To secure your resources, you can use access control policies that regulate access to them and allow only authorized users through. This topic describes the access control features of Server Load Balancer (SLB).
Overview
SLB supports the following types of access control policies:
ACL
You can configure access control lists (ACLs) for listeners of Application Load Balancer (ALB) and Classic Load Balancer (CLB). You can create inbound rules to allow or deny requests from clients in a fine-grained manner. You can configure whitelists or blacklists for different listeners.
For more information, see Access control for ALB and Access control for CLB.
Security group
A security group is used as a virtual firewall to manage inbound traffic and outbound traffic and improve resource security. Security groups provide Stateful Packet Inspection (SPI) and packet filtering capabilities.
You can add ALB and Network Load Balancer (NLB) instances to security groups. If your ALB or NLB instance has access control requirements and you want to control inbound traffic to the ALB or NLB instance, you can add the ALB or NLB instance to a security group and configure security group rules based on your business requirements.
ACL
For ALB and CLB instances, you can configure whitelists or blacklists for different listeners:
As a blacklist: All requests from the IP addresses or CIDR blocks in the ACL are denied.
Applicable scenarios: Block all requests from specific IP addresses.
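The listener-level whitelist and blacklist behaviour described above, as an added example (not Alibaba Cloud's code): each listener carries its own ACL in one of the two modes, and a client IP is checked against the entries in that ACL. The listener names, CIDR entries and client addresses are constructed sample values.

```python
"""Listener-level ACL check for ALB/CLB, modelled after the whitelist and
blacklist behaviour described above. Added example, not Alibaba Cloud code;
the listener names, CIDR entries and client IPs are constructed sample values."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class ListenerAcl:
    """An ACL bound to one listener, used either as a whitelist or a blacklist."""
    mode: str                                         # "whitelist" or "blacklist"
    entries: List[str] = field(default_factory=list)  # IP addresses or CIDR blocks

    def __post_init__(self) -> None:
        if self.mode not in ("whitelist", "blacklist"):
            raise ValueError(f"unknown ACL mode: {self.mode}")
        # Parse once; a bare address becomes a /32 (IPv4) or /128 (IPv6) network.
        self.networks = [ipaddress.ip_network(e, strict=False) for e in self.entries]

    def contains(self, client_ip: str) -> bool:
        """True if the client address falls inside any ACL entry."""
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.networks)

    def allows(self, client_ip: str) -> bool:
        """Whitelist: only listed sources pass. Blacklist: listed sources are denied."""
        listed = self.contains(client_ip)
        return listed if self.mode == "whitelist" else not listed


# Constructed sample: one instance, a different ACL on each listener.
LISTENERS = {
    "https-443": ListenerAcl("whitelist", ["203.0.113.0/24", "198.51.100.7"]),
    "http-80": ListenerAcl("blacklist", ["192.0.2.0/24"]),
}


def check(listener: str, client_ip: str) -> bool:
    """Return True if the ACL on the given listener lets this client through."""
    return LISTENERS[listener].allows(client_ip)


def describe(listener: str, client_ip: str) -> str:
    """Human-readable verdict line for one client on one listener."""
    verdict = "ALLOW" if check(listener, client_ip) else "DENY"
    return f"{listener} ({LISTENERS[listener].mode}) client={client_ip} -> {verdict}"


if __name__ == "__main__":
    for name, ip in [("https-443", "203.0.113.9"), ("https-443", "192.0.2.5"),
                     ("http-80", "192.0.2.5"), ("http-80", "203.0.113.9")]:
        print(describe(name, ip))
```

The edge case `allows` makes explicit is worth checking before you attach an ACL: a whitelist with no entries denies every client, so binding an empty whitelist to a listener takes that listener offline for all sources, whereas an empty blacklist changes nothing.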
Security group
Before an ALB or NLB instance is added to a security group, the listener ports of the ALB or NLB instance accept all requests by default.
If your ALB or NLB instance has access control requirements and you want to control inbound traffic to the ALB or NLB instance, you can add the ALB or NLB instance to a security group and configure security group rules based on your business requirements.
The outbound traffic of an ALB or NLB instance refers to responses returned to user requests. To ensure that your service is not affected, ALB or NLB security groups do not limit outbound traffic. You do not need to configure outbound rules for security groups.
When an ALB or NLB instance is created, the system automatically creates a managed security group in the VPC where the ALB or NLB instance resides. This security group is controlled by the ALB or NLB instance, so you can view its details but cannot make changes to it. The managed security group includes the following types of security group rules:
Rules with priority 1: These rules allow traffic from the local IP addresses used by the ALB or NLB instance, which is required for communication between the instance and its backend servers and for health checks.
We recommend that you do not add security group rules with priority 1 that deny the local IP addresses of the ALB or NLB instance. Such rules conflict with the managed allow rules and may disrupt communication between the instance and its backend servers. You can log on to the ALB console or NLB console to check the local IP addresses of your ALB or NLB instance.
Rules with priority 100: These rules allow all IP addresses. If you do not add any deny rules, an ALB or NLB instance in this security group accepts all requests on its listeners.
Both basic and advanced security groups contain an invisible default rule that denies all requests. In the managed security group of an ALB or NLB instance, the default allow rule described above takes effect instead.
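The rule evaluation described in this section, as an added example (not Alibaba Cloud's code): a managed security group with priority-1 allow rules for the instance's local IP addresses and a priority-100 allow-all rule, an invisible default deny for anything unmatched, and a check for the conflict the recommendation above warns about. Two things are assumptions, not taken from the page: rules that share a priority are resolved deny-before-allow, and `LOCAL_IPS` holds placeholder addresses rather than the real local IP addresses of any instance.

```python
"""Model of inbound security group rule evaluation for an ALB or NLB instance:
rules are evaluated in priority order (1 = highest), the first matching rule
decides, and an unmatched request hits the invisible default deny.
Added example, not Alibaba Cloud code. Assumptions: two rules with the same
priority are resolved deny-before-allow, and LOCAL_IPS holds placeholder values,
not the real local IP addresses of any instance (read those from the console)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    priority: int                # 1..100, lower number is evaluated first
    action: str                  # "allow" or "deny"
    source: str                  # IP address or CIDR block of the client
    port: Optional[int] = None   # None means all ports

    def covers(self, client_ip: str) -> bool:
        """True if the rule's source range contains this address (ports ignored)."""
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(self.source, strict=False)

    def matches(self, client_ip: str, port: int) -> bool:
        """True if both the source range and the port of this rule match the request."""
        return self.covers(client_ip) and (self.port is None or self.port == port)


# Placeholder local IPs of the instance (constructed, not real addresses).
LOCAL_IPS = ["10.0.1.10", "10.0.1.11"]


def managed_rules() -> List[Rule]:
    """The rules the page says the system places in the managed security group."""
    return [Rule(1, "allow", ip) for ip in LOCAL_IPS] + [Rule(100, "allow", "0.0.0.0/0")]


def evaluate(rules: List[Rule], client_ip: str, port: int) -> Tuple[bool, Optional[Rule]]:
    """Return (allowed, deciding rule). (False, None) means the default deny applied."""
    # Highest priority first; at equal priority a deny is checked before an allow (assumption).
    ordered = sorted(rules, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if rule.matches(client_ip, port):
            return rule.action == "allow", rule
    return False, None


def conflicts_with_local_ips(rules: List[Rule]) -> List[Rule]:
    """Deny rules that would block the instance's own local IPs, the conflict the page warns about."""
    return [r for r in rules if r.action == "deny" and any(r.covers(ip) for ip in LOCAL_IPS)]


if __name__ == "__main__":
    # Operator adds one deny rule for a client range; everything else still passes.
    rules = managed_rules() + [Rule(50, "deny", "192.0.2.0/24")]
    for ip, port in [("192.0.2.9", 443), ("203.0.113.5", 443), (LOCAL_IPS[0], 8080)]:
        allowed, rule = evaluate(rules, ip, port)
        print(f"{ip}:{port} -> {'allow' if allowed else 'deny'} via {rule}")
    # A priority-1 deny covering the local IPs is exactly what the page says not to add.
    bad = managed_rules() + [Rule(1, "deny", "10.0.1.0/24")]
    print("conflicting rules:", conflicts_with_local_ips(bad))
```

Running `conflicts_with_local_ips` against a proposed rule set before applying it is the cheap check that catches the health-check outage the page describes; with the real local IP addresses from the console substituted for the placeholders, it flags any deny rule whose range swallows them, whatever its priority.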