Update the security groups for your Network Load Balancer
You can associate a security group with your Network Load Balancer to control the traffic that is allowed to reach and leave the Network Load Balancer. You specify the ports, protocols, and sources to allow for inbound traffic and the ports, protocols, and destinations to allow for outbound traffic. If you don't assign a security group to your Network Load Balancer, all client traffic can reach the Network Load Balancer listeners and all traffic can leave the Network Load Balancer.
You can add a rule to the security groups associated with your targets that references the security group associated with your Network Load Balancer. This allows clients to send traffic to your targets through your Network Load Balancer, but prevents them from sending traffic directly to your targets. Referencing the security group associated with your Network Load Balancer in the security groups associated with your targets ensures that your targets accept traffic from your Network Load Balancer even if you enable client IP preservation for your Network Load Balancer: with client IP preservation the targets see the client's IP address as the source, so a rule based on the load balancer's own IP addresses would not match, whereas a rule that references the security group still does.
You are not charged for traffic that is blocked by inbound security group rules.
Considerations
- You can associate security groups with a Network Load Balancer when you create it. If you create a Network Load Balancer without associating any security groups, you can't associate them with the Network Load Balancer later on. We recommend that you associate a security group with your Network Load Balancer when you create it.
- After you create a Network Load Balancer with associated security groups, you can change the security groups associated with the Network Load Balancer at any time.
- Health checks are subject to outbound rules, but not inbound rules. You must ensure that outbound rules don't block health check traffic. Otherwise, the Network Load Balancer considers the targets unhealthy.
- You can control whether PrivateLink traffic is subject to inbound rules. If you enforce inbound rules on PrivateLink traffic, the source that the rules are evaluated against is the private IP address of the client, not the endpoint network interface.
Example: Filter client traffic
The following inbound rules in the security group associated with your Network Load Balancer allow only traffic that comes from the specified address range. If this is an internal Network Load Balancer, you can specify a VPC CIDR range as the source to allow only traffic from a specific VPC. If this is an internet-facing Network Load Balancer that must accept traffic from anywhere on the internet, you can specify 0.0.0.0/0 as the source.
Inbound
Protocol | Source | Port range | Comment
---|---|---|---
protocol | client IP address range | listener port | Allows inbound traffic from the source CIDR on the listener port
ICMP | 0.0.0.0/0 | All | Allows inbound ICMP traffic to support MTU or Path MTU Discovery †
† For more information, see Path MTU Discovery in the Amazon EC2 User Guide.
Outbound
Protocol | Destination | Port range | Comment
---|---|---|---
All | Anywhere | All | Allows all outbound traffic
Example: Accept traffic only from the Network Load Balancer
Suppose that your Network Load Balancer has a security group sg-111112222233333. Use the following rules in the security groups associated with your target instances to ensure that they accept traffic only from the Network Load Balancer. You must ensure that the targets accept traffic from the Network Load Balancer on both the target port and the health check port. For more information, see Target security groups.
Inbound
Protocol | Source | Port range | Comment
---|---|---|---
protocol | sg-111112222233333 | target port | Allows inbound traffic from the Network Load Balancer on the target port
protocol | sg-111112222233333 | health check port | Allows inbound traffic from the Network Load Balancer on the health check port
Outbound
Protocol | Destination | Port range | Comment
---|---|---|---
All | Anywhere | All | Allows all outbound traffic
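The two examples above (filter clients on the Network Load Balancer security group; admit only the Network Load Balancer on the target security group), together with the consideration that security groups can only be attached to a Network Load Balancer at creation time, as an AWS CLI script. This is an added example, not code from the page or from AWS: the subnet, load balancer and security group IDs (including the page's sg-111112222233333) are placeholders, the DRY_RUN switch is this script's own convention for printing commands instead of running them, and the ICMP rule is narrowed to type 3 code 4 (fragmentation needed) rather than the table's "All".

```shell
#!/bin/sh
# Added example, not code from the AWS page: attach a security group to a
# Network Load Balancer at creation time (it cannot be attached afterwards),
# open the NLB security group to clients, and make the target security group
# admit traffic only from the NLB security group. Every resource ID used here
# (subnet-..., sg-..., the page's sg-111112222233333) is a placeholder.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print each aws command instead of running it

# Print (dry run) or execute a command. The printed form is for reading;
# arguments containing [ ] would need quoting if pasted back into a shell.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Security group IDs are "sg-" followed by 8 to 17 lowercase hex characters.
valid_sg_id() {
    printf '%s\n' "$1" | grep -Eq '^sg-[0-9a-f]{8,17}$'
}

# Create the NLB with its security group attached. Remaining arguments are
# the subnet IDs; the ARN of the new load balancer is printed.
create_nlb_with_sg() {
    name="$1"; nlb_sg="$2"; shift 2
    valid_sg_id "$nlb_sg" || { echo "bad security group id: $nlb_sg" >&2; return 1; }
    run aws elbv2 create-load-balancer --name "$name" --type network --scheme internal \
        --security-groups "$nlb_sg" --subnets "$@" \
        --query 'LoadBalancers[0].LoadBalancerArn' --output text
}

# NLB security group inbound rules: clients on the listener port, plus ICMP so
# Path MTU Discovery works. The page's table allows all ICMP types; this example
# narrows it to type 3 code 4 (fragmentation needed), which is what PMTUD uses.
# A dualstack NLB would additionally need icmpv6 type 2 (packet too big).
allow_clients_on_nlb_sg() {
    nlb_sg="$1"; client_cidr="$2"; listener_port="$3"
    run aws ec2 authorize-security-group-ingress --group-id "$nlb_sg" --ip-permissions \
        "IpProtocol=tcp,FromPort=$listener_port,ToPort=$listener_port,IpRanges=[{CidrIp=$client_cidr,Description=clients}]" \
        "IpProtocol=icmp,FromPort=3,ToPort=4,IpRanges=[{CidrIp=0.0.0.0/0,Description=pmtud}]"
}

# Target security group inbound rules: reference the NLB security group rather
# than an IP range, so the rule still matches when client IP preservation makes
# the client address the source. Cover the target port and the health check
# port; when they are the same port one rule is enough, and the API would
# reject an exact duplicate rule anyway.
allow_only_nlb_on_target_sg() {
    target_sg="$1"; nlb_sg="$2"; target_port="$3"; hc_port="$4"
    valid_sg_id "$nlb_sg" || { echo "bad security group id: $nlb_sg" >&2; return 1; }
    target_rule="IpProtocol=tcp,FromPort=$target_port,ToPort=$target_port,UserIdGroupPairs=[{GroupId=$nlb_sg,Description=from-nlb}]"
    if [ "$hc_port" = "$target_port" ]; then
        run aws ec2 authorize-security-group-ingress --group-id "$target_sg" --ip-permissions "$target_rule"
    else
        hc_rule="IpProtocol=tcp,FromPort=$hc_port,ToPort=$hc_port,UserIdGroupPairs=[{GroupId=$nlb_sg,Description=nlb-health-check}]"
        run aws ec2 authorize-security-group-ingress --group-id "$target_sg" --ip-permissions "$target_rule" "$hc_rule"
    fi
}

# Stand-alone run with DRY_RUN=1 (the default): print the plan for placeholder IDs.
if [ "$DRY_RUN" = 1 ]; then
    create_nlb_with_sg my-nlb sg-111112222233333 subnet-0a1b2c3d4e5f60718 subnet-0f1e2d3c4b5a69788
    allow_clients_on_nlb_sg sg-111112222233333 10.0.0.0/16 443
    allow_only_nlb_on_target_sg sg-0aaaaaaaaaaaaaaaa sg-111112222233333 8443 8080
fi
```

Run it with real IDs and DRY_RUN=0 to apply the changes; the target security group should carry no other inbound rule for the target or health check ports, otherwise clients can still bypass the load balancer.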
Update the associated security groups
If you associated at least one security group with a Network Load Balancer when you created it, you can update the security groups for that Network Load Balancer at any time.
To update security groups using the console
1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
2. On the navigation pane, under Load Balancing, choose Load Balancers.
3. Select the Network Load Balancer.
4. On the Security tab, choose Edit.
5. To associate a security group with your Network Load Balancer, select it. To remove a security group from your Network Load Balancer, clear it.
6. Choose Save changes.
To update security groups using the Amazon CLI
Use the set-security-groups command. The security groups you pass with --security-groups replace the current set, so include every security group that should remain associated, not only the one you are adding.
Update the security settings
By default, we apply the inbound security group rules to all traffic sent to the Network Load Balancer. However, you might not want to apply these rules to traffic sent to the Network Load Balancer through Amazon PrivateLink, which can originate from overlapping IP addresses. In this case, you can configure the Network Load Balancer so that we do not apply the inbound rules for traffic sent to the Network Load Balancer through Amazon PrivateLink.
To update the security settings using the console
1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.
2. On the navigation pane, under Load Balancing, choose Load Balancers.
3. Select the Network Load Balancer.
4. On the Security tab, choose Edit.
5. Under Security setting, clear Enforce inbound rules on PrivateLink traffic.
6. Choose Save changes.
To update the security settings using the Amazon CLI
Use the set-security-groups command with the --enforce-security-group-inbound-rules-on-private-link-traffic option set to off (or on to re-enable enforcement). The command also requires --security-groups, so pass the current security groups again.
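The two CLI procedures above (replacing the security groups of an existing Network Load Balancer, and turning inbound-rule enforcement for PrivateLink traffic off or on) as one script, with a read-back of the resulting configuration. This is an added example, not code from the page or from AWS; the load balancer ARN and security group IDs are placeholders, and the DRY_RUN switch is this script's own convention for printing commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the AWS page: update the security groups of an
# existing Network Load Balancer, switch inbound-rule enforcement for
# PrivateLink traffic, and read the settings back. The load balancer ARN and
# security group IDs are placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print each aws command instead of running it

# Print (dry run) or execute a command.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Replace the security groups on an NLB that was created with at least one.
# The list passed here replaces the current list, so include every group that
# should stay attached, not only the new one.
set_nlb_security_groups() {
    lb_arn="$1"; shift
    [ "$#" -ge 1 ] || { echo "at least one security group ID is required" >&2; return 1; }
    run aws elbv2 set-security-groups --load-balancer-arn "$lb_arn" --security-groups "$@"
}

# Turn inbound-rule enforcement for PrivateLink traffic on or off. The same
# API call sets the security groups, so they must be passed again. "off" is
# the choice when endpoint clients may have overlapping private IP addresses.
set_privatelink_inbound_enforcement() {
    lb_arn="$1"; mode="$2"; shift 2
    case "$mode" in
        on|off) ;;
        *) echo "mode must be on or off, got: $mode" >&2; return 1 ;;
    esac
    [ "$#" -ge 1 ] || { echo "at least one security group ID is required" >&2; return 1; }
    run aws elbv2 set-security-groups --load-balancer-arn "$lb_arn" \
        --security-groups "$@" \
        --enforce-security-group-inbound-rules-on-private-link-traffic "$mode"
}

# Read back the effective configuration to confirm the change was applied.
show_nlb_security_settings() {
    run aws elbv2 describe-load-balancers --load-balancer-arns "$1" \
        --query 'LoadBalancers[0].{SecurityGroups:SecurityGroups,EnforceOnPrivateLink:EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic}' \
        --output table
}

# Stand-alone run with DRY_RUN=1 (the default): print the plan for placeholder IDs.
if [ "$DRY_RUN" = 1 ]; then
    LB_ARN=arn:aws-cn:elasticloadbalancing:cn-north-1:123456789012:loadbalancer/net/my-nlb/50dc6c495c0c9188
    set_nlb_security_groups "$LB_ARN" sg-111112222233333 sg-0aaaaaaaaaaaaaaaa
    set_privatelink_inbound_enforcement "$LB_ARN" off sg-111112222233333 sg-0aaaaaaaaaaaaaaaa
    show_nlb_security_settings "$LB_ARN"
fi
```

Because set-security-groups replaces the whole list, run show_nlb_security_settings first and pass the groups it reports back in when all you want to change is the PrivateLink setting.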
Monitor Network Load Balancer security groups
Use the SecurityGroupBlockedFlowCount_Inbound and SecurityGroupBlockedFlowCount_Outbound CloudWatch metrics to monitor the count of flows that are blocked by the Network Load Balancer security groups. Blocked traffic is not reflected in other metrics. For more information, see CloudWatch metrics for your Network Load Balancer.
Use VPC flow logs to monitor traffic that is accepted or rejected by the Network Load Balancer security groups. For more information, see VPC flow logs in the Amazon VPC User Guide.
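The two monitoring paths above, as one script: a CloudWatch query for the blocked-flow metrics, and a filter over VPC flow log records that reports which sources the Network Load Balancer security groups are rejecting. This is an added example, not code from the page or from AWS; the load balancer ARN and network interface ID are placeholders, the flow log records are constructed for illustration, and the DRY_RUN switch is this script's own convention for printing the aws command instead of running it.

```shell
#!/bin/sh
# Added example, not code from the AWS page: query the blocked-flow metrics
# for an NLB and find which sources its security groups reject, from VPC flow
# log records. The ARN, ENI ID and flow log lines are constructed placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the aws command instead of running it
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The LoadBalancer dimension of NLB metrics is the "net/<name>/<id>" part of
# the load balancer ARN.
lb_dimension_from_arn() {
    printf '%s\n' "${1#*:loadbalancer/}"
}

# Sum of flows blocked by the NLB security groups, in 5-minute buckets, for the
# Inbound or Outbound direction between two ISO-8601 timestamps.
blocked_flow_query() {
    lb_dim="$1"; direction="$2"; start="$3"; end="$4"
    case "$direction" in
        Inbound|Outbound) ;;
        *) echo "direction must be Inbound or Outbound, got: $direction" >&2; return 1 ;;
    esac
    run aws cloudwatch get-metric-statistics --namespace AWS/NetworkELB \
        --metric-name "SecurityGroupBlockedFlowCount_$direction" \
        --dimensions "Name=LoadBalancer,Value=$lb_dim" \
        --start-time "$start" --end-time "$end" --period 300 --statistics Sum
}

# Constructed VPC flow log records in the default format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
# eni-0a1b2c3d4e5f60718 stands for the NLB's network interface; the last
# record is a NODATA line and the one before it belongs to another interface.
SAMPLE_FLOW_LOG='2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.10 10.0.1.25 51234 443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40022 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40023 22 6 1 60 1700000010 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.9 10.0.1.25 40100 8080 6 1 60 1700000020 1700000080 REJECT OK
2 123456789012 eni-0ffffffffffffffff 198.51.100.7 10.0.2.9 40024 22 6 1 60 1700000020 1700000080 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - 0 0 1700000000 1700000060 - NODATA'

# Read flow log records on stdin and print "count srcaddr dstport" for flows
# rejected at the given NLB network interface, busiest source first. Records
# for other interfaces and records without data (NODATA/SKIPDATA) are ignored.
rejected_by_source() {
    awk -v eni="$1" '
        $3 == eni && $13 == "REJECT" && $14 == "OK" { n[$4 " " $7]++ }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Stand-alone run with DRY_RUN=1 (the default): print the metric query for a
# placeholder ARN and summarise the constructed records.
if [ "$DRY_RUN" = 1 ]; then
    dim=$(lb_dimension_from_arn arn:aws-cn:elasticloadbalancing:cn-north-1:123456789012:loadbalancer/net/my-nlb/50dc6c495c0c9188)
    blocked_flow_query "$dim" Inbound 2024-01-01T00:00:00Z 2024-01-01T01:00:00Z
    printf '%s\n' "$SAMPLE_FLOW_LOG" | rejected_by_source eni-0a1b2c3d4e5f60718
fi
```

For real data, feed the output of a flow log export (or the records filtered by the NLB's interface IDs) into rejected_by_source; a source that repeatedly hits a port the security group does not open, as 198.51.100.7 does on port 22 in the constructed records, is exactly the kind of probe the blocked-flow metric counts but no other metric shows.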