Add an ALB instance to a security group - Server Load Balancer

Security groups are a type of virtual firewall that controls inbound and outbound network traffic to improve instance security. Security groups can detect and filter data packets and support IP address whitelists and blacklists at the same time. Security groups also support ICMP (IPv6). This topic describes the scenarios of and limits on adding ALB instances to security groups. This topic also describes how to add ALB instances to and remove ALB instances from security groups.

Scenarios

Application Load Balancer (ALB) instances created after security groups are supported by ALB allow you to use security groups to regulate access. ALB instances created before security groups are supported by ALB allow you to use access control lists (ACLs) to regulate access.

In the following scenarios, the ALB instance can be added to a security group.

Before the ALB instance is added to a security group, the listener ports of the ALB instance allow all requests by default.
After the ALB instance is added to a security group which does not contain Deny rules, the listener ports of the ALB instance allow all requests by default. If you want to allow requests only from specific IP addresses to your ALB instance, you must also create a Deny rule.

If your ALB instance has access control requirements and you want to control inbound traffic to the ALB instance, you can add the ALB instance to a security group and configure security group rules based on your business requirements.

Important

ALB outbound traffic refers to response packets that are returned to users. To ensure service continuity, ALB security groups do not block outbound packets. You do not need to create outbound rules.

Limits

Important

By default, security groups are unavailable. To use security groups, contact your account manager.

Category

Security group type

Description

Security groups supported by ALB

Basic security groups
Advanced security groups

The security group must be in a virtual private cloud (VPC), and the security group and ALB instance must be in the same VPC.
An ALB instance can be added to at most four security groups, which must be of the same type. The same ALB instance cannot be added to a basic security group and an advanced security group at the same time.
To add an ALB instance in a basic security group to an advanced security group, remove the ALB instance from the basic security group before you can add the ALB instance to an advanced security group. To add an ALB instance in an advanced security group, remove the ALB instance from all basic security groups first.

For more information about basic security groups and advanced security groups, see Basic security groups and advanced security groups.

Security groups not supported by ALB

Managed security group

For more information about managed security groups, see Managed security groups.

Prerequisites

An ALB instance is created and listeners are created for the ALB instance. For more information, see Create an ALB instance.
A security group is created and security group rules are added to the security group. For more information, see Create a security group and Add a security group rule.

Add the ALB instance to a security group

To allow or forbid an ALB instance to access the Internet or private networks, you can add the ALB instance to a security group.

Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance is deployed.
On the Instances page, click the ID of the ALB instance that you want to manage.
On the instance details page, click the Security Groups tab.
On the Security Groups tab, click Create Security Group. In the Add ALB Instance to Security Group dialog box, select one or more security groups and click OK.
An ALB instance can be added to at most four security groups. To create a security group, click Create Security Group from the Security Groups drop-down list. For more information, see Create a security group.
In the left-side navigation tree, click the ID of the security that you want to use and click the Inbound Policies or Outbound Policies tab to view the security group rules.
To modify an inbound security group rule, click the security group ID in the Basic Information section, or click ECS Console in the upper-right corner of the Security Groups tab. Then, you can modify the rule on the details page. For more information about how to modify security group rules in the Elastic Compute Service (ECS) console, see Modify a security group rule.

Remove an ALB instance from a security group

If an ALB instance no longer uses a security group, you can remove the ALB instance from the security group. You can remove an ALB instance only from one security group at a time.

Log on to the ALB console.
In the top navigation bar, select the region where the ALB instance is deployed.
On the Instances page, click the ID of the ALB instance that you want to manage. On the Instance Details page, click the Security Groups tab.
In the left-side navigation tree, click the security group ID and then click Remove in the upper-right corner.
In the Remove message, click OK.

References

For more information about security groups, see Security groups.

LoadBalancerJoinSecurityGroup: adds an ALB instance to a security group.

LoadBalancerLeaveSecurityGroup: removes an ALB instance from a security group.