Updated on 2026-06-16 GMT+08:00

Enabling ICMP Security Group Rules

Scenario

When a load balancer uses UDP, its health checks also use UDP. Because UDP is connectionless, ICMP is required to verify network connectivity, so ICMP security group rules must be enabled for the backend servers. For details, see How Does ELB Perform UDP Health Checks? What Are the Precautions for UDP Health Checks?

Procedure

  1. Log in to the VPC console and choose Access Control > Security Groups.
  2. In the security group list, locate the security group of the cluster. Click Manage Rules in the Operation column. On the page displayed, click Add Rule to add the inbound rules below.

    | Cluster Type | Load Balancer Type | Security Group | Protocol & Port | Allowed Source CIDR Block |
    |---|---|---|---|---|
    | CCE Standard | Shared | Node security group, which is named in the format of "{Cluster name}-cce-node-{Random ID}". If a custom node security group is bound to the cluster, select the target security group. | All ICMP ports | 100.125.0.0/16 for the shared load balancer |
    | CCE Standard | Dedicated | Node security group, which is named in the format of "{Cluster name}-cce-node-{Random ID}". If a custom node security group is bound to the cluster, select the target security group. | All ICMP ports | Backend subnet of the load balancer. To obtain subnet CIDR blocks, log in to the ELB console, choose Load Balancers, and click the name of the target load balancer. On the Summary tab, click the link following the backend subnet. |
    | CCE Turbo | Shared | Node security group, which is named in the format of "{Cluster name}-cce-node-{Random ID}". If a custom node security group is bound to the cluster, select the target security group. | All ICMP ports | 100.125.0.0/16 for the shared load balancer |
    | CCE Turbo | Dedicated | ENI security group, which is named in the format of "{Cluster name}-cce-eni-{Random ID}". If a custom security group is bound to the cluster, select the target security group. | All ICMP ports | Backend subnet of the load balancer. To obtain subnet CIDR blocks, log in to the ELB console, choose Load Balancers, and click the name of the target load balancer. On the Summary tab, click the link following the backend subnet. |

    Figure 1 Adding a security group rule

  3. Click OK.
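
One way to check the outcome of this procedure, as an added example that is not part of the original page: the script below tests whether a security group's inbound ICMP rules admit the source CIDR the table requires, and additionally reports rules that admit a wider source than required. The rule dictionaries, their field names, the `"all"` protocol value, and the 192.168.0.0/24 backend subnet are constructed assumptions, not a real API response.

```python
import ipaddress

SHARED_ELB_CIDR = "100.125.0.0/16"  # source CIDR the page gives for shared load balancers

def required_source(lb_type, backend_subnet=None):
    """Return the source network the page's table requires for this load balancer type."""
    if lb_type == "shared":
        return ipaddress.ip_network(SHARED_ELB_CIDR)
    if lb_type == "dedicated":
        if backend_subnet is None:
            raise ValueError("dedicated load balancers need the backend subnet CIDR")
        return ipaddress.ip_network(backend_subnet)
    raise ValueError(f"unknown load balancer type: {lb_type}")

def audit_icmp_rules(rules, lb_type, backend_subnet=None):
    """Check inbound ICMP rules against the required source.

    Returns (covered, findings): covered is True when some inbound ICMP rule
    admits the whole required source; findings lists rules that admit more.
    """
    need = required_source(lb_type, backend_subnet)
    covered, findings = False, []
    for rule in rules:
        # Only inbound rules that carry ICMP matter ("all" is an assumed wildcard value).
        if rule["direction"] != "ingress" or rule["protocol"] not in ("icmp", "all"):
            continue
        src = ipaddress.ip_network(rule["source"])
        if src.version != need.version:
            continue
        if need.subnet_of(src):
            covered = True
            if src != need:
                findings.append(f"rule {rule['id']}: {src} is wider than required {need}")
    return covered, findings

# Constructed sample rules (field names are assumptions, not a real API response).
SAMPLE_RULES = [
    {"id": "r1", "direction": "ingress", "protocol": "tcp", "source": "0.0.0.0/0"},
    {"id": "r2", "direction": "ingress", "protocol": "icmp", "source": "100.125.0.0/16"},
    {"id": "r3", "direction": "ingress", "protocol": "icmp", "source": "0.0.0.0/0"},
    {"id": "r4", "direction": "egress", "protocol": "icmp", "source": "192.168.0.0/24"},
]

if __name__ == "__main__":
    print(audit_icmp_rules(SAMPLE_RULES, "shared"))
    print(audit_icmp_rules(SAMPLE_RULES, "dedicated", "192.168.0.0/24"))
```

A result of `covered == False` means UDP health checks from the load balancer cannot reach the backend over ICMP; a non-empty findings list points at rules that could be narrowed to the CIDR in the table.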