Security groups are a type of virtual firewall that controls inbound and outbound network traffic to improve instance security. Security groups can detect and filter data packets and support IP address whitelists and blacklists at the same time. Security groups also support ICMP (IPv6). This topic describes the scenarios of and limits on adding ALB instances to security groups. This topic also describes how to add ALB instances to and remove ALB instances from security groups.
Scenarios
Application Load Balancer (ALB) instances created after security groups are supported by ALB allow you to use security groups or access control lists (ACLs) to regulate access. ALB instances created before security groups are supported by ALB allow you to use only ACLs to regulate access.
In the following scenarios, the ALB instance can be added to a security group.
Before the ALB instance is added to a security group, the listener ports of the ALB instance allow all requests by default.
After the ALB instance is added to a security group which does not contain Deny rules, the listener ports of the ALB instance allow all requests by default. If you want to allow requests only from specific IP addresses to your ALB instance, you must also create a Deny rule.
For more information about how to allow or deny access from specific IP addresses, see Use security groups as blacklists or whitelists.
For more information about how to configure access control based on protocols and ports, see Configure access control based on listeners and ports by using security groups.
If your ALB instance has access control requirements and you want to control inbound traffic to the ALB instance, you can add the ALB instance to a security group and configure security group rules based on your business requirements.
ALB outbound traffic refers to response packets that are returned to users. To ensure service continuity, ALB security groups do not block outbound packets. You do not need to create outbound rules.
When you create a security group, we recommend that you do not add the local IP address of ALB to Deny rules whose priority is 1. Otherwise, the security group rules may conflict with the managed security groups of ALB and interrupt communication between ALB and backend servers. To view the local IP address of an ALB instance, log on to the ALB console and go to the details page of the ALB instance.
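The following Python is an added example, not part of this documentation or Alibaba Cloud's own code. It models the inbound semantics this section describes (listener ports allow by default, a whitelist needs a Deny rule, response packets are never blocked) and flags the two warnings above; it assumes the ECS rule-priority convention (1 is highest, Deny wins at equal priority), and the CIDRs and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    priority: int   # 1..100; smaller number wins (ECS convention, assumed here)
    action: str     # "Allow" or "Deny"
    cidr: str       # source CIDR, IPv4 or IPv6
    port_from: int
    port_to: int

    def matches(self, src: str, port: int) -> bool:
        # ip_address() in ip_network() is False across IP versions, so an
        # IPv4-only Deny rule never matches IPv6 sources.
        return (ip_address(src) in ip_network(self.cidr, strict=False)
                and self.port_from <= port <= self.port_to)

def inbound_allowed(rules, src, port):
    """Does an inbound packet from src to a listener port get through?
    Highest-priority matching rule decides; at equal priority Deny beats
    Allow. If nothing matches, the listener port admits the request, which
    is the page's default and why an allow-only group filters nothing."""
    for rule in sorted(rules, key=lambda r: (r.priority, r.action != "Deny")):
        if rule.matches(src, port):
            return rule.action == "Allow"
    return True

def outbound_allowed(rules, dst, port):
    """Response packets are never blocked by ALB security groups."""
    return True

def lint(rules, alb_local_ip, group_count):
    """Flag the misconfigurations this page warns about."""
    problems = []
    if group_count > 4:
        problems.append("an ALB instance can be added to at most four security groups")
    for r in rules:
        if (r.action == "Deny" and r.priority == 1
                and ip_address(alb_local_ip) in ip_network(r.cidr, strict=False)):
            problems.append(f"priority-1 Deny rule {r.cidr} covers the ALB local IP {alb_local_ip}")
    if not any(r.action == "Deny" for r in rules):
        problems.append("no Deny rule: every source can still reach the listener ports")
    return problems

# Constructed sample rule sets (documentation address ranges, not real tenants).
ALLOW_ONLY = [Rule(1, "Allow", "203.0.113.0/24", 443, 443)]
WHITELIST = ALLOW_ONLY + [Rule(100, "Deny", "0.0.0.0/0", 1, 65535),
                          Rule(100, "Deny", "::/0", 1, 65535)]
```

Note that the IPv6 Deny rule is needed because a 0.0.0.0/0 rule matches only IPv4 sources, while ALB security groups also evaluate IPv6 traffic.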
Limits
By default, security groups are unavailable. To use security groups, contact your account manager.
Category | Security group type | Description |
Security groups supported by ALB | Basic security groups and advanced security groups | For more information about basic security groups and advanced security groups, see Basic security groups and advanced security groups. |
Security groups not supported by ALB | Managed security groups | For more information about managed security groups, see Managed security groups. |
Feature comparison
Both ACLs and security groups regulate access by configuring IP address blacklists and whitelists. The following table compares the two features:
Item | ACL | Security group |
Can be configured for | Listeners. | Instances and listeners. |
Blacklist and whitelist | You can configure either whitelists or blacklists for a listener. | You can configure both blacklists and whitelists for an instance or a listener. |
IP version | Supports IPv4 addresses. | Supports both IPv4 and IPv6 addresses. |
Limits | For ACL limits, see Limits. | For security group limits, see Limits. |
Prerequisites
An ALB instance is created and listeners are created for the ALB instance. For more information, see Create an ALB instance.
A security group is created and security group rules are added to the security group. For more information, see Create a security group and Add a security group rule.
Add the ALB instance to a security group
To allow or forbid an ALB instance to access the Internet or private networks, you can add the ALB instance to a security group.
- Log on to the ALB console.
- In the top navigation bar, select the region where the ALB instance is deployed.
- On the Instances page, click the ID of the ALB instance that you want to manage.
- On the instance details page, click the Security Groups tab.
- On the Security Groups tab, click Create Security Group. In the Add ALB Instance to Security Group dialog box, select one or more security groups and click OK.
  An ALB instance can be added to at most four security groups. To create a security group, click Create Security Group from the Security Groups drop-down list. For more information, see Create a security group.
- In the left-side navigation tree, click the ID of the security group that you want to use, and then click the Inbound Policies or Outbound Policies tab to view the security group rules.
- To modify an inbound security group rule, click the security group ID in the Basic Information section, or click ECS Console in the upper-right corner of the Security Groups tab. Then, modify the rule on the details page. For more information about how to modify security group rules in the Elastic Compute Service (ECS) console, see Modify a security group rule.
Remove an ALB instance from a security group
If an ALB instance no longer uses a security group, you can remove the ALB instance from the security group. You can remove an ALB instance from only one security group at a time.
- Log on to the ALB console.
- In the top navigation bar, select the region where the ALB instance is deployed.
- On the Instances page, click the ID of the ALB instance that you want to manage. On the Instance Details page, click the Security Groups tab.
- In the left-side navigation tree, click the security group ID and then click Remove in the upper-right corner.
- In the Remove message, click OK.
References
For more information about security groups, see Security groups.
For more information about how to configure access control based on protocols and ports, see Configure access control based on listeners and ports by using security groups.
For more information about how to allow or deny access from specific IP addresses, see Use security groups as blacklists or whitelists.
LoadBalancerJoinSecurityGroup: adds an ALB instance to a security group.
LoadBalancerLeaveSecurityGroup: removes an ALB instance from a security group.