
Server Load Balancer: Add an ALB instance to a security group

Last Updated: Dec 09, 2024

Security groups are a type of virtual firewall that controls inbound and outbound network traffic to improve instance security. Security groups can detect and filter data packets and support IP address whitelists and blacklists at the same time. Security groups also support ICMP (IPv6). This topic describes the scenarios of and limits on adding ALB instances to security groups. This topic also describes how to add ALB instances to and remove ALB instances from security groups.

Scenarios

Application Load Balancer (ALB) instances created after ALB began to support security groups can use either security groups or access control lists (ACLs) to regulate access. ALB instances created before ALB began to support security groups can use only ACLs to regulate access.

In the following scenarios, the ALB instance can be added to a security group.

  • Before the ALB instance is added to a security group, the listener ports of the ALB instance allow all requests by default.

  • After the ALB instance is added to a security group which does not contain Deny rules, the listener ports of the ALB instance allow all requests by default. If you want to allow requests only from specific IP addresses to your ALB instance, you must also create a Deny rule.

If your ALB instance has access control requirements and you want to control inbound traffic to the ALB instance, you can add the ALB instance to a security group and configure security group rules based on your business requirements.

Important
  • ALB outbound traffic refers to response packets that are returned to users. To ensure service continuity, ALB security groups do not block outbound packets. You do not need to create outbound rules.

  • When you create a security group, we recommend that you do not add the local IP address of ALB to Deny rules whose priority is 1. Otherwise, the security group rules may conflict with the managed security groups of ALB and interrupt communication between ALB and backend servers. To view the local IP address of an ALB instance, log on to the ALB console and go to the details page of the ALB instance.
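The following Python sketch models the two pitfalls described above: an allowlist with no Deny rule, and a priority-1 Deny rule that covers the ALB local IP address. It is an added example, not Alibaba Cloud code or an ALB API. It assumes that a lower priority number wins and that Deny wins a tie, and it treats a priority-1 Deny rule whose CIDR block covers the local IP address as the case the page warns about. `Rule`, `evaluate`, `audit` and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    policy: str    # "allow" or "deny"
    priority: int  # assumption: 1 is the highest priority
    cidr: str      # source range, IPv4 or IPv6
    port: int      # ALB listener port the rule applies to

def evaluate(rules, src_ip, port):
    """Decide an inbound request in this simplified model."""
    ip = ipaddress.ip_address(src_ip)
    hits = [r for r in rules
            if r.port == port and ip in ipaddress.ip_network(r.cidr)]
    if not hits:
        return "allow"  # per the page: no matching Deny rule means allowed
    # Lowest priority number wins; Deny wins a tie (assumption).
    return min(hits, key=lambda r: (r.priority, r.policy != "deny")).policy

def audit(rules, alb_local_ips):
    """Return findings for the two pitfalls the page describes."""
    findings = []
    if any(r.policy == "allow" for r in rules) and \
       not any(r.policy == "deny" for r in rules):
        findings.append("no-deny-rule")
    for r in rules:
        net = ipaddress.ip_network(r.cidr)
        if r.policy == "deny" and r.priority == 1 and \
           any(ipaddress.ip_address(ip) in net for ip in alb_local_ips):
            findings.append("priority-1-deny-covers-alb-local-ip")
    return findings

# Constructed sample data (documentation address ranges).
ALB_LOCAL_IPS = ["10.0.0.12"]
ALLOW_ONLY = [Rule("allow", 1, "203.0.113.0/24", 443)]
ALLOWLIST = ALLOW_ONLY + [Rule("deny", 100, "0.0.0.0/0", 443),
                          Rule("deny", 100, "::/0", 443)]
RISKY = [Rule("allow", 2, "203.0.113.0/24", 443),
         Rule("deny", 1, "0.0.0.0/0", 443)]

if __name__ == "__main__":
    for name, rules in [("allow-only", ALLOW_ONLY), ("allowlist", ALLOWLIST),
                        ("risky", RISKY)]:
        print(name, evaluate(rules, "198.51.100.7", 443),
              audit(rules, ALB_LOCAL_IPS))
```

In this model, an IPv4-only catch-all Deny rule leaves IPv6 sources on the default-allow path, which is why the sample allowlist carries a Deny rule for each address family.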

Limits

Important

By default, security groups are unavailable. To use security groups, contact your account manager.

Category: Security groups supported by ALB

Security group type:

  • Basic security groups

  • Advanced security groups

Description:

  • The security group must be in a virtual private cloud (VPC), and the security group and ALB instance must be in the same VPC.

  • An ALB instance can be added to at most four security groups, which must be of the same type. The same ALB instance cannot be added to a basic security group and an advanced security group at the same time.

    To move an ALB instance from a basic security group to an advanced security group, first remove the ALB instance from the basic security group, and then add it to the advanced security group. To add an ALB instance to an advanced security group, first remove it from all basic security groups.

For more information about basic security groups and advanced security groups, see Basic security groups and advanced security groups.

Category: Security groups not supported by ALB

Security group type: Managed security group

Description: For more information about managed security groups, see Managed security groups.

Feature comparison

Both ACLs and security groups regulate access by configuring IP address blacklists and whitelists. The following table compares the two features:

| Item | ACL | Security group |
| --- | --- | --- |
| Can be configured for | Listeners. | Instances. Listeners. Access control can be configured based on listeners and ports. |
| Blacklist and whitelist | You can configure either whitelists or blacklists for a listener. | You can configure both blacklists and whitelists for an instance or a listener. |
| IP version | Supports IPv4 addresses. | Supports both IPv4 and IPv6 addresses. |
| Limits | For ACL limits, see Limits. | For security group limits, see Limits. |

Prerequisites

Add the ALB instance to a security group

To allow or forbid an ALB instance to access the Internet or private networks, you can add the ALB instance to a security group.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.

  3. On the Instances page, click the ID of the ALB instance that you want to manage.

  4. On the instance details page, click the Security Groups tab.

  5. On the Security Groups tab, click Create Security Group. In the Add ALB Instance to Security Group dialog box, select one or more security groups and click OK.

    An ALB instance can be added to at most four security groups. To create a security group, click Create Security Group from the Security Groups drop-down list. For more information, see Create a security group.

  6. In the left-side navigation tree, click the ID of the security group that you want to use and click the Inbound Policies or Outbound Policies tab to view the security group rules.

    To modify an inbound security group rule, click the security group ID in the Basic Information section, or click ECS Console in the upper-right corner of the Security Groups tab. Then, you can modify the rule on the details page. For more information about how to modify security group rules in the Elastic Compute Service (ECS) console, see Modify a security group rule.

Remove an ALB instance from a security group

If an ALB instance no longer uses a security group, you can remove the ALB instance from the security group. You can remove an ALB instance from only one security group at a time.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.

  3. On the Instances page, click the ID of the ALB instance that you want to manage. On the Instance Details page, click the Security Groups tab.

  4. In the left-side navigation tree, click the security group ID and then click Remove in the upper-right corner.

  5. In the Remove message, click OK.
