All Products
Search

This Product

    Server Load Balancer:Use security groups as blacklists or whitelists

    Document Center

    Server Load Balancer:Use security groups as blacklists or whitelists

    Last Updated:Nov 20, 2024

    If you want to deny or allow requests from specific IP addresses to a Network Load Balancer (NLB) instance, you can configure a security group for the NLB instance to implement access control. NLB security groups can be used as whitelists or blacklists, which implement fine-grained access control.

    Sample scenarios

    • Before an NLB instance is added to a security group, the listener ports of the NLB instance accept all requests by default.

    • After an NLB instance is added to a security group which does not contain Deny rules, the listener ports of the NLB instance accept all requests by default. If you want to allow requests only from specific IP addresses to your NLB instance, you must also create a Deny rule.

    If your NLB instance has access control requirements and you want to control inbound traffic to the NLB instance, you can add the NLB instance to a security group and configure security group rules based on your business requirements.

    Important

    The outbound traffic of an NLB instance refers to responses returned to user requests. To ensure that your service is not affected, NLB security groups do not limit outbound traffic. You do not need to configure outbound rules for security groups.

    The following scenarios are used to demonstrate how whitelists and blacklists work. For more information, see Security group rules.

    A blacklist denies access from specific IP addresses.

    image.png

    A whitelist allows access only from specific IP addresses.

    image.png

    Limits

    Category

    Security group type

    Description

    Security groups supported by NLB

    • Basic security group

    • Advanced security group

    • The security group and the NLB instance must belong to the same virtual private cloud (VPC).

    • You can add an NLB instance to up to four security groups. The security groups to which an NLB instance is added must be of the same type.

      If an NLB instance is added to a basic security group and you want to add the instance to an advanced security group, you must remove the NLB instance from the basic security group. If an NLB instance is added to an advanced security group and you want to add the instance to a basic security group, you must remove the NLB instance from the advanced security group.

    • NLB instances created before September 30, 2022 during the public preview cannot be added to security groups. To use security groups, replace the NLB instances or purchase new NLB instances.

    For more information about basic security groups and advanced security groups, see Basic security groups and advanced security groups.

    Security groups not supported by NLB

    Managed security group

    For more information about managed security groups, see Managed security groups.

    Prerequisites

    Four Elastic Compute Service (ECS) instances are created. For more information about how to create an ECS instance, see Purchase an ECS instance.

    • ECS01 and ECS02 function as backend servers of the NLB instance. Applications are deployed on ECS01 and ECS02.

      The following sample commands are used to deploy test applications on ECS01 and ECS02:

      Commands for deploying an application on ECS01

      yum install -y nginx
systemctl start nginx.service
cd /usr/share/nginx/html/
echo "Hello World ! This is ECS01." > index.html

      Commands for deploying an application on ECS02

      yum install -y nginx
systemctl start nginx.service
cd /usr/share/nginx/html/
echo "Hello World ! This is ECS02." > index.html

    • ECS03 and ECS04 are Internet-facing instances used to access the NLB instance. You can also use an existing Linux server to access the NLB instance. In this case, you do not need to create ECS03 and ECS04.

    • A domain name is registered, an Internet content provider (ICP) number is obtained for the domain name, and a CNAME record is created to map the custom domain name to the domain name of your NLB instance. For more information, see Register a generic domain nameRegister a domain name on Alibaba Cloud, ICP filing process, and Step 4: Create a DNS record.

      The following table describes the configurations of the ECS instances used in this topic.

      Instance

      ECS configuration

      VPC

      IP address

      Procedure

      ECS01

      • Instance type: ecs.u1-c1m1.large

      • CPUs and memory: 2 vCPUs and 2 GiB of memory

      • Operating system: Alibaba Cloud Linux 3.2104 LTS 64-bit

      • Network type: VPC

      VPC01

      • Private: 192.168.0.24

      • Public: not assigned

      The instances are specified as the backend servers of the NLB instance.

      ECS02

      • Private: 192.168.0.37

      • Public: not assigned

      ECS03

      VPC02

      • Private: 192.168.0.25

      • Public: 47.XX.XX.55

      The instances are used as clients to access the NLB instance.

