rules for security groups.
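The default-accept behavior described in this section can be checked against a rule set before it is applied. The following Python sketch is an added example, not Alibaba Cloud code: the `Rule` fields, the evaluation order (lower priority number first, Deny before Allow on a tie), and all addresses and rules are constructed assumptions; only the "no matching rule means the request is accepted" default comes from this topic.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    policy: str    # "allow" or "deny"
    protocol: str  # "tcp", "udp" or "all"
    ports: range   # listener ports the rule covers
    source: str    # source CIDR block
    priority: int  # assumed: a lower number is evaluated first

def evaluate(rules, src_ip, protocol, port):
    """Return 'allow' or 'deny' for one inbound request to a listener port."""
    ip = ipaddress.ip_address(src_ip)
    # Assumed ordering: ascending priority, Deny before Allow on a tie.
    for r in sorted(rules, key=lambda r: (r.priority, r.policy != "deny")):
        if (r.protocol in ("all", protocol) and port in r.ports
                and ip in ipaddress.ip_network(r.source)):
            return r.policy
    return "allow"  # no rule matched: the listener port accepts the request

def allowlist_gaps(rules, trusted_cidrs, protocol, port, probes):
    """Return probe IPs outside the trusted ranges that still reach the listener."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return [p for p in probes
            if not any(ipaddress.ip_address(p) in n for n in trusted)
            and evaluate(rules, p, protocol, port) == "allow"]

# Constructed sample data (documentation address ranges).
TRUSTED = ["203.0.113.0/24"]
PROBES = ["203.0.113.10", "198.51.100.7", "192.0.2.55"]
ALLOW_ONLY = [Rule("allow", "tcp", range(443, 444), "203.0.113.0/24", 1)]
WITH_DENY = ALLOW_ONLY + [Rule("deny", "all", range(1, 65536), "0.0.0.0/0", 100)]

if __name__ == "__main__":
    # Allow rule alone: untrusted sources fall through to the default accept.
    print("allow only:", allowlist_gaps(ALLOW_ONLY, TRUSTED, "tcp", 443, PROBES))
    # Allow rule plus a lower-precedence catch-all Deny: no gaps remain.
    print("with deny: ", allowlist_gaps(WITH_DENY, TRUSTED, "tcp", 443, PROBES))
```

A non-empty result means the Allow rule is not acting as a whitelist, which is the situation the Deny rule requirement above addresses.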
Limits
Item | Security group type | Description |
Security groups supported by NLB | | For more information about basic security groups and advanced security groups, see Basic security groups and advanced security groups. |
Security groups not supported by NLB | Managed security group | For more information about managed security groups, see Managed security groups. |
Prerequisites
An NLB instance is created and a listener is configured for the instance. For more information, see Create and manage an NLB instance.
A security group is created and security group rules are added. For more information, see Create a security group and Add a security group rule.
Add an instance to a security group
You can add an NLB instance to a security group to allow or deny communication between the NLB instance and the Internet or private networks.
- Log on to the NLB console.
- In the top navigation bar, select the region in which the NLB instance is deployed.
- On the Instances page, click the ID of the NLB instance that you want to manage. On the Instance Details tab, click the Security Groups tab.
- On the Security Groups tab, click Create Security Group. In the Add NLB Instance to Security Group dialog box, select one or more security groups and click OK.
  You can add an NLB instance to at most four security groups. To create a security group, click Create Security Group from the Security Groups drop-down list. For more information, see Create a security group.
- In the left-side navigation pane, click the ID of the security group that you want to manage. You can click the Inbound Policies or Outbound Policies tab to view the security group rules.
  To modify an inbound rule of a security group, click the security group ID in the Basic Information section, or click ECS Console in the upper-right corner of the Security Groups tab to go to the Security Group Rules page. For more information about how to modify security group rules in the Elastic Compute Service (ECS) console, see Modify a security group rule.
Remove an NLB instance from a security group
You can remove an NLB instance from a security group based on your business requirements. You cannot remove an NLB instance from multiple security groups at a time in the console.
- Log on to the NLB console.
- In the top navigation bar, select the region in which the NLB instance is deployed.
- On the Instances page, click the ID of the NLB instance that you want to manage. On the Instance Details tab, click the Security Groups tab.
- On the Security Groups tab, click the ID of the security group that you want to manage and click Remove in the upper-right corner.
- In the Remove message, click OK.
References
For more information about security groups, see Security groups.
For more information about how to configure fine-grained access control based on protocols and ports, see Use security groups to implement fine-grained access control based on listeners and ports.
For more information about how to deny or allow access from specific IP addresses to an NLB instance, see Use security groups as blacklists or whitelists.
LoadBalancerJoinSecurityGroup: adds an NLB instance to a security group.
LoadBalancerLeaveSecurityGroup: removes an NLB instance from a security group.