Security risks exist in specific operations when you use Server Load Balancer (CLB) in SAE. For example, security risks may occur when you use the CLB console or OpenAPI Explorer but do not use the SAE console to configure CLB instances and custom settings, such as change the name of a listener, change the name of the backend server group, or add additional server groups. This topic describes the custom settings that you can configure when you use CLB in SAE.
Overview of CLB configuration
SAE provides the fully managed configuration of CLB to help you configure CLB instance listeners and maintain the validity of the CLB configuration during application deployment, restart, and instance scale-in and scale-out. If you modify the CLB configuration in the CLB console, SAE considers the operation an interruption. In this case, SAE no longer configures subsequent settings or overwrites the settings that you configured in the CLB console. In some cases, unexpected behavior may occur. We recommend that you allow SAE to fully manage and configure CLB instance listeners when you use SAE.
In the CLB console, you can configure the settings that are not supported in SAE. However, limits still exist. For more information, see CLB instances that are purchased by using SAE and CLB instances that are hosted by SAE.
CLB instances that are purchased by using SAE
The information of an CLB instance that is purchased by using SAE starts with sae.do.not.delete.
If you delete the application to which an CLB instance purchased by using SAE is bound or unbind the CLB instance from the application, the CLB instance is released and cannot be restored. We recommend that you do not manually manage this type of CLB instances. If you have special requirements, see CLB instances that are hosted by SAE.
Other cloud services cannot manage this type of CLB instances.
CLB instances that are hosted by SAE
CLB instances that are hosted by SAE are purchased by users in the CLB console. These CLB instances are managed by SAE. In most cases, an application can manage only one listener. You can configure the listeners that you create based on your business requirements. All configurations are valid. For example, you can create a listener and forward traffic to a listener that is hosted by SAE or a virtual backend server group that is created by SAE. If you want to modify the listener and the associated virtual backend server group that are created by SAE, you must check the validity of the operations that you want to perform. The following table describes the validity of different operations.
Type | Item | Validity |
Instance | Instance name | Y |
Instance tag | Do not perform the following operations:
| |
Elastic IP address (EIP) binding | Y | |
Change specifications | Y | |
Bandwidth | Y | |
Listener | Listener name | N |
Bandwidth | Y | |
Scheduling algorithm | Y | |
vServer group ID | N | |
Access control | Y | |
x-forward-for request field | Y | |
Gzip compression | Y | |
Session persistence | Y | |
Health check | Y | |
Timeout period | Y | |
Certificate configuration | N | |
vServer group | Name | N |
Backend server (weight, instance, and port) | N |