      ECS04

      • Private: 192.168.0.26

      • Public: 101.XX.XX.251

    Step 1: Create a server group

    1. Log on to the NLB console.

    2. In the top navigation bar, select the region where you want to create a server group. In this example, China (Hangzhou) is selected.

    3. In the left-side navigation pane, choose NLB > Server Group.

    1. On the Server Groups page, click Create Server Group.

    2. In the Create Server Group dialog box, set the following parameters and click Create.

      The following table describes the key parameters for creating a server group. Use the default values for other parameters. For more information, see Create a server group.

      Parameter

      Description

      Server Group Type

      Specify a type of server group. In this example, Server is selected.

      Server Group Name

      Enter a name for the server group. In this example, RS01 is used.

      VPC

      Select a VPC from the drop-down list. In this example, VPC1 is selected. The server group must reside in the same VPC as ECS01 and ECS02.

      Backend Server Protocol

      Select a backend protocol. In this example, TCP is selected.

    1. In the Server group created dialog box, click Add Backend Server.

    2. On the Backend Servers tab, click Add Backend Server.

    3. In the Add Backend Server panel, select ECS01 and ECS02 and click Next.

    4. Specify ports and weights for the backend servers and click OK. In this example, port 80 is specified and the default weight is used.

    Step 2: Create an NLB instance and configure listeners

    1. In the left-side navigation pane, choose NLB > Instances. On the Instances page, click Create NLB.

    2. On the NLB (Pay-As-You-Go) page, set the following parameters.

      The following table describes only some of the parameters. For more information about other parameters, see Create an NLB instance.

      • Region: In this example, China (Hangzhou) is selected.

      • Network Type: In this example, Internet is selected.

      • VPC: In this example, VPC01 is selected.

    3. Click Buy Now and complete the payment.

    4. Return to the Instances page, find the NLB instance that you created, and click the ID of the NLB instance.

    5. Click the Listener tab. On the Listener tab, click Quick Create Listener. In the Quick Create Listener dialog box, set the following parameters to create a TCP listener that uses port 80 and click OK.

      Parameter

      Procedure

      Listener Protocol

      Select a listener protocol. In this example, TCP is selected.

      Listener Port

      In this example, port 80 is used.

      Server Group

      Select Server Type and select a server group from the drop-down list next to Server Type.

      In this example, the server group created in Step 1: Create a server group is selected.

    6. Check the accessibility of the NLB instance when the NLB instance is not added to a security group. The command curl -s http://whatismyip.akamai.com/ can be used to query the public IP address of the client which sends the request.

      1. Log on to ECS03. Run the following command to test whether ECS03 can access the NLB instance: telnet Domain name 80.

        If you receive echo reply packets as shown in the following figure, ECS03 can access the NLB instance.image.png

      2. Log on to ECS04. Run the following command to test whether ECS04 can access the NLB instance: telnet Domain name 80.

        If you receive echo reply packets as shown in the following figure, ECS04 can access the NLB instance.image.png

      The results show that before the NLB instance is added to a security group, ECS03 and ECS04 can access the NLB instance.

    Step 3: Create a security group

    Before you add your NLB instance to a security group, you must create a security group in the ECS console. This section describes how to create two security groups.

    • Security Group 1 as a blacklist

      Add a Deny rule that denies access from specified IP addresses. In this example, a Deny rule that denies access from the public IP address 47.XX.XX.55 of ECS03 is created. You can keep the default security group rule. The following table describes the configurations of the rule.

      Policy

      Priority

      Protocol

      Port range

      Authorization object

      Deny

      1

      All

      Destination: -1/-1

      Source: 47.XX.XX.55

    • Security Group 2 as a whitelist

      Add an Allow rule that allows access from specific IP addresses and a Deny rule that denies access from specific IP addresses. In this example, an Allow rule that allows access from the public IP address 47.XX.XX.55 of ECS03, and a Deny rule are created. The following table describes the configurations of the rules.

      Policy

      Priority

      Protocol

      Port range

      Authorization object

      Yes

      1

      All

      Destination: -1/-1

      Source: 47.XX.XX.55

      Deny

      100

      All

      Destination: -1/-1

      Source: 0.0.0.0/0

    1. Log on to the ECS console.

    2. In the left-side navigation pane, choose Network & Security > Security Groups.

    3. In the top navigation bar, select the region where you want to create a security group. In this example, China (Hangzhou) is selected.

