
Server Load Balancer:Work with the access control feature of SLB

Last Updated:Aug 02, 2023

To ensure the security of your resources, you can use access control policies to regulate access to your resources and allow only authorized users to access your resources. This topic describes the access control feature of Server Load Balancer (SLB).

Overview

The following types of access control policies are supported by SLB:

  • ACL

    You can configure access control lists (ACLs) for listeners of Application Load Balancer (ALB) and Classic Load Balancer (CLB). You can create inbound rules to allow or deny requests from clients in a fine-grained manner. You can configure whitelists or blacklists for different listeners.

    For more information, see Access control for ALB and Access control for CLB.

  • Security group

    A security group is used as a virtual firewall to manage inbound traffic and outbound traffic and improve resource security. Security groups provide Stateful Packet Inspection (SPI) and packet filtering capabilities.

    You can add Network Load Balancer (NLB) instances to security groups. If your NLB instance has access control requirements and you want to control inbound traffic to the NLB instance, you can add the NLB instance to a security group and configure security group rules based on your business requirements.

ACL

For ALB and CLB instances, you can configure whitelists or blacklists for different listeners:

  • A whitelist is used for scenarios in which you want to allow access only from specific IP addresses or CIDR blocks.

    A misconfigured whitelist can block legitimate traffic. If a whitelist is configured for a listener, only requests from IP addresses or CIDR blocks that are added to the whitelist are forwarded by the listener. If you enable a whitelist but do not add any entries to it, the listener forwards all requests, so the whitelist restricts nothing until entries are added.

  • A blacklist is used for scenarios in which you want to deny access from specific IP addresses or CIDR blocks.

    If a blacklist is configured for a listener but no IP addresses are added to the blacklist, the listener forwards all requests.
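The following Python model of the listener ACL rules above is an added example, not Alibaba Cloud's code or API; the names ListenerAcl, decide() and audit() are hypothetical. It matches client addresses against the configured entries with the standard ipaddress module and reproduces the two edge cases the text calls out: an enabled whitelist or blacklist with no entries forwards every request, and audit() flags the empty-whitelist case, since that configuration looks restrictive but is not.

```python
"""Model of listener ACL semantics (added example, hypothetical names).

Rules implemented, as documented for ALB/CLB listeners:
  - whitelist with entries: forward only sources that match an entry
  - whitelist enabled but empty: forward everything
  - blacklist with entries: drop sources that match, forward the rest
  - blacklist enabled but empty: forward everything
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class ListenerAcl:
    mode: str                                    # "whitelist", "blacklist" or "off"
    entries: list = field(default_factory=list)  # IP addresses or CIDR blocks

    def _matches(self, source: str) -> bool:
        """True if `source` falls inside any configured address or CIDR block."""
        src = ipaddress.ip_address(source)
        for entry in self.entries:
            net = ipaddress.ip_network(entry, strict=False)
            # `in` already returns False across IPv4/IPv6, so mixed lists are safe.
            if src in net:
                return True
        return False

    def decide(self, source: str) -> str:
        """Return 'forward' or 'drop' for a request from `source`."""
        if self.mode == "off" or not self.entries:
            # An enabled but empty list does not restrict anything.
            return "forward"
        matched = self._matches(source)
        if self.mode == "whitelist":
            return "forward" if matched else "drop"
        if self.mode == "blacklist":
            return "drop" if matched else "forward"
        raise ValueError(f"unknown ACL mode: {self.mode}")


def audit(acl: ListenerAcl) -> list:
    """Flag the misconfiguration the text warns about: a whitelist that is
    enabled but has no entries silently forwards all requests."""
    findings = []
    if acl.mode == "whitelist" and not acl.entries:
        findings.append("whitelist enabled with no entries: listener forwards all requests")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration using documentation address ranges.
    allow_office = ListenerAcl("whitelist", ["203.0.113.0/24"])
    print(allow_office.decide("203.0.113.7"))   # forward
    print(allow_office.decide("198.51.100.9"))  # drop
    print(audit(ListenerAcl("whitelist", [])))  # one finding
```

Run the module directly to see the decisions for the constructed sample; in practice the same check belongs in a configuration review, where an empty whitelist on a production listener should be treated as a finding rather than a safe default.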

Security group

If an NLB instance is not added to a security group, all requests are allowed on the listening port of the NLB instance by default.

If your NLB instance has access control requirements and you want to control the inbound traffic of the NLB instance, you can add the NLB instance to a security group and configure security group rules based on your business requirements.
Important: The outbound traffic of an NLB instance consists of the return packets of user requests. To ensure that your service is not affected, NLB security groups do not impose limits on outbound traffic, so you do not need to configure outbound rules for security groups.
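The following Python model of the NLB security-group behaviour described in this section is an added example, not Alibaba Cloud's code or API; InboundRule and NlbInstance are hypothetical names. It encodes the two documented facts, that an NLB instance in no security group accepts every request on its listening port and that outbound return traffic is never filtered, and adds one assumption that the text does not state: once a security group is attached, inbound traffic is denied unless an inbound rule explicitly allows it, which is the usual security-group model.

```python
"""Model of NLB security-group evaluation (added example, hypothetical names).

Documented behaviour:
  - no security group attached: all requests on the listening port are allowed
  - outbound traffic (return packets) is never limited; no outbound rules
Assumption (not stated on the page): an attached group is default-deny inbound
and only explicit allow rules admit traffic.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class InboundRule:
    protocol: str        # "tcp" or "udp"
    port_from: int
    port_to: int
    source_cidr: str     # permitted client range

    def matches(self, protocol: str, port: int, source: str) -> bool:
        net = ipaddress.ip_network(self.source_cidr, strict=False)
        return (protocol == self.protocol
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(source) in net)


@dataclass
class NlbInstance:
    listening_ports: set                               # {(protocol, port), ...}
    security_group: Optional[list] = None              # None = not added to any group

    def inbound_decision(self, protocol: str, port: int, source: str) -> str:
        """Return 'allow', 'deny' or 'no listener' for an inbound request."""
        if (protocol, port) not in self.listening_ports:
            return "no listener"   # nothing listens there; hypothetical simplification
        if self.security_group is None:
            return "allow"         # documented default when not in a security group
        # Assumed default-deny: any matching inbound rule allows, otherwise deny.
        for rule in self.security_group:
            if rule.matches(protocol, port, source):
                return "allow"
        return "deny"

    @staticmethod
    def outbound_decision(protocol: str, port: int, destination: str) -> str:
        """Return packets are never filtered, so no outbound rules are evaluated."""
        return "allow"


if __name__ == "__main__":
    # Constructed sample: an NLB with one TCP/443 listener, first without and
    # then with a security group that admits a single documentation range.
    nlb = NlbInstance({("tcp", 443)})
    print(nlb.inbound_decision("tcp", 443, "198.51.100.9"))   # allow (no group)
    nlb.security_group = [InboundRule("tcp", 443, 443, "203.0.113.0/24")]
    print(nlb.inbound_decision("tcp", 443, "198.51.100.9"))   # deny
    print(nlb.inbound_decision("tcp", 443, "203.0.113.7"))    # allow
```

The point the model makes concrete is the transition in the first two printed lines: attaching a security group is what turns the listener from open-to-everyone into rule-governed, so an NLB left outside any group has no inbound filtering at all.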

For more information about how to add an NLB instance to a security group, see the following topics: