To secure your resources, you can use access control policies to allow only authorized users to access them. This topic describes the access control feature of Server Load Balancer (SLB).
SLB supports the following types of access control policies:
- Access control lists (ACLs): You can configure ACLs for listeners of Application Load Balancer (ALB) and Classic Load Balancer (CLB). You can create inbound rules to allow or deny requests from clients in a fine-grained manner. You can configure whitelists or blacklists for different listeners.
- Security groups: A security group is used as a virtual firewall to manage inbound traffic and outbound traffic and improve resource security. Security groups provide Stateful Packet Inspection (SPI) and packet filtering capabilities.
  You can add Network Load Balancer (NLB) instances to security groups. If your NLB instance has access control requirements and you want to control inbound traffic to the NLB instance, you can add the NLB instance to a security group and configure security group rules based on your business requirements.
For ALB and CLB instances, you can configure whitelists or blacklists for different listeners:
- A whitelist is used for scenarios in which you want to allow access only from specific IP addresses or CIDR blocks.
  Your service may be adversely affected if the whitelist is not properly configured. If a whitelist is configured for a listener, only requests from IP addresses that are added to the whitelist are forwarded by the listener. If you enable a whitelist but do not add an IP address to the whitelist, the listener forwards all requests.
- A blacklist is used for scenarios in which you want to deny access from specific IP addresses or CIDR blocks.
  If a blacklist is configured for a listener but no IP addresses are added to the blacklist, the listener forwards all requests.
If an NLB instance is not added to a security group, all requests are allowed on the listening port of the NLB instance by default.
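The cases above in which all requests are forwarded (an enabled but empty whitelist or blacklist, and an NLB instance that is not in a security group) are easy to miss in a configuration review. The following added example, which is not part of the original documentation, models the listener decision described above and audits an inventory for those cases. The dictionary layout and field names are hypothetical, not an SLB API schema, and the sample inventory is constructed.

```python
import ipaddress

def listener_forwards(acl_type, entries, client_ip):
    """Return True if a listener forwards the request, per the rules above.

    acl_type is "white", "black" or None (access control disabled).
    entries is a list of IP addresses or CIDR blocks.
    """
    if acl_type is None or not entries:
        return True  # no ACL, or an empty whitelist/blacklist: forwards all
    ip = ipaddress.ip_address(client_ip)
    matched = any(ip in ipaddress.ip_network(e, strict=False) for e in entries)
    return matched if acl_type == "white" else not matched

def audit(inventory):
    """List configurations that allow all traffic despite looking restricted."""
    findings = []
    for res in inventory:
        if res["kind"] in ("ALB", "CLB"):
            for lst in res["listeners"]:
                if lst["acl_type"] and not lst["entries"]:
                    findings.append((res["name"], lst["port"],
                                     f"{lst['acl_type']}list is empty: forwards all requests"))
        elif res["kind"] == "NLB" and not res["security_groups"]:
            findings.append((res["name"], None,
                             "not in a security group: all requests allowed"))
    return findings

# Constructed sample inventory; field names are hypothetical, not an SLB API schema.
SAMPLE = [
    {"kind": "ALB", "name": "alb-web", "listeners": [
        {"port": 443, "acl_type": "white", "entries": ["203.0.113.0/24"]},
        {"port": 8443, "acl_type": "white", "entries": []},
    ]},
    {"kind": "CLB", "name": "clb-api", "listeners": [
        {"port": 80, "acl_type": "black", "entries": ["198.51.100.7"]},
    ]},
    {"kind": "NLB", "name": "nlb-tcp", "security_groups": []},
]

if __name__ == "__main__":
    for name, port, issue in audit(SAMPLE):
        print(name, port, issue)
```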
For more information about how to add an NLB instance to a security group, see the following topics: