
Server Load Balancer: Use security groups to implement fine-grained access control based on listeners and ports

Last Updated:Nov 18, 2024

To control which requests reach your service, you can add a Network Load Balancer (NLB) instance to a security group and use security group rules to filter inbound traffic by protocol, port, and source IP address. Unlike the access control lists (ACLs) used by Classic Load Balancer (CLB), security group rules are evaluated per protocol and port, so you can apply different policies to different listeners on the same NLB instance. This topic describes how to configure a security group for an NLB instance to control access to individual listeners and ports.

Scenarios

  • Before an NLB instance is added to a security group, the listener ports of the NLB instance accept all requests.

  • After an NLB instance is added to a security group that contains no Deny rules, the listener ports still accept all requests: an Allow rule on its own does not restrict access. If you want to accept requests only from specific IP addresses, you must also create a Deny rule that blocks the other sources, for example a Deny rule whose authorization object is 0.0.0.0/0.

If you need to control inbound traffic to an NLB instance, add the instance to a security group and configure security group rules based on your business requirements.

Important

The outbound traffic of an NLB instance consists of the responses that it returns to client requests. To avoid disrupting your service, security groups do not filter the outbound traffic of NLB instances, so you do not need to configure outbound rules.

The following list describes how a security group affects an NLB instance in each scenario. In all three scenarios, access control is based on protocol and port, and the NLB instance has two listeners: a TCP listener on port 80 and a TCP listener on port 81. Only the security group rules that are relevant to this topic are listed; other default rules are omitted.

Scenario 1: The NLB instance is not added to a security group.

  • Security group rules: none. The listener ports of the NLB instance accept all requests by default.

  • Expected result: requests to the TCP listener on port 80 are allowed, and requests to the TCP listener on port 81 are allowed.

  • Reference: Step 2: Create an NLB instance and configure listeners

Scenario 2: The NLB instance is added to a security group.

  • Security group rules: an Allow rule for TCP port 80 and a Deny rule for TCP port 81.

  • Expected result: requests to the TCP listener on port 80 are allowed, and requests to the TCP listener on port 81 are rejected.

  • Reference: Step 4: Add the NLB instance to the security group and check the result

Scenario 3: The rules of the security group to which the NLB instance is added are modified.

  • Security group rules: a Deny rule for TCP port 80 and a Deny rule for TCP port 81.

  • Expected result: requests to the TCP listener on port 80 are rejected, and requests to the TCP listener on port 81 are rejected.

  • Reference: Step 5: Modify the security group rules and check the result
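The following Python script, added here as an illustration and not part of Alibaba Cloud or of this topic, replays the three scenarios above (plus the allow-list case from the Scenarios section) against a small model of inbound security group evaluation. The model takes one thing from this topic, that a listener port accepts a request when no rule matches, and assumes two things the topic does not state: a smaller priority number is evaluated first, and at equal priority a Deny rule wins over an Allow rule. The client addresses and the 10.0.0.0/8 "trusted" range are constructed.

```python
"""Model of inbound security group evaluation for an NLB listener.

Constructed example, not Alibaba Cloud code. Assumptions not taken from the
topic: priority 1 is the highest priority, and Deny beats Allow on a tie."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    priority: int    # assumption: smaller number is evaluated first
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    source: str      # CIDR of the authorization object, e.g. "0.0.0.0/0"

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        return (self.protocol in ("all", protocol)
                and self.port_from <= port <= self.port_to
                and ip_address(src_ip) in ip_network(self.source))


def evaluate(rules, protocol: str, port: int, src_ip: str) -> str:
    """Decide 'allow' or 'deny' for one inbound connection attempt.

    rules is None when the instance is in no security group. When no rule
    matches, the listener port accepts the request (the default described in
    the Scenarios section). Otherwise the matching rules with the best
    priority decide, and Deny wins a tie (assumption)."""
    if rules is None:
        return "allow"
    hits = [r for r in rules if r.matches(protocol, port, src_ip)]
    if not hits:
        return "allow"
    best = min(r.priority for r in hits)
    if any(r.action == "deny" and r.priority == best for r in hits):
        return "deny"
    return "allow"


ANY = "0.0.0.0/0"
SCENARIO_1 = None                                    # not in a security group
SCENARIO_2 = [Rule("allow", 1, "tcp", 80, 80, ANY),  # rule set of Step 4
              Rule("deny", 1, "tcp", 81, 81, ANY)]
SCENARIO_3 = [Rule("deny", 1, "tcp", 80, 80, ANY),   # rule set of Step 5
              Rule("deny", 1, "tcp", 81, 81, ANY)]
# Allow-list case from the Scenarios section: an Allow rule on its own
# restricts nothing; a broader Deny rule at a lower priority is what blocks
# every other source. 10.0.0.0/8 is the constructed "trusted" range.
ALLOW_ONLY = [Rule("allow", 1, "tcp", 80, 80, "10.0.0.0/8")]
ALLOW_LIST = [Rule("allow", 1, "tcp", 80, 80, "10.0.0.0/8"),
              Rule("deny", 2, "tcp", 80, 80, ANY)]

INTERNET_CLIENT = "203.0.113.10"   # constructed addresses (documentation ranges)
TRUSTED_CLIENT = "10.1.2.3"


def run_scenarios() -> dict:
    """Evaluate each rule set for both listener ports and the allow-list cases."""
    out = {}
    for name, rules in (("scenario1", SCENARIO_1), ("scenario2", SCENARIO_2),
                        ("scenario3", SCENARIO_3)):
        out[name] = {port: evaluate(rules, "tcp", port, INTERNET_CLIENT)
                     for port in (80, 81)}
    out["allow_only_internet"] = evaluate(ALLOW_ONLY, "tcp", 80, INTERNET_CLIENT)
    out["allow_list_internet"] = evaluate(ALLOW_LIST, "tcp", 80, INTERNET_CLIENT)
    out["allow_list_trusted"] = evaluate(ALLOW_LIST, "tcp", 80, TRUSTED_CLIENT)
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The allow_only_internet case is the point of the second bullet in the Scenarios section: with only the Allow rule for 10.0.0.0/8, a client outside that range is still allowed, because nothing matches it and the default is to accept. Adding the Deny rule for 0.0.0.0/0 at a lower priority turns the Allow rule into a real allow list.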

Limits

Security groups supported by NLB: basic security groups and advanced security groups (also called common security groups and enterprise security groups).

  • The security group and the NLB instance must belong to the same virtual private cloud (VPC).

  • You can add an NLB instance to up to four security groups. All security groups to which an NLB instance is added must be of the same type. If an NLB instance belongs to a basic security group and you want to add it to an advanced security group, first remove it from the basic security group. Likewise, if the instance belongs to an advanced security group and you want to add it to a basic security group, first remove it from the advanced security group.

  • NLB instances created before September 30, 2022, during the public preview, cannot be added to security groups. To use security groups with such instances, replace them or purchase new NLB instances.

For more information about basic security groups and advanced security groups, see Basic security groups and advanced security groups.

Security groups not supported by NLB: managed security groups. For more information, see Managed security groups.

Prerequisites

  • A virtual private cloud (VPC) is created. VPC1 is used in this example. For more information, see Create and manage a VPC.

  • Two Elastic Compute Service (ECS) instances, ECS01 and ECS02, are deployed in VPC1 and serve as the backend servers of the NLB instance. A web application is deployed on each instance so that the response identifies which backend server handled the request.

    • For more information about how to create an ECS instance, see Create an instance by using the wizard.

    • The following commands deploy the application on ECS01 and ECS02.

      Commands for deploying an application on ECS01

      # Install and start NGINX, then replace the default page so that the
      # response identifies this backend server.
      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS01." > index.html

      Commands for deploying an application on ECS02

      # Same deployment on the second backend server, with its own page.
      yum install -y nginx
      systemctl start nginx.service
      cd /usr/share/nginx/html/
      echo "Hello World ! This is ECS02." > index.html

  • A domain name is registered, an Internet content provider (ICP) filing is completed for the domain name, and a CNAME record maps the domain name to the domain name of the NLB instance. The connectivity tests in this topic use this domain name. For more information, see Register a generic domain name, ICP filing process, and Step 4: Create a DNS record.

Step 1: Create a server group

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region where the server group is deployed. In this example, China (Hangzhou) is selected.

  3. In the left-side navigation pane, choose NLB > Server Group.

  4. On the Server Groups page, click Create Server Group.

  5. In the Create Server Group dialog box, set the parameters and click Create.

    The following table describes the parameters that are relevant to this topic. You can use the default values for the other parameters. For more information, see Create a server group.

    Parameter

    Description

    Server Group Type

    Specify a type of server group. In this example, Server Type is selected.

    Server Group Name

    The name of the server group. In this example, RS01 is used.

    VPC

    Select a VPC from the drop-down list. In this example, VPC1 is selected.

    Backend Server Protocol

    Select a backend protocol. In this example, TCP is selected.

    Scheduling Algorithm

    Select a scheduling algorithm. In this example, Weighted Round-robin is selected.

  6. In the dialog box that confirms that the server group is created, click Add Backend Server.

  7. On the Backend Servers tab, click Add Backend Server.

  8. In the Add Backend Server panel, select ECS01 and ECS02 and click Next.

  9. Set the port and weight of each added server and click OK. The backend port must be the port on which NGINX listens on ECS01 and ECS02, which is port 80 by default.

Step 2: Create an NLB instance and configure listeners

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region in which the NLB instance is deployed. In this example, China (Hangzhou) is selected.

  3. On the Instances page, click Create NLB.

  4. On the NLB (Pay-As-You-Go) page, configure the following parameters.

    The following section describes only the parameters that are relevant to this topic. For more information about other parameters, see Create an NLB instance.

    • Region: In this example, China (Hangzhou) is selected.

    • Network Type: In this example, Intranet is selected. The client that you use for the connectivity tests in this topic must be able to reach the NLB instance over the selected network type: a client in VPC1 for an internal-facing instance, or a client with Internet access for an Internet-facing instance.

    • VPC: In this example, VPC1 is selected.

  5. Click Buy Now and complete the payment.

  6. Return to the Instances page, find the NLB instance that you want to manage, and then click the ID of the NLB instance.

  7. Click the Listener tab. On the Listener tab, click Quick Create Listener. In the Quick Create Listener dialog box, configure the parameters to create a TCP listener which listens on port 80, and click OK.

    Parameter

    Description

    Listener Protocol

    Select a listener protocol. In this example, TCP is selected.

    Listener Port

    Enter a listener port. In this example, port 80 is specified.

    Server Group

    Select Server Type and select a server group from the drop-down list next to Server Type.

    In this example, the server group RS01 created in Step 1 is selected.

  8. On the Listener tab, click Quick Create Listener. In the Quick Create Listener dialog box, set the following parameters to create a TCP listener which listens on port 81, and click OK.

    Parameter

    Description

    Listener Protocol

    Select a listener protocol. In this example, TCP is selected.

    Listener Port

    Enter a listener port. In this example, port 81 is specified.

    Server Group

    Select Server Type and select a server group from the drop-down list next to Server Type.

    In this example, the server group RS01 created in Step 1 is selected.

  9. Check the accessibility of the NLB instance before it is added to a security group.

    1. Log on to a Linux client that can reach the NLB instance (a client with Internet access for an Internet-facing instance, or a client in VPC1 for an internal-facing instance). If you use CentOS and telnet is not installed, run the yum install -y telnet command to install it.

    2. Run the telnet <domain name> 80 command, where <domain name> is the domain name that you mapped to the NLB instance, to test whether the client can reach TCP port 80 of the NLB instance.

      The following response indicates that the TCP handshake completed and the port is accessible.

      Trying *.*.*.*...
      Connected to www.example.com.
      Escape character is '^]'.

      Then open http://<domain name>:80 in a browser. A response such as "Hello World ! This is ECS01." (the index.html content deployed in the prerequisites) indicates that the NLB instance forwards requests to the backend servers.

      (figure: browser response showing the index.html content of a backend server)

    3. Run the telnet <domain name> 81 command to test whether the client can reach TCP port 81 of the NLB instance. The response is the same as for port 80:

      Trying *.*.*.*...
      Connected to www.example.com.
      Escape character is '^]'.

      Open http://<domain name>:81 in a browser. The same backend response indicates that the NLB instance also forwards requests on port 81 to the backend servers.

      (figure: browser response showing the index.html content of a backend server)

    4. The tests show that before the NLB instance is added to a security group, the client can reach both port 80 and port 81 of the NLB instance.

Step 3: Create a security group

To add the NLB instance to a security group, you need to first create a security group in the ECS console.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Security Groups.

  3. In the top navigation bar, select the region where you want to create a security group. In this example, China (Hangzhou) is selected.

  4. On the Security Groups page, click Create Security Group.

  5. On the Create Security Group page, set the parameters in the Basic Information section.

    The following section describes only the parameters that are relevant to this topic. For more information about other parameters, see Create a security group.

    • Network: In this example, VPC1 is selected.

    • Security Group Type: In this example, Basic Security Group is selected.

  6. On the Create Security Group page, set the parameters in the Access Rule section.

    1. On the Inbound tab, click Add Rule.

    2. Create a security group rule that denies access to port 81. Because the listener ports of an NLB instance accept all requests unless a Deny rule matches, this Deny rule is the only rule that this example requires.

      Action:                Select Deny.
      Priority:              The default value 1 is used.
      Protocol Type:         Select Custom TCP.
      Port Range:            Enter 81.
      Authorization Object:  Select 0.0.0.0/0.
      Description:           Enter a description for the security group rule.

  7. Click Create Security Group.

Step 4: Add the NLB instance to the security group and check the result

Add the NLB instance to the security group created in Step 3 and check whether the security group rules take effect on the NLB instance.

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region in which the NLB instance is deployed. In this example, China (Hangzhou) is selected.

  3. In the left-side navigation pane, choose NLB > Instances. Find the NLB instance created in Step 2 and click the ID. On the instance details page, click the Security Groups tab.

  4. On the Security Groups tab, click Create Security Group. In the Add NLB Instance to Security Group dialog box, select the security group created in Step 3 and click OK.

  5. On the Security Groups tab, click the ID of the security group to open it in the ECS console. On the Inbound Policies and Outbound Policies tabs, you can view the security group rules.

    Only the inbound rules that are relevant to this topic are listed. The following rules apply to the NLB instance after it is added to the security group:

    Policy   Priority   Protocol Type   Port range           Authorization Object
    Allow    1          Custom TCP      Destination: 80/80   Source: 0.0.0.0/0
    Deny     1          Custom TCP      Destination: 81/81   Source: 0.0.0.0/0

  6. Check the accessibility of the NLB instance after it is added to the security group.

    1. Log on to a Linux client that can reach the NLB instance.

    2. Run the telnet <domain name> 80 command to test whether the client can reach TCP port 80 of the NLB instance.

      The following response indicates that the port is still accessible, because no Deny rule matches port 80.

      Trying *.*.*.*...
      Connected to www.example.com.
      Escape character is '^]'.

      Open http://<domain name>:80 in a browser. The backend response indicates that the NLB instance still forwards requests on port 80 to the backend servers.

      (figure: browser response showing the index.html content of a backend server)

    3. Run the telnet <domain name> 81 command to test whether the client can reach TCP port 81 of the NLB instance.

      The following response indicates that the client can no longer reach port 81: the Deny rule for port 81 has taken effect on the NLB instance. As the output shows, the connection times out rather than being refused, because the packets are dropped without a reply; a timeout, not "Connection refused", is what a working Deny rule looks like from the client.

      Trying *.*.*.*...
      telnet: connect to address *.*.*.*: Connection timed out
      Trying *.*.*.*...
      telnet: connect to address *.*.*.*: Connection timed out

      Open http://<domain name>:81 in a browser. The page cannot be loaded, which confirms that the security group rule blocks port 81 of the NLB instance.

Step 5: Modify the security group rules and check the result

Modify the security group rules and check whether access to the NLB instance is allowed or denied.

  1. Return to the NLB > Instances page, find the NLB instance created in Step 2, and then click the ID. On the instance details page, click the Security Groups tab.

  2. In the Basic Information section, click the ID of the security group, or click ECS Console in the upper-right corner of the Security Groups tab, to open the security group in the ECS console. You can modify the rules on the Security Group Rules tab.

  3. On the Security Group Rules tab, find the rule that allows access to port 80. Click Modify in the Actions column and set Action to Deny.

    Only the rules that are relevant to this topic are listed. After the change, the inbound rules are:

    Policy   Priority   Protocol Type   Port range           Authorization Object
    Deny     1          Custom TCP      Destination: 80/80   Source: 0.0.0.0/0
    Deny     1          Custom TCP      Destination: 81/81   Source: 0.0.0.0/0

  4. Test whether access to the NLB instance is denied after the rule is modified.

    1. Log on to a Linux client that can reach the NLB instance.

    2. Run the telnet <domain name> 80 command to test whether the client can reach TCP port 80 of the NLB instance.

      The following response indicates that the client can no longer reach port 80: the modified Deny rule has taken effect on the NLB instance.

      Trying *.*.*.*...
      telnet: connect to address *.*.*.*: Connection timed out
      Trying *.*.*.*...
      telnet: connect to address *.*.*.*: Connection timed out

      Open http://<domain name>:80 in a browser. The page cannot be loaded, which confirms that port 80 of the NLB instance is now blocked.

    3. Run the telnet <domain name> 81 command to test whether the client can reach TCP port 81 of the NLB instance.

      The following response indicates that port 81 remains blocked by its Deny rule.

      Trying *.*.*.*...
      telnet: connect to address *.*.*.*: Connection timed out
      Trying *.*.*.*...
      telnet: connect to address *.*.*.*: Connection timed out

      Open http://<domain name>:81 in a browser. The page cannot be loaded, which confirms that port 81 of the NLB instance is still blocked.
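The telnet checks in Steps 2, 4 and 5 can be automated. The following Python script is an added example, not tooling from Alibaba Cloud or from this topic; NLB_HOST and the expected listener states are assumed values that you replace with your own. It classifies each connection attempt the way the telnet output above does: a completed handshake means the port is accessible, and a timeout is what a matching Deny rule looks like, since the dropped packets produce no reply. The loopback self-check runs offline and needs no NLB instance.

```python
"""Automated version of the telnet checks in Steps 2, 4 and 5.

Constructed example, not Alibaba Cloud tooling. NLB_HOST and the expected
states are assumptions for illustration."""
import socket

NLB_HOST = "www.example.com"                         # assumed: domain name mapped to the NLB
EXPECTED_AFTER_STEP_4 = {80: "allow", 81: "deny"}    # listener states from the Step 4 rule set


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connection attempt.

    'open'     - handshake completed (telnet prints "Connected to ...")
    'closed'   - host answered with a reset: reachable, but nothing listens there
    'filtered' - no answer before the timeout; a matching security group Deny
                 rule drops the packets, which telnet reports as "Connection timed out"
    'error'    - name resolution or routing failure, not a security group effect
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:            # alias of TimeoutError on Python 3.10+
        return "filtered"
    except OSError:
        return "error"


def check_listeners(host, expected, timeout=3.0, prober=probe_port):
    """Probe every port in expected ({port: 'allow' | 'deny'}) and return a list
    of (port, observed_state, matches_expectation).

    A port expected to be denied only passes when it is 'filtered'. An 'open'
    or 'closed' result means the packets were not dropped, i.e. no Deny rule
    took effect for that port. prober is injectable so the logic can be
    exercised without network access."""
    report = []
    for port, policy in sorted(expected.items()):
        observed = prober(host, port, timeout)
        wanted = "open" if policy == "allow" else "filtered"
        report.append((port, observed, observed == wanted))
    return report


def loopback_self_check():
    """Offline demonstration: an ephemeral listener on 127.0.0.1 probes as
    'open'; the same port probes as 'closed' once the listener is gone."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port, 1.0)
    srv.close()
    after_close = probe_port("127.0.0.1", port, 1.0)
    return while_listening, after_close


if __name__ == "__main__":
    print("loopback self-check:", loopback_self_check())
    # Live check against the NLB instance; requires a client that can reach it.
    for port, observed, ok in check_listeners(NLB_HOST, EXPECTED_AFTER_STEP_4):
        print(f"port {port}: {observed} ({'as expected' if ok else 'UNEXPECTED'})")
```

Run the script after each of Steps 2, 4 and 5 with the expected dictionary changed to match the scenario ({80: "allow", 81: "allow"} before the security group is attached, {80: "deny", 81: "deny"} after Step 5). A port that reports 'closed' where 'filtered' was expected is worth investigating: it means the request reached the NLB instance, so the Deny rule is missing, has the wrong port range, or the instance is not in the security group.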
