All Products
Search
Document Center

Server Load Balancer:Use security groups as blacklists or whitelists for ALB

Last Updated:Dec 10, 2024

A security group is a virtual firewall that controls inbound and outbound traffic of Application Load Balancer (ALB) based on inbound and outbound rules. To allow or reject access from specific IP addresses to an ALB instance, you can add the ALB instance to a security group. A security group can function as a blacklist or whitelist for an ALB instance. You can create security group rules to implement finer-grained access control.

Scenarios

  • Before the ALB instance is added to a security group, the listener ports of the ALB instance allow all requests by default.

  • After the ALB instance is added to a security group which does not contain Deny rules, the listener ports of the ALB instance allow all requests by default. If you want to allow requests only from specific IP addresses to your ALB instance, you must also create a Deny rule.

If you want to control inbound access to your ALB instance, you can add the ALB instance to a security group and configure security group rules based on your security requirements.

Important
  • ALB outbound traffic refers to response packets that are returned to users. To ensure service continuity, ALB security groups do not block outbound packets. You do not need to create outbound rules.

  • When you create a security group, we recommend that you do not add the local IP address of ALB to Deny rules whose priority is 1. Otherwise, the security group rules may conflict with the managed security groups of ALB and interrupt communication between ALB and backend servers. To view the local IP address of an ALB instance, log on to the ALB console and go to the details page of the ALB instance.

This topic describes how to use a security group as a blacklist and a whitelist in two scenarios. For more information about security group rule priorities, see Sorting policy of security group rules.

Blacklist: Configure the ALB security group to deny access from specific IP addresses

A company deployed businesses on ALB in a region of Alibaba Cloud. Security inspection detects malicious requests and attacks from an IP address, such as 121.XX.XX.12. Such behaviors can cause business risks and security risks such as data leaks.

To resolve this issue, the company can configure a security group rule for the ALB instance to deny access from specific IP addresses, such as 121.XX.XX.12. The security group rule can block malicious requests and attacks from specific IP addresses to improve business security and stability.

image

Whitelist: Configure the ALB security group to allow access from specific IP addresses

A company deployed businesses that contain sensitive data on ALB in a region of Alibaba Cloud. To restrict access to the ALB instance, the company can configure a security group rule to allow access only from specific IP addresses, such as 121.XX.XX.12. Requests from other IP addresses are rejected.

image

Limits

Important

By default, security groups are unavailable. To use security groups, contact your account manager.

Category

Security group type

Description

Security groups supported by ALB

  • Basic security groups

  • Advanced security groups

  • The security group must be in a virtual private cloud (VPC), and the security group and ALB instance must be in the same VPC.

  • An ALB instance can be added to at most four security groups, which must be of the same type. The same ALB instance cannot be added to a basic security group and an advanced security group at the same time.

    To add an ALB instance in a basic security group to an advanced security group, remove the ALB instance from the basic security group before you can add the ALB instance to an advanced security group. To add an ALB instance in an advanced security group, remove the ALB instance from all basic security groups first.

For more information about basic security groups and advanced security groups, see Basic security groups and advanced security groups.

Security groups not supported by ALB

Managed security group

For more information about managed security groups, see Managed security groups.

Prerequisites

  • A virtual private cloud (VPC) named VPC1 is created in the China (Hangzhou) region. A vSwitch named VSW1 is created in Zone H and another vSwitch named VSW2 is created in Zone I. For more information, see Create a VPC and a vSwitch.

  • Two Elastic Compute Service (ECS) instances are created in VSW1, and applications are deployed on ECS01 and ECS02.

    • For more information about how to create an ECS instance, see Create an instance by using the wizard.

    • The following commands show how to deploy applications on ECS01 and ECS02:

      Commands for deploying an application on ECS01

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World !  This is ECS01." > index.html

      Commands for deploying an application on ECS02

      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World !  This is ECS02." > index.html
  • A domain name is registered, and an Internet content provider (ICP) number is obtained for the domain name. For more information, see Register a domain name on Alibaba Cloud and Overview.

The following table describes the IP addresses of the clients and servers. The IP addresses are for reference only.

Category

IP

Description

ECS01 (server)

  • Private: 192.168.10.22

  • Public: not assigned

The backend servers of the ALB instance.

ECS02 (server)

  • Private: 192.168.10.35

  • Public: not assigned

Client03

Public: 121.XX.XX.12

The client that accesses the ALB instance.

