Updated on 2024-03-19 GMT+08:00

Security Group Rules

To ensure normal communications between the load balancer and backend servers, you need to check the security group rules and network ACL rules configured for the backend servers.

When backend servers receive requests from the load balancer, source IP addresses are translated into those in 100.125.0.0/16.

  • Security group rules must allow traffic from the 100.125.0.0/16 to backend servers. For details about how to configure security group rules, see Configuring Security Group Rules.
  • Network ACL rules are optional for subnets. If network ACL rules are configured for the backend subnet of the load balancer, the network ACL rules must allow traffic from the backend subnet of the load balancer to the backend servers. For details about how to configure these rules, see Configuring Network ACL Rules.

If Transfer Client IP Address is enabled for the TCP or UDP listeners, network ACL rules and security group rules will not take effect. You can use access control to limit which IP addresses are allowed to access the listener. Learn how to configure access control.

Constraints and Limitations

  • If health check is enabled for a backend server group, security group rules must allow traffic from the health check port over the health check protocol.
  • If UDP is used for health check, there must be a rule that allows ICMP traffic. If there is no such rule, the health of the backend servers cannot be checked.

Configuring Security Group Rules

If you have no VPCs when creating a server, the system automatically creates one for you. Default security group rules allow only communications among the servers in the VPC. To ensure that the load balancer can communicate with these servers over both the frontend port and health check port, configure inbound rules for security groups containing these servers.

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Under Compute, click Elastic Cloud Server.
  4. On the Elastic Cloud Server page, click the name of the ECS that has been added to a backend server group.

    The page providing details about the ECS is displayed.

  5. Click Security Groups, locate the security group, and view security group rules.
  6. Click the ID of a security group rule or Modify Security Group Rule. The security group details page is displayed.
  7. On the Inbound Rules tab page, click Add Rule. Configure an inbound rule based on Table 1.
    Table 1 Security group rules

    Backend Protocol

    Policy

    Protocol & Port

    Source IP Address

    HTTP

    Allow

    Protocol: TCP

    Port: the port used by the backend server and health check port

    100.125.0.0/16

    TCP

    Allow

    Protocol: TCP

    Port: health check port

    100.125.0.0/16

    UDP

    Allow

    Protocol: UDP and ICMP

    Port: health check port

    100.125.0.0/16

  8. Click OK.

Configuring Network ACL Rules

To control traffic in and out of a subnet, you can associate a network ACL with the subnet. Network ACL rules control access to subnets and add an additional layer of defense to your subnets. Default network ACL rules reject all inbound and outbound traffic. If the subnet of a load balancer or associated backend servers has a network ACL associated, the load balancer cannot receive traffic from the Internet or route traffic to backend servers, and backend servers cannot receive traffic from and respond to the load balancer.

Configure an inbound network ACL rule to permit access from 100.125.0.0/16.

ELB translates the public IP addresses used to access backend servers into private IP addresses in 100.125.0.0/16. You cannot configure rules to prevent public IP addresses from accessing backend servers.

Network ACL rules configured for the backend subnet of the load balancer will not restrict the traffic from the clients to the load balancer. If these rules are configured, the clients can directly access the load balancer. To control access to the load balancer, configure access control for all listeners added to the load balancer

For details, see Access Control.

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Hover on in the upper left corner to display Service List and choose Networking > Virtual Private Cloud.
  4. In the navigation pane on the left, choose Access Control > Network ACLs.
  5. In the network ACL list, click the name of the network ACL to switch to the page showing its details.
  6. On the Inbound Rules or Outbound Rules tab page, click Add Rule to add an inbound or outbound rule.
    • Action: Select Allow.
    • Protocol: The protocol must be the same as the backend protocol.
    • Source: Set it to 100.125.0.0/16.
    • Source Port Range: Select a port range.
    • Destination: Enter a destination address allowed in this direction. The default value is 0.0.0.0/0, which indicates that traffic from all IP addresses is permitted.
    • Destination Port Range: Select a port range.
    • (Optional) Description: Describe the network ACL rule.
  7. Click OK.