Security Group and Network ACL Rules
To ensure normal communications between the load balancer and backend servers, you need to check the security group and network ACL rules.
When backend servers receive requests from the load balancer, source IP addresses are translated into those in 100.125.0.0/16.
- Security group rules of backend servers must allow traffic from 100.125.0.0/16 to backend servers. For details about how to configure security group rules, see Configuring Security Group Rules.
- Network ACL rules are optional for subnets. If network ACL rules are configured for the subnet where the backend servers are deployed, the rules must allow traffic from the backend subnet of the load balancer to the subnet of the backend servers. For details about how to configure network ACL rules, see Configuring Network ACL Rules.

If Transfer Client IP Address is enabled for Layer 4 listeners, network ACL and security group rules will not take effect. You can use access control to limit which IP addresses are allowed to access the listener. For details, see What Is Access Control?
Constraints
- If health check is enabled for a backend server group, security group rules must allow traffic over the health check port and protocol.
- If UDP is used for health check, there must be a rule that allows ICMP traffic. If there is no such rule, the health of the backend servers cannot be checked.
Configuring Security Group Rules
If you have no VPCs when creating a server, the system automatically creates one for you. Default security group rules allow instances in the security group to communicate with each other but block access from external networks. To ensure that the load balancer can communicate with associated backend servers over both the frontend and health check ports, configure inbound rules for the security group containing these servers.
- Log in to the management console.
- In the upper left corner of the page, click the icon and select the desired region and project.
- Under Compute, click Elastic Cloud Server.
- In the ECS list, click the name of the target ECS.
- Click the Security Groups tab, locate the security group, click its name, and view security group rules.
- Click the ID of a security group rule or Modify Security Group Rule. The security group details page is displayed.
- On the Inbound Rules tab, click Add Rule. Configure inbound rules based on Table 1.
Table 1 Security group rules

| Backend Protocol | Action | Protocol & Port | Source IP Address |
|---|---|---|---|
| HTTP | Allow | Protocol: TCP; Port: the port used by the backend server and health check port | 100.125.0.0/16 |
| TCP | Allow | Protocol: TCP; Port: health check port | 100.125.0.0/16 |
| UDP | Allow | Protocol: UDP and ICMP; Port: health check port | 100.125.0.0/16 |

- Click OK.
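
The following added example (not part of the original documentation or of any cloud SDK) checks a set of inbound security group rules against Table 1 and the health check constraints above, and reports which required flows from 100.125.0.0/16 are not allowed. The rule dictionary layout, the function names and the sample rules are assumptions made for illustration.

```python
import ipaddress

ELB_SOURCE = ipaddress.ip_network("100.125.0.0/16")  # source range stated on this page

def required_flows(backend_protocol, backend_port, health_port):
    """(protocol, port) pairs per Table 1; port None means no port (ICMP)."""
    table = {
        "HTTP": {("tcp", backend_port), ("tcp", health_port)},
        "TCP": {("tcp", health_port)},
        "UDP": {("udp", health_port), ("icmp", None)},  # UDP health checks need ICMP
    }
    return table[backend_protocol.upper()]

def rule_covers(rule, protocol, port):
    """True if one inbound allow rule admits this flow from the whole ELB range."""
    if rule["direction"] != "inbound" or rule["action"] != "allow":
        return False
    if rule["protocol"] not in (protocol, "all"):
        return False
    source = ipaddress.ip_network(rule["source"])
    if source.version != ELB_SOURCE.version or not ELB_SOURCE.subnet_of(source):
        return False  # a source narrower than 100.125.0.0/16 drops some translated traffic
    if port is None:
        return True
    low, high = rule.get("ports", (1, 65535))
    return low <= port <= high

def missing_flows(rules, backend_protocol, backend_port, health_port):
    """Flows required by Table 1 that no rule in `rules` allows."""
    need = required_flows(backend_protocol, backend_port, health_port)
    gaps = [f for f in need if not any(rule_covers(r, *f) for r in rules)]
    return sorted(gaps, key=lambda f: (f[0], f[1] or 0))

# Constructed sample rules in a hypothetical dict layout (not a console or API export).
SAMPLE_RULES = [
    {"direction": "inbound", "action": "allow", "protocol": "tcp",
     "ports": (8080, 8080), "source": "100.125.0.0/16"},
    {"direction": "inbound", "action": "allow", "protocol": "udp",
     "ports": (5000, 5010), "source": "100.125.0.0/16"},
    {"direction": "inbound", "action": "allow", "protocol": "icmp",
     "source": "100.125.128.0/17"},  # too narrow: covers only half of the ELB range
]

if __name__ == "__main__":
    for proto, port, hc in [("HTTP", 8080, 9000), ("UDP", 5000, 5005)]:
        print(proto, "missing:", missing_flows(SAMPLE_RULES, proto, port, hc))
```
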
Configuring Network ACL Rules
To control traffic in and out of a subnet, you can associate a network ACL with the subnet. Network ACL rules control access to subnets and add an additional layer of defense to your subnets. Default network ACL rules reject all inbound and outbound traffic. If the subnet of a load balancer or associated backend servers has a network ACL associated, the load balancer cannot receive traffic from the Internet or route traffic to backend servers, and backend servers cannot receive traffic from and respond to the load balancer.
Configure an inbound network ACL rule to allow access from 100.125.0.0/16.
ELB translates public IP addresses into private IP addresses in 100.125.0.0/16 before forwarding traffic to backend servers. Therefore, a network ACL rule that uses a public IP address as the source cannot prevent that address from accessing backend servers.

Network ACL rules configured for the backend subnet of the load balancer will not restrict the traffic from the clients to the load balancer. Even if these rules are configured, the clients can directly access the load balancer. To control access to the load balancer, configure access control for all listeners added to the load balancer. For details, see What Is Access Control?
- Log in to the management console.
- In the upper left corner of the page, click the icon and select the desired region and project.
- Click the icon in the upper left corner to display Service List and choose Networking > Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Network ACLs.
- In the network ACL list, locate the target network ACL and click its name.
- On the Inbound Rules or Outbound Rules tab, click Add Rule to add an inbound or outbound rule.
  - Action: Select Allow.
  - Protocol: The protocol must be the same as the backend protocol.
  - Source: Set it to 100.125.0.0/16.
  - Source Port Range: Select a port range.
  - Destination: Enter a destination address allowed in this direction. The default value is 0.0.0.0/0, which indicates that traffic to all IP addresses is permitted.
  - Destination Port Range: Select a port range.
  - (Optional) Description: Describe the network ACL rule if necessary.
- Click OK.