Client04

Public: 121.XX.XX.45

Procedure

Step 1: Create a server group

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region in which you want to create a server group. In this example, China (Hangzhou) is selected.

  3. In the left-side navigation pane, choose ALB > Server Groups.

  4. On the Server Groups page, click Create Server Group.

  5. In the Create Server Group dialog box, configure the parameters and click Create.

    The following table describes the parameters that are relevant to this topic. You can use the default values for the other parameters. For more information, see Create and manage server groups.

    Parameter

    Description

    Server Group Type

    Specify a type of server group. In this example, Server is selected.

    Server Group Name

    Enter a name for the server group.

    VPC

    Select the VPC in which you want to create the server group. In this example, VPC1 is selected.

    Backend Server Protocol

    Select a backend protocol. HTTP is selected in this example.

    Scheduling Algorithm

    The scheduling algorithm. In this example, Weighted Round-robin is selected.

  6. In the The server group is created dialog box, click Add Backend Server.

  7. On the Backend Servers tab, click Add Backend Server.

  8. In the Add Backend Server panel, select ECS01 and ECS02 and click Next.

  9. Specify ports and weights for the backend servers and click OK.

Step 2: Create an ALB instance and add a listener

  1. Log on to the ALB console.
  2. On the Instances page, click Create ALB.

  3. On the buy page, configure the following parameters.

    The following table describes only some of the parameters. Other parameters use the default values. For more information, see Create an ALB instance.

    • Region: the region in which you want to create the ALB instance. In this example, China (Hangzhou) is selected.

    • Network Type: the network type of the ALB instance. In this example, Internet is selected.

    • VPC: the VPC in which you want to create the ALB instance. In this example, VPC1 is selected.

  4. Click Buy Now and complete the payment.

  5. Return to the Instances page and click the ID of the ALB instance.

  6. Click the Listener tab and then click Quick Create Listener.

  7. In the Quick Create Listener dialog box, configure the parameters and click OK. In this example, an HTTP listener that listens on port 80 is created. The following table describes the parameters.

    Parameter

    Description

    Listener Protocol

    Select a listener protocol. In this example, HTTP is selected.

    Listener Port

    Enter a listener port. In this example, port 80 is specified.

    Server Group

    Select Server Type and select a server group from the drop-down list next to Server Type. In this example, the server group created in Step 1 is selected.

Step 3: Configure a CNAME record

In actual business scenarios, we recommend that you use CNAME records to map custom domain names to the domain name of your ALB instance.

  1. In the left-side navigation pane, choose ALB > Instances.

  2. On the Instances page, copy the domain name of the ALB instance.

  3. Perform the following steps to create a CNAME record:

    Note

    If your domain name is not registered by using Alibaba Cloud Domains, you must add your domain name to Alibaba Cloud DNS before you can configure a DNS record. For more information, see Manage domain names.

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Authoritative DNS Resolution page, find your domain name and click DNS Settings in the Actions column.

    3. On the DNS Settings tab of the domain name details page, click Add DNS Record.

    4. In the Add DNS Record panel, configure the parameters and click OK. The following table describes the parameters.

      Parameter

      Description

      Record Type

      Select CNAME from the drop-down list.

      Hostname

      Enter the prefix of the domain name. In this example, @ is entered.

      Note

      If you use a root domain name, enter @.

      DNS Request Source

      Select Default.

      Record Value

      Enter the CNAME, which is the domain name of the ALB instance.

      TTL

      Select a time-to-live (TTL) value for the CNAME record to be cached on the DNS server. In this example, the default value is used.

Step 4: Create security groups

Create a security group in the ECS console. In this example, two security groups are created.

  • Use Security Group 1 as a blacklist

    Add a Deny rule that denies access from specified IP addresses. In this example, a security group that denies access from the public IP address 121.XX.XX.12 is created. You can retain the default security group rules.

    Action

    Priority

    Protocol Type

    Port Range

    Authorization Object

    Deny

    1

    All

    Destination: -1/-1

    Source: 121.XX.XX.12

  • Use Security Group 2 as a whitelist

    Add an Allow rule that allows access from specific IP addresses and a Deny rule that denies access from specific IP addresses. In this example, an Allow rule that allows access from the public IP address 121.XX.XX.12 and a Deny rule are created.

    Action

    Priority

    Protocol Type

    Port Range

    Authorization Object

    Allow

    1

    All

    Destination: -1/-1

    Source: 121.XX.XX.12

    Deny

    100

    All

    Destination: -1/-1

    Source: 0.0.0.0/0

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Security Groups.

