Security groups for your Network Load Balancer - Elastic Load Balancing
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security groups for your Network Load Balancer

You can associate a security group with your Network Load Balancer to control the traffic that is allowed to reach and leave the load balancer. You specify the ports, protocols, and sources to allow for inbound traffic and the ports, protocols, and destinations to allow for outbound traffic. If you don't assign a security group to your load balancer, all client traffic can reach the load balancer listeners and all traffic can leave the load balancer.

You can add a rule to the security groups associated with your targets that references the security group associated with your Network Load Balancer. This allows clients to send traffic to your targets through your load balancer, but prevents them from sending traffic directly to your targets. Referencing the security group associated with your Network Load Balancer in the security groups associated with your targets ensures that your targets accept traffic from your load balancer even if you enable client IP preservation for your load balancer.

You are not charged for traffic that is blocked by inbound security group rules.

Considerations

  • You can associate security groups with a Network Load Balancer when you create it. If you create a Network Load Balancer without associating any security groups, you can't associate them with the load balancer later on. We recommend that you associate a security group with your load balancer when you create it.

  • After you create a Network Load Balancer with associated security groups, you can change the security groups associated with the load balancer at any time.

  • Health checks are subject to outbound rules, but not inbound rules. You must ensure that outbound rules don't block health check traffic. Otherwise, the load balancer considers the targets unhealthy.

  • You can control whether PrivateLink traffic is subject to inbound rules. If you enable inbound rules on PrivateLink traffic, the source of the traffic is the private IP address of the client, not the endpoint interface.

The following inbound rules in the security group associated with your Network Load Balancer allow only traffic that comes from the specified address range. If this is an internal load balancer, you can specify a VPC CIDR range as the source to allow only traffic from a specific VPC. If this is an internet-facing load balancer that must accept traffic from anywhere on the internet, you can specify 0.0.0.0/0 as the source.

Inbound

Protocol   Source                   Port range      Comment
protocol   client IP address range  listener port   Allows inbound traffic from the source CIDR on the listener port
ICMP       0.0.0.0/0                All             Allows inbound ICMP traffic to support MTU or Path MTU Discovery †

† For more information, see Path MTU Discovery in the Amazon EC2 User Guide for Linux Instances.

Outbound

Protocol   Destination   Port range   Comment
All        Anywhere      All          Allows all outbound traffic

Suppose that your Network Load Balancer has a security group sg-111112222233333. Use the following rules in the security groups associated with your target instances to ensure that they accept traffic only from the Network Load Balancer. You must ensure that the targets accept traffic from the load balancer on both the target port and the health check port. For more information, see Target security groups.

Inbound

Protocol   Source               Port range          Comment
protocol   sg-111112222233333   target port         Allows inbound traffic from the load balancer on the target port
protocol   sg-111112222233333   health check port   Allows inbound traffic from the load balancer on the health check port

Outbound

Protocol   Destination   Port range   Comment
All        Anywhere      Any          Allows all outbound traffic
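To make the interplay between the two rule sets above concrete, here is an added Python model of security group evaluation (example code written for this page, not code from the AWS documentation or the AWS CLI). It encodes the load balancer rules (listener port from a client range, ICMP from anywhere) and the target rules (target port and health check port, with the load balancer's group sg-111112222233333 as the source) and evaluates sample flows. Everything except sg-111112222233333 is a constructed value: the target group id, the ports, and the client range. The model treats a security group reference as matching on the network interface the traffic arrives from, which is why a flow through the load balancer still matches the target rules even when the packet carries the client's IP address (client IP preservation).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# sg-111112222233333 is the load balancer security group from the page;
# every other value below is constructed for this example.
NLB_SG = "sg-111112222233333"
TARGET_SG = "sg-444445555566666"      # hypothetical target security group
LISTENER_PORT = 443
TARGET_PORT = 8443
HEALTH_CHECK_PORT = 8080
CLIENT_CIDR = "203.0.113.0/24"        # documentation address range


@dataclass
class Rule:
    protocol: str                      # "tcp", "udp", "icmp" or "all"
    from_port: Optional[int]           # None means every port (ICMP, "all")
    to_port: Optional[int]
    source_cidr: Optional[str] = None  # either a CIDR source ...
    source_sg: Optional[str] = None    # ... or a referenced security group

    def matches(self, proto: str, port: int, src_ip: str, src_sg: Optional[str]) -> bool:
        if self.protocol not in ("all", proto):
            return False
        if self.from_port is not None and not (self.from_port <= port <= self.to_port):
            return False
        if self.source_sg is not None:
            # A group reference matches the group of the sending interface,
            # regardless of the IP address in the packet.
            return src_sg == self.source_sg
        if self.source_cidr is None:
            return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source_cidr)


def allowed(rules: List[Rule], proto: str, port: int, src_ip: str, src_sg: Optional[str] = None) -> bool:
    """Security group rules are an allow-list: any matching rule admits the flow."""
    return any(r.matches(proto, port, src_ip, src_sg) for r in rules)


# Inbound rules of the load balancer security group (first table above).
NLB_INBOUND = [
    Rule("tcp", LISTENER_PORT, LISTENER_PORT, source_cidr=CLIENT_CIDR),
    Rule("icmp", None, None, source_cidr="0.0.0.0/0"),
]

# Inbound rules of the target security group (second table above): only the
# load balancer's group may reach the target port and the health check port.
TARGET_INBOUND = [
    Rule("tcp", TARGET_PORT, TARGET_PORT, source_sg=NLB_SG),
    Rule("tcp", HEALTH_CHECK_PORT, HEALTH_CHECK_PORT, source_sg=NLB_SG),
]


def evaluate_flows() -> dict:
    """Evaluate representative flows against both rule sets."""
    client = "203.0.113.10"     # inside CLIENT_CIDR
    outsider = "198.51.100.7"   # outside CLIENT_CIDR
    return {
        # Client traffic to the listener is admitted only from the allowed range.
        "client_to_listener": allowed(NLB_INBOUND, "tcp", LISTENER_PORT, client),
        "outsider_to_listener": allowed(NLB_INBOUND, "tcp", LISTENER_PORT, outsider),
        # ICMP from anywhere, so Path MTU Discovery keeps working.
        "pmtud_icmp": allowed(NLB_INBOUND, "icmp", 0, outsider),
        # Via the load balancer with client IP preservation: the packet carries the
        # client IP, but the sending interface belongs to NLB_SG, so the reference matches.
        "lb_to_target": allowed(TARGET_INBOUND, "tcp", TARGET_PORT, client, src_sg=NLB_SG),
        # Health checks originate from the load balancer's interfaces as well.
        "lb_health_check": allowed(TARGET_INBOUND, "tcp", HEALTH_CHECK_PORT, "10.0.1.5", src_sg=NLB_SG),
        # The same client bypassing the load balancer: no rule references its address.
        "client_direct_to_target": allowed(TARGET_INBOUND, "tcp", TARGET_PORT, client),
    }


if __name__ == "__main__":
    for name, ok in evaluate_flows().items():
        print(f"{name:26s} {'ALLOW' if ok else 'DENY'}")
```

The last two entries are the point of referencing the load balancer's group in the target rules: the same client address is admitted through the load balancer and denied when it connects to the target directly.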

Update the associated security groups

If you associated at least one security group with a load balancer when you created it, you can update the security groups for that load balancer at any time.

To update security groups using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. On the navigation pane, under Load Balancing, choose Load Balancers.

  3. Select the load balancer.

  4. On the Security tab, choose Edit.

  5. To associate a security group with your load balancer, select it. To remove a security group from your load balancer, clear it.

  6. Choose Save changes.

To update security groups using the Amazon CLI

Use the set-security-groups command.

Update the security settings

By default, we apply the inbound security group rules to all traffic sent to the load balancer. However, you might not want to apply these rules to traffic sent to the load balancer through Amazon PrivateLink, which can originate from overlapping IP addresses. In this case, you can configure the load balancer so that we do not apply the inbound rules for traffic sent to the load balancer through Amazon PrivateLink.

To update the security settings using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. On the navigation pane, under Load Balancing, choose Load Balancers.

  3. Select the load balancer.

  4. On the Security tab, choose Edit.

  5. Under Security setting, clear Enforce inbound rules on PrivateLink traffic.

  6. Choose Save changes.

To update the security settings using the Amazon CLI

Use the set-security-groups command.
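Both CLI procedures above come down to one set-security-groups call, so here is an added Python helper (example code written for this page, not part of the AWS CLI or its documentation) that assembles and optionally runs it. It assumes the aws elbv2 set-security-groups command with its --load-balancer-arn, --security-groups and --enforce-security-group-inbound-rules-on-private-link-traffic options (values on and off), where off corresponds to clearing Enforce inbound rules on PrivateLink traffic in the console. The load balancer ARN used in the usage is a placeholder; sg-111112222233333 is the group id from the page.

```python
import re
import subprocess
from typing import List

# Security group ids are "sg-" followed by hex digits.
SG_ID = re.compile(r"^sg-[0-9a-f]{8,17}$")


def set_security_groups_cmd(lb_arn: str, security_groups: List[str],
                            enforce_on_privatelink: bool = True) -> List[str]:
    """Build the argv for `aws elbv2 set-security-groups`.

    enforce_on_privatelink=True  keeps the default: inbound rules apply to all traffic.
    enforce_on_privatelink=False exempts traffic arriving through PrivateLink, for the
    overlapping-address case described above.
    """
    if not security_groups:
        # Refuse an empty list so a scripting slip cannot strip every group.
        raise ValueError("at least one security group id is required")
    for sg in security_groups:
        if not SG_ID.match(sg):
            raise ValueError(f"not a security group id: {sg!r}")
    return [
        "aws", "elbv2", "set-security-groups",
        "--load-balancer-arn", lb_arn,
        "--security-groups", *security_groups,
        "--enforce-security-group-inbound-rules-on-private-link-traffic",
        "on" if enforce_on_privatelink else "off",
    ]


def apply(cmd: List[str]) -> str:
    """Run the assembled command and return its stdout (needs the AWS CLI and credentials)."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Placeholder ARN; replace with the real load balancer ARN.
    lb_arn = "arn:aws-cn:elasticloadbalancing:cn-north-1:123456789012:loadbalancer/net/example/0123456789abcdef"
    # Step "Update the associated security groups": replace the group set.
    print(" ".join(set_security_groups_cmd(lb_arn, ["sg-111112222233333"])))
    # Step "Update the security settings": same groups, PrivateLink traffic exempted.
    print(" ".join(set_security_groups_cmd(lb_arn, ["sg-111112222233333"], enforce_on_privatelink=False)))
```

Keeping the group list explicit in both calls is deliberate: the command replaces the associated groups rather than adding to them, so a call that changes only the PrivateLink setting must still pass the full list.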

Monitor load balancer security groups

Use the SecurityGroupBlockedFlowCount_Inbound and SecurityGroupBlockedFlowCount_Outbound CloudWatch metrics to monitor the count of flows that are blocked by the load balancer security groups. Blocked traffic is not reflected in other metrics. For more information, see CloudWatch metrics for your Network Load Balancer.

Use VPC flow logs to monitor traffic that is accepted or rejected by the load balancer security groups. For more information, see VPC flow logs in the Amazon VPC User Guide.
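The CloudWatch metrics give a count of blocked flows but not who was blocked; VPC flow logs do. Here is an added Python example (written for this page, not AWS code) that reads flow log records in the default format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), keeps only REJECT records on the load balancer's network interfaces, and tallies them by source address and destination port. The log lines, the account id and the interface ids are constructed for the example; in practice the load balancer's interface ids come from the network interfaces the load balancer creates in your VPC.

```python
from collections import Counter
from typing import Dict, Optional, Set, Tuple

# Field order of the default VPC flow log format.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# Constructed sample records. eni-0a1b2c3d4e5f67890 stands in for one of the
# load balancer's network interfaces; eni-0f9e8d7c6b5a43210 is an unrelated one.
LB_ENIS: Set[str] = {"eni-0a1b2c3d4e5f67890"}
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.20 51234 443 6 5 420 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40001 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40002 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40003 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.20 10.0.2.31 34567 8080 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0f9e8d7c6b5a43210 192.0.2.9 10.0.5.5 5555 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - 0 0 1700000000 1700000060 - NODATA
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one default-format record; None for malformed or data-less records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA / SKIPDATA records describe no flow
    return rec


def blocked_flows(log_text: str, lb_enis: Set[str]) -> Counter:
    """Count REJECT records on the load balancer's interfaces by (srcaddr, dstport).

    This is the per-source detail behind SecurityGroupBlockedFlowCount_*; the default
    format does not carry a direction field, so add flow-direction (format version 5)
    if you need to separate inbound from outbound rejections.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["interface_id"] not in lb_enis:
            continue
        if rec["action"] == "REJECT":
            counts[(rec["srcaddr"], int(rec["dstport"]))] += 1
    return counts


def top_blocked_sources(counts: Counter, n: int = 5) -> list:
    """Aggregate per source address, most-rejected first."""
    per_source: Counter = Counter()
    for (src, _port), c in counts.items():
        per_source[src] += c
    return per_source.most_common(n)


if __name__ == "__main__":
    counts = blocked_flows(SAMPLE_LOG, LB_ENIS)
    for (src, port), c in sorted(counts.items()):
        print(f"{src:16s} -> port {port:<5d} rejected {c}x")
    print("top sources:", top_blocked_sources(counts))
```

Rejected records on the load balancer's interfaces for ports you never exposed (port 22 in the sample) are the cheap signal to alert on: they are traffic the security group already dropped, so they cost nothing and also show up nowhere else in the load balancer metrics.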