Updated on 2026-03-25 GMT+08:00

Security Group and Network ACL Rules

Scenarios

To ensure normal communications between the load balancer and backend servers, you need to check the security group and network ACL rules.

  • Security group rules of backend servers must allow traffic from the backend subnet where the load balancer is created to the backend servers. (By default, the backend subnet of a load balancer is the same as the subnet where the load balancer works.) For details about how to configure security group rules, see Configuring Security Group Rules for Backend Servers.
  • Network ACL rules are optional for subnets. If network ACL rules are configured for the subnet where the backend servers are deployed, the rules must allow traffic from the backend subnet of the load balancer to the subnet of the backend servers. For details about how to configure network ACL rules, see Configuring Network ACL Rules.

If a dedicated load balancer has Layer 4 listeners and IP as a backend is disabled, security group and network ACL rules will be ignored even if you have configured rules to allow traffic.

You can use access control to limit which IP addresses are allowed or denied to access the listener. For details, see What Is Access Control?

Constraints

  • If health check is enabled for a backend server group, security group rules must allow traffic over the health check port and protocol.
  • If UDP is used for health check, there must be a rule that allows ICMP traffic to check the health of the backend servers.

Default Security Group Rules

Note the following when using default security group rules:
  • Inbound rules control incoming traffic to instances in the default security group. The instances can communicate with each other but cannot be accessed from external networks.
  • Outbound rules allow all traffic from the instances in the default security group to external networks.
Figure 1 Default security group

Table 1 describes the default rules for the default security group.

Table 1 Rules in the default security group

Direction | Action | Type | Protocol & Port | Source/Destination | Description
----------|--------|------|-----------------|--------------------|------------
Inbound | Allow | IPv4 | All | Source: default security group (default) | Allows IPv4 instances in the security group to communicate with each other using any protocol over any port.
Inbound | Allow | IPv6 | All | Source: default security group (default) | Allows IPv6 instances in the security group to communicate with each other using any protocol over any port.
Outbound | Allow | IPv4 | All | Destination: 0.0.0.0/0 | Allows all traffic from the instances in the security group to any IPv4 address over any port.
Outbound | Allow | IPv6 | All | Destination: ::/0 | Allows all traffic from the instances in the security group to any IPv6 address over any port.

Requirements on the Security Group Rules of Backend Servers

The default security group denies all external requests but allows all instances in the security group to access external networks. So you only need to configure inbound security group rules to allow all traffic over the health check protocol and port. If you have configured outbound security group rules, ensure that outbound traffic is allowed over the associated protocols, ports, and IP addresses.

Table 2 Security group rules for backend servers using TCP

Direction | Priority | Action | Type | Protocol & Port | Source/Destination
----------|----------|--------|------|-----------------|-------------------
Inbound | 1 | Allow | Determined by the source IP address type | TCP: health check port | IP address: CIDR block of the backend subnet where the load balancer is created
Outbound | 1 | Allow | Determined by the source IP address type | TCP: health check port | IP address: CIDR block of the backend subnet where the load balancer is created

Table 3 Security group rules for backend servers using UDP

Direction | Priority | Action | Type | Protocol & Port | Source/Destination
----------|----------|--------|------|-----------------|-------------------
Inbound | 1 | Allow | Determined by the source IP address type | UDP: health check port | IP address: CIDR block of the backend subnet where the load balancer is created
Inbound | 1 | Allow | Determined by the source IP address type | ICMP: All | IP address: CIDR block of the backend subnet where the load balancer is created
Outbound | 1 | Allow | Determined by the source IP address type | UDP: health check port | IP address: CIDR block of the backend subnet where the load balancer is created
Outbound | 1 | Allow | Determined by the source IP address type | ICMP: All | IP address: CIDR block of the backend subnet where the load balancer is created

Table 4 Security group rules for backend servers using HTTP or HTTPS

Direction | Priority | Action | Type | Protocol & Port | Source/Destination
----------|----------|--------|------|-----------------|-------------------
Inbound | 1 | Allow | Determined by the source IP address type | TCP: backend server port and health check port | IP address: CIDR block of the backend subnet where the load balancer is created
Outbound | 1 | Allow | Determined by the source IP address type | TCP: backend server port and health check port | IP address: CIDR block of the backend subnet where the load balancer is created

Configuring Security Group Rules for Backend Servers

By default, a VPC security group allows instances in it to communicate with each other and access external networks, but it denies access from external networks. To ensure that the load balancer can communicate with backend servers over both the listener port and health check port, you need to configure inbound security group rules to allow inbound traffic to backend servers over both ports.

  1. Log in to the ECS console.
  2. In the ECS list, click the name of the target ECS.

    The ECS details page is displayed.

  3. Click the Security Groups tab, locate the security group, click its name, and view security group rules.
  4. On the Inbound Rules tab, click Add Rule. Configure inbound rules based on Requirements on the Security Group Rules of Backend Servers.
    • After a load balancer is created, do not change the subnet. If the subnet is changed, the IP addresses occupied by the load balancer will not be released, and traffic from the previous backend subnet to backend servers still needs to be allowed.
    • Traffic from the new backend subnet also needs to be allowed to backend servers.
  5. Click OK.
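The following script is an added example and is not part of this documentation or of any product API: given a backend server's security group rules as plain dictionaries (a constructed format, not the console's or the API's), it lists the inbound rules that Tables 2 to 4 require but that are not present, for a TCP, UDP or HTTP/HTTPS backend. It also covers the note in step 4: every backend subnet the load balancer has used, old and new, is checked. The CIDR blocks, ports and rule entries are constructed sample values.

```python
import ipaddress

# Added example (not part of the product documentation): checks whether a
# backend server's inbound security group rules satisfy Tables 2-4 for a
# given backend protocol. Rule dictionaries and CIDRs are constructed here.


def required_inbound_rules(backend_protocol, backend_port, health_check_port):
    """Inbound (protocol, port) pairs required per backend protocol, from Tables 2-4."""
    proto = backend_protocol.upper()
    if proto == "TCP":
        return [("tcp", health_check_port)]
    if proto == "UDP":  # UDP health checks also need ICMP (see Constraints)
        return [("udp", health_check_port), ("icmp", None)]
    if proto in ("HTTP", "HTTPS"):
        return sorted({("tcp", backend_port), ("tcp", health_check_port)})
    raise ValueError(f"unsupported backend protocol: {backend_protocol}")


def rule_covers(rule, protocol, port, source_cidr):
    """True if one rule allows inbound protocol/port from every address in source_cidr."""
    if rule["direction"] != "inbound" or rule["action"] != "allow":
        return False
    if rule["protocol"] == "all":
        pass  # any protocol and any port
    elif rule["protocol"] != protocol:
        return False
    elif port is not None:  # ICMP carries no port, so skip the range check
        low, high = rule["ports"] or (1, 65535)
        if not low <= port <= high:
            return False
    if rule["source"].startswith("sg:"):
        # A security-group reference (Table 1's default rule) only matches members
        # of that group; the load balancer's backend subnet is not a member.
        return False
    need = ipaddress.ip_network(source_cidr)
    have = ipaddress.ip_network(rule["source"])
    # The rule's IP version must match the subnet ("determined by the source IP address type").
    return need.version == have.version and need.subnet_of(have)


def missing_rules(rules, backend_protocol, backend_port, health_check_port, lb_backend_subnets):
    """Return (subnet, protocol, port) triples that no existing rule allows.

    lb_backend_subnets lists every backend subnet the load balancer has used:
    per step 4 above, the previous subnet still needs to be allowed after a change.
    """
    missing = []
    for subnet in lb_backend_subnets:
        for proto, port in required_inbound_rules(backend_protocol, backend_port, health_check_port):
            if not any(rule_covers(r, proto, port, subnet) for r in rules):
                missing.append((subnet, proto, port))
    return missing


# Constructed rule set: the default group's self-referencing rule from Table 1
# plus one explicit HTTP rule from the (constructed) backend subnet 192.168.1.0/24.
SAMPLE_RULES = [
    {"direction": "inbound", "action": "allow", "protocol": "all", "ports": None, "source": "sg:default"},
    {"direction": "inbound", "action": "allow", "protocol": "tcp", "ports": (80, 80), "source": "192.168.1.0/24"},
]

if __name__ == "__main__":
    # HTTP backend on port 80 with health checks on 8080: the 8080 rule is missing.
    print(missing_rules(SAMPLE_RULES, "HTTP", 80, 8080, ["192.168.1.0/24"]))
    # UDP backend: neither the UDP rule nor the ICMP rule exists.
    print(missing_rules(SAMPLE_RULES, "UDP", 53, 53, ["192.168.1.0/24"]))
```

The check deliberately treats the default group's self-referencing rule as not covering the load balancer: that rule only admits traffic from members of the same group, which is why the page says an explicit inbound rule for the backend subnet CIDR is needed. An allow-all rule whose CIDR contains the backend subnet does satisfy every requirement, but it also admits far more than the health checks, so a port-scoped rule per table row is the least-privilege choice.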

Configuring Network ACL Rules

To control traffic in and out of a subnet, you can associate a network ACL with the subnet. Network ACL rules control access to subnets and add an additional layer of defense to your subnets.

Default network ACL rules deny all inbound and outbound traffic. You can configure inbound rules to allow traffic from the backend subnet of the load balancer over the ports of backend servers.

  • If the load balancer is in the same subnet as the backend servers, network ACL rules do not take effect. In this case, the backend servers are considered healthy and can be accessed by clients regardless of the network ACL.
  • If the load balancer is not in the same subnet as the backend servers, network ACL rules take effect. Unless the rules allow traffic from the backend subnet of the load balancer, the backend servers are considered unhealthy and cannot be accessed by clients.
  1. Go to the network ACL list page.
  2. In the network ACL list, locate the target network ACL and click its name.
  3. On the Inbound Rules or Outbound Rules tab, click Add Rule to add inbound or outbound rules.
    • Action: Select Allow.
    • Type: Select the same type as the backend subnet of the load balancer.
    • Protocol: The protocol must be the same as the backend protocol.
    • Source: Set it to the backend subnet of the load balancer.
    • Source Port Range: Select a port range.
    • Destination: Enter a destination address allowed in this direction. The default value is 0.0.0.0/0, which indicates that traffic to all IP addresses is permitted.
    • Destination Port Range: Select a port range.
    • (Optional) Description: Describe the network ACL rule.
  4. Click OK.
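The following script is an added example and is not part of this documentation or of any product API: it evaluates a subnet's network ACL for the load balancer's health check traffic the way the section above describes, including the case where the load balancer and backend servers share a subnet and the ACL therefore has no effect. The rule format, the CIDR blocks and the ports are constructed, and the matching order (lowest priority number first, first match wins, everything unmatched denied by the default rule) is an assumption of this example.

```python
import ipaddress

# Added example (not part of the product documentation): evaluates a subnet's
# network ACL as described on the page. Rules are constructed; "lowest priority
# number first, first match wins, unmatched traffic denied" is an assumption.


def acl_applies(lb_backend_subnet, backend_subnet):
    """Network ACL rules only take effect when the two subnets differ."""
    return ipaddress.ip_network(lb_backend_subnet) != ipaddress.ip_network(backend_subnet)


def _matches(rule, src, dst, protocol, dst_port):
    """True if one rule matches the packet (src/dst are ip_address objects)."""
    if rule["protocol"] not in ("all", protocol):
        return False
    # ip_network.__contains__ is False across IP versions, so an IPv4 rule never matches IPv6.
    if src not in ipaddress.ip_network(rule["source"]):
        return False
    if dst not in ipaddress.ip_network(rule["destination"]):
        return False
    if rule["protocol"] != "all" and rule.get("dest_ports"):
        low, high = rule["dest_ports"]
        if not low <= dst_port <= high:
            return False
    return True


def acl_decision(rules, src_ip, dst_ip, protocol, dst_port, direction="inbound"):
    """Return 'allow' or 'deny' for one packet; the default rule denies everything."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] == direction and _matches(rule, src, dst, protocol, dst_port):
            return rule["action"]
    return "deny"


def health_checks_reach_backend(rules, lb_backend_subnet, backend_subnet, backend_ip, protocol, port):
    """True if every address the load balancer may use in its backend subnet can
    reach backend_ip on protocol/port through the ACL. The check is exhaustive
    over the subnet's hosts, which is fine for the /24-sized subnets used here."""
    if not acl_applies(lb_backend_subnet, backend_subnet):
        return True
    return all(
        acl_decision(rules, str(host), backend_ip, protocol, port) == "allow"
        for host in ipaddress.ip_network(lb_backend_subnet).hosts()
    )


# Constructed ACL: a single allow rule for the health check port from the load
# balancer's backend subnet; the implicit default rule denies everything else.
SAMPLE_ACL_RULES = [
    {"priority": 1, "direction": "inbound", "action": "allow", "protocol": "tcp",
     "source": "192.168.1.0/24", "destination": "0.0.0.0/0", "dest_ports": (8080, 8080)},
]

if __name__ == "__main__":
    # Health checks on 8080 from 192.168.1.0/24 reach a backend in 192.168.2.0/24.
    print(health_checks_reach_backend(SAMPLE_ACL_RULES, "192.168.1.0/24", "192.168.2.0/24",
                                      "192.168.2.10", "tcp", 8080))  # True
    # The backend port 80 has no allow rule, so the backend would be reported unhealthy.
    print(health_checks_reach_backend(SAMPLE_ACL_RULES, "192.168.1.0/24", "192.168.2.0/24",
                                      "192.168.2.10", "tcp", 80))  # False
```

Checking every host of the backend subnet rather than one sample address matters because a higher-priority deny rule covering part of the subnet would be missed otherwise; the load balancer can use any address in that subnet for its health checks.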