Security Group and Network ACL Rules
Scenarios
To ensure normal communications between the load balancer and backend servers, you need to check the security group and network ACL rules.
- Security group rules of backend servers must allow traffic from the backend subnet where the load balancer is created to the backend servers. (By default, the backend subnet of a load balancer is the same as the subnet where the load balancer works.) For details about how to configure security group rules, see Configuring Security Group Rules.
- Network ACL rules are optional for subnets. If network ACL rules are configured for the subnet where the backend servers are deployed, the rules must allow traffic from the backend subnet of the load balancer to the subnet of the backend servers. For details about how to configure network ACL rules, see Configuring Network ACL Rules.

If a dedicated load balancer has Layer 4 listeners and IP as a backend is disabled, security group and network ACL rules will be ignored even if you have configured rules to allow traffic.
You can use access control to specify which IP addresses are allowed or denied access to the listener. For details, see What Is Access Control?
Constraints
- If health check is enabled for a backend server group, security group rules must allow traffic over the health check port and protocol.
- If UDP is used for health check, there must be a rule that allows ICMP traffic to check the health of the backend servers.
Configuring Security Group Rules
If you have no VPCs when creating a server, the system automatically creates one for you. Default security group rules allow instances in the security group to communicate with each other but block access from external networks. To ensure that the load balancer can communicate with associated backend servers over both the frontend and health check ports, configure inbound rules for the security group containing these servers.
- Log in to the management console.
- In the upper left corner of the page, click the icon and select the desired region and project.
- Click the icon in the upper left corner to display Service List and choose Compute > Elastic Cloud Server.
- In the ECS list, click the name of the target ECS.
- Click the Security Groups tab, locate the security group, click its name, and view security group rules.
- Click the ID of a security group rule or Modify Security Group Rule. The security group details page is displayed.
- On the Inbound Rules tab, click Add Rule. Configure inbound rules based on Table 1.
Table 1 Security group rules

| Backend Protocol | Action | Protocol & Port | Source IP Address |
|---|---|---|---|
| HTTP or HTTPS | Allow | Protocol: TCP; Port: the port used by the backend server and health check port | Backend subnet of the load balancer |
| TCP | Allow | Protocol: TCP; Port: health check port | Backend subnet of the load balancer |
| UDP | Allow | Protocol: UDP and ICMP; Port: health check port | Backend subnet of the load balancer |

- After a load balancer is created, do not change the subnet. If the subnet is changed, the IP addresses occupied by the load balancer will not be released, and traffic from the previous backend subnet to the backend servers still needs to be allowed.
- Traffic from the new backend subnet to the backend servers also needs to be allowed.
- Click OK.
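
The following added example (not part of the original documentation) checks a set of inbound allow rules against Table 1 and the Constraints section and reports which required flows from the load balancer's backend subnet are still blocked. The rule dictionary format, the function names and the sample CIDRs are assumptions made for illustration; requiring the backend port for TCP and UDP backends, in addition to the health check port listed in Table 1, is also an assumption.

```python
import ipaddress

def required_flows(backend_protocol, backend_port, health_port):
    """Inbound (protocol, port) pairs per Table 1; port None = no ports (ICMP)."""
    proto = backend_protocol.upper()
    if proto in ("HTTP", "HTTPS", "TCP"):
        # Assumption: the backend port is required for TCP too, not only
        # the health check port listed in Table 1.
        return {("tcp", backend_port), ("tcp", health_port)}
    if proto == "UDP":
        # UDP health checks additionally need ICMP (see Constraints).
        return {("udp", backend_port), ("udp", health_port), ("icmp", None)}
    raise ValueError(f"unsupported backend protocol: {backend_protocol}")

def rule_covers(rule, proto, port, subnet):
    """True if one inbound allow rule admits proto/port from the whole subnet."""
    if rule["protocol"] not in (proto, "all"):
        return False
    if port is not None and rule["ports"] is not None:
        low, high = rule["ports"]
        if not low <= port <= high:
            return False
    source = ipaddress.ip_network(rule["source"])
    return source.version == subnet.version and subnet.subnet_of(source)

def audit(rules, backend_protocol, backend_port, health_port, lb_subnets):
    """Return the (subnet, protocol, port) flows that no rule allows."""
    missing = []
    for cidr in lb_subnets:
        subnet = ipaddress.ip_network(cidr)
        for proto, port in required_flows(backend_protocol, backend_port, health_port):
            if not any(rule_covers(r, proto, port, subnet) for r in rules):
                missing.append((cidr, proto, port))
    return sorted(missing, key=str)

# Constructed sample: inbound allow rules of a backend server's security group.
RULES = [
    {"protocol": "udp", "ports": (53, 53), "source": "192.168.0.0/24"},
    {"protocol": "tcp", "ports": (80, 80), "source": "192.168.0.0/16"},
]

if __name__ == "__main__":
    # UDP backend whose health check needs ICMP, after the load balancer's
    # subnet changed: both the previous and the new backend subnet are checked.
    for gap in audit(RULES, "UDP", 53, 53, ["192.168.0.0/24", "10.0.1.0/24"]):
        print("not allowed:", gap)
```

An empty result means every required flow is covered for each listed backend subnet; pass both the previous and the new subnet if the load balancer's subnet was changed.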
Configuring Network ACL Rules
To control traffic in and out of a subnet, you can associate a network ACL with the subnet. Network ACL rules control access to subnets and add an additional layer of defense to your subnets.
Default network ACL rules deny all inbound and outbound traffic. You can configure inbound rules to allow traffic from the backend subnet of the load balancer over the ports of backend servers.
- If the load balancer is in the same subnet as the backend servers, network ACL rules will not take effect. In this case, the backend servers will be considered healthy and can be accessed by the clients.
- If the load balancer is not in the same subnet as the backend servers, network ACL rules will take effect. In this case, the backend servers will be considered unhealthy and cannot be accessed by the clients.
- Log in to the management console.
- In the upper left corner of the page, click the icon and select the desired region and project.
- Click the icon in the upper left corner to display Service List and choose Networking > Virtual Private Cloud.
- In the navigation pane on the left, choose Access Control > Network ACLs.
- In the network ACL list, locate the target network ACL and click its name.
- On the Inbound Rules or Outbound Rules tab, click Add Rule to add inbound or outbound rules.
  - Action: Select Allow.
  - Type: Select the same type as the backend subnet of the load balancer.
  - Protocol: The protocol must be the same as the backend protocol.
  - Source: Set it to the backend subnet of the load balancer.
  - Source Port Range: Select a port range.
  - Destination: Enter a destination address allowed in this direction. The default value is 0.0.0.0/0, which indicates that traffic to all IP addresses is permitted.
  - Destination Port Range: Select a port range.
  - (Optional) Description: Describe the network ACL rule.
- Click OK.