
Configuring Security Group Rules for Backend Servers (Shared Load Balancers)

Scenarios

Before you add servers to a backend server group, ensure that their security groups have inbound rules that allow traffic from 100.125.0.0/16 on the health check protocol and port. Otherwise, health checks may fail, and backend servers cannot receive requests from the load balancer. If UDP is used for health checks, the inbound security group rules must also allow ICMP traffic in addition to access from 100.125.0.0/16.

If you have no VPC when you create a server, the system automatically creates one for you. The default security group rules allow only communication among the servers in that VPC. To ensure that the load balancer can reach these servers over both the frontend port and the health check port, configure inbound rules for the security groups that contain these servers.

Procedure

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Under Computing, click Elastic Cloud Server.
  4. In the ECS list, locate the ECS and click its name.

    The ECS details page is displayed.

  5. Click Security Groups, locate the security group, and view security group rules.
  6. Click the security group rule ID or Modify Security Group Rule in the right corner.

    The security group details page is displayed.

  7. Under Inbound Rules, click Add Rule.

    TCP, HTTP, or HTTPS listeners:

    • If the health check port is different from the ports of backend servers, the inbound rules must allow TCP traffic on both the health check port and the backend server ports.
    • If you do not specify a health check port, the inbound rules must allow TCP traffic on the backend server ports.
    • In addition, the inbound rules must allow access from 100.125.0.0/16. Otherwise, health checks may fail.

    UDP listeners:

    • If the health check port is different from the ports of backend servers, the inbound rules must allow UDP traffic on both the health check port and the backend server ports.
    • If you do not specify a health check port, the inbound rules must allow UDP traffic on the backend server ports.
    • The inbound rules must allow access from 100.125.0.0/16. Otherwise, health checks may fail.
    • The inbound rules must allow ICMP traffic.

    Classic load balancers that work in a private network:

    • If the health check port is different from the ports of backend servers, the inbound rules must allow TCP traffic on both the health check port and the backend server ports.
    • If you do not specify a health check port, the inbound rules must allow TCP traffic on the backend server ports.
    • The inbound rules must allow access from the VPC CIDR block.
  8. Click OK.
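The three listener cases above amount to a small rule matrix, and the most common mistake is a security group that allows the service port but not the separate health check port (or, for UDP, not ICMP). The following script is an added example, not code from the page or from the ELB service: it derives the required inbound rules for a listener type and reports which ones an existing security group does not yet cover. The rule model, the hypothetical "classic-private" label for the private-network classic load balancer case, and the choice to restrict the ICMP rule to 100.125.0.0/16 (the page only says ICMP must be allowed) are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Source range that shared load balancers use for health checks and forwarded
# requests; this value is stated on the page.
ELB_SOURCE_CIDR = "100.125.0.0/16"


@dataclass(frozen=True)
class Rule:
    """One inbound security group rule. Ports are ignored when protocol is 'icmp'."""
    protocol: str   # "tcp", "udp" or "icmp"
    port_min: int
    port_max: int
    source: str     # source CIDR


def required_inbound_rules(listener_protocol: str, backend_ports: Iterable[int],
                           health_check_port: Optional[int] = None,
                           vpc_cidr: Optional[str] = None) -> Set[Rule]:
    """Return the minimal inbound rules the page requires for one listener type.

    'classic-private' is a hypothetical label for the page's "classic load balancers
    that work in a private network" case; it needs the VPC CIDR block as the source.
    """
    proto_name = listener_protocol.lower()
    need_icmp = False
    if proto_name in ("tcp", "http", "https"):
        proto, source = "tcp", ELB_SOURCE_CIDR
    elif proto_name == "udp":
        proto, source, need_icmp = "udp", ELB_SOURCE_CIDR, True
    elif proto_name == "classic-private":
        if vpc_cidr is None:
            raise ValueError("classic private load balancers need the VPC CIDR block")
        proto, source = "tcp", vpc_cidr
    else:
        raise ValueError(f"unsupported listener protocol: {listener_protocol}")

    # Backend server ports are always needed; the health check port only if it is set
    # (when it equals a backend port the set simply deduplicates it).
    ports = set(backend_ports)
    if health_check_port is not None:
        ports.add(health_check_port)
    required = {Rule(proto, p, p, source) for p in ports}
    if need_icmp:
        # The page requires ICMP for UDP health checks; limiting it to the load
        # balancer range is an assumption made here for least privilege.
        required.add(Rule("icmp", 0, 0, source))
    return required


def covers(existing: Rule, required: Rule) -> bool:
    """True if one existing rule already permits everything the required rule asks for."""
    if existing.protocol != required.protocol:
        return False
    if required.protocol != "icmp" and not (
        existing.port_min <= required.port_min and required.port_max <= existing.port_max
    ):
        return False
    have = ipaddress.ip_network(existing.source, strict=False)
    need = ipaddress.ip_network(required.source, strict=False)
    # A rule whose source is a superset of the required source still covers it.
    return have.version == need.version and need.subnet_of(have)


def missing_rules(existing: Iterable[Rule], required: Iterable[Rule]) -> List[Rule]:
    """Required rules that no existing rule covers, in a stable order for reporting."""
    existing = list(existing)
    return sorted((r for r in required if not any(covers(e, r) for e in existing)),
                  key=lambda r: (r.protocol, r.port_min, r.source))


# Constructed sample: a UDP listener on port 53 with a separate health check port 10053.
# The group currently allows only the service port from the load balancer range.
EXISTING_RULES = [
    Rule("udp", 53, 53, ELB_SOURCE_CIDR),
    Rule("tcp", 22, 22, "10.0.0.0/8"),
]


def audit_udp_example() -> List[Rule]:
    """Audit the constructed sample group against the UDP listener requirements."""
    required = required_inbound_rules("udp", [53], health_check_port=10053)
    return missing_rules(EXISTING_RULES, required)


if __name__ == "__main__":
    for rule in audit_udp_example():
        print(f"missing: {rule.protocol} {rule.port_min}-{rule.port_max} from {rule.source}")
```

For the constructed sample the audit reports two gaps: UDP on the health check port 10053 and ICMP, both from 100.125.0.0/16. A broad existing rule such as TCP 1-65535 from 0.0.0.0/0 is treated as covering any TCP requirement, which is why the check compares CIDR containment rather than exact equality; whether such a broad rule is acceptable is a separate least-privilege question.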

Network ACL Rule

A network ACL is an optional subnet-level security configuration. You can associate one or more subnets with a network ACL to control traffic entering and leaving those subnets. Like security groups, network ACLs provide access control, but they add an additional layer of defense to your VPC. The default network ACL rules reject all inbound and outbound traffic. If such a network ACL is associated with the subnet where the load balancer or its backend servers reside, the load balancer cannot receive traffic from the public or private network, or the backend servers become unhealthy.

You can configure an inbound network ACL rule to permit access from 100.125.0.0/16.

ELB translates the public IP addresses of clients that access backend servers into IP addresses in 100.125.0.0/16, so the backend subnet only ever sees sources in that range. Therefore, you cannot use network ACL rules to block specific public IP addresses from accessing backend servers.

ACL rules configured for the subnet where the load balancer works do not affect traffic from clients to the load balancer; clients can access the load balancer directly. To control access to the load balancer, configure access control for all listeners added to it.

For details, see Access Control.

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Under Network, click Virtual Private Cloud.
  4. In the navigation pane on the left, choose Access Control > Network ACLs.
  5. Locate the network ACL, and click the network ACL name to switch to the network ACL details page.
  6. On the Inbound Rules or Outbound Rules tab page, click Add Rule to add an inbound or outbound rule.
    • Action: Select Allow.
    • Protocol: The protocol must be the same as the frontend protocol set when the listener is added.
    • Source: Set the value to 100.125.0.0/16.
    • Source Port Range: Select the port range of the service.
    • Destination: Keep the default value 0.0.0.0/0, which matches any destination IP address.
    • Destination Port Range: Select the port range of the service.
    • Description: Supplementary information about the network ACL rule. This parameter is optional.
  7. Click OK.
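The point that client addresses are translated into 100.125.0.0/16 is easy to state and easy to get wrong in practice, so the following added example (not code from the page or from the ELB service) models it: a first-match network ACL with the page's default-deny fallback is evaluated against a packet as the backend subnet sees it. The ACL evaluation model and the way a translated source address is picked inside 100.125.0.0/16 are assumptions made here for illustration; the real address the load balancer uses is not stated on the page. The client and backend addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Source range the backend subnet sees for load balancer traffic (stated on the page).
ELB_SOURCE_CIDR = "100.125.0.0/16"


@dataclass(frozen=True)
class AclRule:
    """One network ACL rule; destination ports are ignored for non-TCP/UDP traffic."""
    action: str          # "allow" or "deny"
    protocol: str        # "tcp", "udp", "icmp" or "any"
    source: str          # source CIDR
    destination: str     # destination CIDR
    dest_port_min: int = 1
    dest_port_max: int = 65535


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


def _matches(rule: AclRule, pkt: Packet) -> bool:
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.source, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.destination, strict=False):
        return False
    if pkt.protocol in ("tcp", "udp") and not (rule.dest_port_min <= pkt.dst_port <= rule.dest_port_max):
        return False
    return True


def evaluate(rules: List[AclRule], pkt: Packet) -> str:
    """First matching rule wins; no match falls through to the default deny the page describes."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "deny"


def via_shared_elb(client_ip: str, backend_ip: str, protocol: str, port: int) -> Packet:
    """Model of the translation the page describes: the backend sees a source inside
    100.125.0.0/16 instead of the client's public address. The specific host address
    derived here is an illustration (assumption), not the load balancer's real allocation."""
    net = ipaddress.ip_network(ELB_SOURCE_CIDR)
    offset = int(ipaddress.ip_address(client_ip)) % (net.num_addresses - 2) + 1
    return Packet(str(net.network_address + offset), backend_ip, protocol, port)


# Constructed sample values (TEST-NET-3 client, private backend address).
CLIENT_IP = "203.0.113.7"
BACKEND_IP = "192.168.0.10"

# An inbound ACL that tries to block one client at the subnet, followed by the allow
# rule the procedure above configures for load balancer traffic on port 80.
SUBNET_ACL = [
    AclRule("deny", "any", "203.0.113.7/32", "0.0.0.0/0"),
    AclRule("allow", "tcp", ELB_SOURCE_CIDR, "0.0.0.0/0", 80, 80),
]


def client_blocked_at_subnet_acl(client_ip: str) -> bool:
    """Does the subnet ACL stop this client's request once it has passed through the load balancer?"""
    pkt = via_shared_elb(client_ip, BACKEND_IP, "tcp", 80)
    return evaluate(SUBNET_ACL, pkt) == "deny"


def health_check_allowed(acl: List[AclRule], port: int) -> bool:
    """Would a health check from the load balancer range reach the backend on this port?"""
    probe = Packet("100.125.3.4", BACKEND_IP, "tcp", port)  # constructed probe source
    return evaluate(acl, probe) == "allow"


if __name__ == "__main__":
    print("client blocked by subnet ACL:", client_blocked_at_subnet_acl(CLIENT_IP))   # False
    print("health check allowed (rule present):", health_check_allowed(SUBNET_ACL, 80))  # True
    print("health check allowed (empty ACL):", health_check_allowed([], 80))           # False
```

The deny rule keyed on the client's public address never fires, because by the time the packet reaches the backend subnet its source is an address in 100.125.0.0/16 that the allow rule matches; the same deny rule does match an untranslated packet, which shows the rule itself is fine and only its placement is wrong. This is the reason the page directs access control for clients to the listeners rather than to the subnet ACL. The empty-ACL case reproduces the default-deny failure mode in which backend servers become unhealthy until the 100.125.0.0/16 allow rule is added.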