  3. In the top navigation bar, select the region in which you want to create a security group. In this example, China (Hangzhou) is selected.

  4. On the Security Groups page, click Create Security Group.

  5. On the Create Security Group page, set the parameters in the Basic Information section.

    Specify the following parameters. For more information about other parameters, see Create a security group.

    • Network: In this example, VPC is selected.

    • Security Group Type: In this example, Basic Security Group is selected.

  6. On the Create Security Group page, set the parameters in the Access Rule section.

    1. On the Inbound tab, click Add Rule to add rules based on the configurations of the rules in Security Group 1 and Security Group 2.

    2. Click Create Security Group.

Step 5: Test access control before the ALB instance is added to a security group

Use Client03 and Client04 to test the availability of ECS01 and ECS02.

  1. Log on to Client03 and run the curl http://Domain name command. The following figure shows that the Hello World! This is ECS01. packet is returned. This packet indicates that Client03 can access the ALB instance.

    image

  2. Log on to Client04 and run the curl http://Domain name command. The following figure shows that the Hello World! This is ECS02. packet is returned, which indicates that Client04 can access the ALB instance.

    image

Step 6: Add the ALB instance to the security groups and verify the result

Use Security Group 1 as a blacklist

Add the ALB instance to Security Group 1 created in Step 4: Create a security group to test whether the rules in Security Group 1 take effect on the ALB instance.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region of the ALB instance. In this example, China (Hangzhou) is selected.

  3. On the ALB Instance page, click the ID of the ALB instance that you want to manage. On the Instance Details tab, click the Security Groups tab.

  4. On the Security Groups tab, click Create Security Group. In the Add ALB to Security Group dialog box, select Security Group 1 created in Step 4: Create security groups and click OK.

  5. In the left-side panel, click the ID of the security group that you want to manage. You can click the Inbound Policies or Outbound Policies tab to view the security group rules.

    The following table describes only parameters that are relevant to this topic.

    Action

    Priority

    Protocol Type

    Port Range

    Authorization Object

    Deny

    1

    All

    Destination: -1/-1

    Source: 121.XX.XX.12

  6. Add the ALB instance to the security group and test the result.

    1. Log on to Client03 and run the curl http://Domain name command. The following figure shows that the curl: (7) Failed connect to *********:80; Connection timed out packet is returned. This packet indicates that access from Client03 is denied by the ALB instance.

      image

    2. Log on to Client04 and run the curl http://Domain name command. The following figure shows that the Hello World! This is ECS01. packet is returned. This packet indicates that Client04 can access the ALB instance.

      image

The results show that after the ALB instance is added to Security Group 1 which functions as a blacklist, the Deny rule of Security Group 1 denies access from the specified IP address to the ALB instance. IP addresses that are not specified in the Deny rule can access the ALB instance.

Use Security Group 2 as a whitelist

Add the ALB instance to Security Group 2 created in Step 4: Create security groups and test whether the rules of Security Group 2 take effect on the ALB instance.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region of the ALB instance. In this example, China (Hangzhou) is selected.

  3. On the ALB Instance page, click the ID of the ALB instance that you want to manage. On the Instance Details tab, click the Security Groups tab.

  4. On the Security Groups tab, click Create Security Groups. In the Add ALB to Security Group dialog box, select Security Group 2 created in Step 4: Create security groups and click OK.

  5. In the left-side panel, click the ID of the security group that you want to manage. You can click the Inbound Policies or Outbound Policies tab to view the security group rules.

    The following table describes only parameters that are relevant to this topic.

    Action

    Priority

    Protocol Type

    Port Range

    Authorization Object

    Yes

    1

    All

    Destination: -1/-1

    Source: 121.XX.XX.12

    Deny

    100

    All

    Destination: -1/-1

    Source: All IPv4 Addresses (0.0.0.0/0)

  6. Add the ALB instance to the security group and test the result.

    1. Log on to Client03 and run the curl http://Domain name command. The following figure shows that the Hello World! This is ECS01. packet is returned. This packet indicates that Client03 can access the ALB instance.

      image

    2. Log on to Client04 and run the curl http://Domain name command. The following figure shows that the curl: (7) Failed connect to *********:80; Connection timed out packet is returned. This packet indicates that access from Client04 is denied by the ALB instance.

      image

The test results show that after the ALB instance is added to Security Group 2 which functions as a whitelist, only IP addresses in the Allow rule can access the ALB instance.

References