    4. On the Security Groups page, click Create Security Group.

    5. On the Create Security Group page, set the parameters in the Basic Information section.

      Specify the following parameters. For more information about other parameters, see Create a security group.

      • Network: In this example, VPC 1 is selected. The security group must reside in the same VPC as the NLB instance.

      • Security Group Type: In this example, Basic Security Group is selected.

    6. On the Create Security Group page, set the parameters in the Access Rule section.

      1. On the Inbound tab, click Add Rule to add rules based on the configurations of the rules in Security Group 1 and Security Group 2.

      2. Click Create Security Group.

    Step 4: Add the NLB instance to the security group and verify the result

    Use Security Group 1 as a blacklist

    Add the NLB instance to Security Group 1 created in Step 3, and test whether the rule in Security Group 1 takes effect on the NLB instance.

    1. Log on to the NLB console.

    2. In the top navigation bar, select the region where the NLB instance is deployed. In this example, China (Hangzhou) is selected.

    3. Click Instances under NLB. On the page that appears, find the NLB instance created in Step 2: Create an NLB instance and configure listeners and click the instance ID. On the instance details page, click the Security Groups tab.

    4. On the Security Groups tab, click Create Security Group. In the Add NLB Instance to Security Group dialog box, select the security group created in Step 3 and click OK.

    5. In the left-side panel, click the ID of the security group that you want to manage. You can click the Inbound Policies or Outbound Policies tab to view the security group rules.

      The following table describes the parameters that are relevant to this topic.

      Policy

      Priority

      Protocol

      Port range

      Authorization object

      Deny

      1

      All

      Destination: -1/-1

      Source: 47.XX.XX.55

    6. Test whether access to the NLB instance in the security group is denied. The command curl -s http://whatismyip.akamai.com can be used to query the public IP address of the client which sends requests.

      1. Log on to ECS03. Run the following command to test whether ECS03 can access the NLB instance: telnet Domain name 80.

        If you receive echo reply packets as shown in the following figure, ECS04 failed to access the NLB instance.image.png

      2. Log on to ECS04. Run the following command to test whether ECS04 can access the NLB instance: telnet Domain name 80.

        If you receive echo reply packets as shown in the following figure, ECS04 can access the NLB instance.image.png

      The results show that after the NLB instance is added to Security Group 1, IP addresses specified in the Deny rule can no longer access the NLB instance. IP address not specified in the Deny rule can access the NLB instance.

    Use Security Group 2 as a whitelist

    Add the NLB instance to Security Group 2 created in Step 3, and test whether the rules in Security Group 2 take effect on the NLB instance.

    1. Log on to the NLB console.

    2. In the top navigation bar, select the region where the NLB instance is deployed. In this example, China (Hangzhou) is selected.

    3. Click Instances under NLB. On the page that appears, find the NLB instance created in Step 2: Create an NLB instance and configure listeners and click the instance ID. On the instance details page, click the Security Groups tab.

    4. On the Security Groups tab, click Create Security Group. In the Add NLB Instance to Security Group dialog box, select Security Group 2 created in Step 3 and click OK.

    5. In the left-side panel, click the ID of the security group that you want to manage. You can click the Inbound Policies or Outbound Policies tab to view the security group rules.

      Policy

      Priority

      Protocol

      Port range

      Authorization object

      Yes

      1

      All

      Destination: -1/-1

      Source: 47.XX.XX.55

      Deny

      100

      All

      Destination: -1/-1

      Source: 0.0.0.0/0

    6. Test whether access to the NLB instance in the security group is denied. The command curl -s http://whatismyip.akamai.com can be used to query the public IP address of the client which sends requests.

      1. Log on to ECS03. Run the following command to test whether ECS03 can access the NLB instance: telnet Domain name 80.

        If you receive echo reply packets as shown in the following figure, ECS04 can access the NLB instance.image.png

      2. Log on to ECS04. Run the command to test whether ECS04 can access the NLB instance: telnet Domain name 80.

        If you receive echo reply packets as shown in the following figure, ECS04 failed to access the NLB instance.image.png

      The results show that after the NLB instance is added to Security Group 2, only IP addresses specified in the Allow rules of Security Group 2 can access the NLB instance.

    References