Configuring CLB Security Group

Last updated: 2020-08-17 14:05:16

    After a CLB instance is created, you can configure a CLB security group to isolate public network traffic. This document describes how to configure CLB security groups in different modes.

    Use Limits

    • One CLB instance can be bound to five security groups at most.
    • There can be 0–65535 security group rules.
    • Security groups cannot be bound to classic private network CLB instances or to private network CLB instances in the classic network. If a private network CLB instance is bound to an Anycast EIP, the security groups bound to that instance do not take effect.
    • The "Allow Traffic by Default in Security Group" feature is in beta. To try it out, please submit a ticket for application. This feature is not supported for classic private network CLB or for CLB in the classic network.

    Background

    A security group is a stateful virtual firewall that filters packets and controls inbound and outbound traffic at the instance level. For more information, please see Security Group Overview.

    A CLB security group is bound to a CLB instance, while a CVM security group is bound to a CVM instance; they apply to different objects. A CLB security group can be configured in one of the following two modes:

    Enabling "Allow Traffic by Default in Security Group"

    After "Allow Traffic by Default in Security Group" is enabled:

    • To allow access only from a specified client IP, allow that client IP on the listening port in the CLB security group. You do not need to allow the client IP on the service port in the backend CVM security group: traffic that arrives through CLB only has to pass the CLB security group, because the real server accepts traffic from CLB by default and does not need to open the port.
    • Traffic that reaches the CVM's own public IP (a general public IP or an EIP) still has to pass the CVM security group.
    • If no security group is bound to the CLB instance, all traffic is allowed. Only ports with a configured listener are reachable on the CLB VIP, so each listening port accepts traffic from any IP.
    • To reject traffic from a specified client IP, add the reject rule in the CLB security group. A reject rule in the CVM security group only affects traffic that reaches the CVM's public IP or EIP, not traffic forwarded by CLB.

    Disabling "Allow Traffic by Default in Security Group"

    After "Allow Traffic by Default in Security Group" is disabled:

    • To allow access only from a specified client IP, allow that client IP on the listening port in the CLB security group and on the service port in the backend CVM security group. Business traffic passing through CLB is therefore checked twice: first by the CLB security group, then by the CVM security group.
    • Traffic that reaches the CVM's own public IP (a general public IP or an EIP) still has to pass the CVM security group.
    • If no security group is bound to the CLB instance, all traffic is allowed. Only ports with a configured listener are reachable on the CLB VIP, so each listening port accepts traffic from any IP.
    • To reject traffic from a specified client IP, add the reject rule in either the CLB security group or the CVM security group.

    After "Allow Traffic by Default in Security Group" is disabled, the CVM security group must also allow health check traffic, otherwise the real server is reported as unhealthy. Configure it as follows:

    1. Public network CLB
      Allow the CLB VIP in the backend CVM security group, so that CLB can probe the health of the backend CVM from the VIP.
    2. Private network CLB
      • For private network CLB (formerly "private network application CLB"): if your CLB instance is in a VPC, allow the CLB VIP in the backend CVM security group for health checks; if your CLB instance is in the classic network, no additional configuration is needed because the health check IP is allowed by default.
      • For private network classic CLB: if your CLB instance was created before December 5, 2016 and is in a VPC, allow the CLB VIP in the backend CVM security group for health checks; otherwise, no additional configuration is needed because the health check IP is allowed by default.

    Directions

    The following public network CLB security group configuration example admits business traffic only through CLB port 80 and serves it from CVM port 8080. It does not restrict the client IP: any source IP may connect.

    Note:

    For the public network CLB instance used in this example, the CLB VIP must be allowed in the backend CVM security group for health checks. The source 0.0.0.0/0 used here already covers the CLB VIP. If you later narrow the CVM rule to specific client IPs, keep a separate rule that allows the CLB VIP on the service port, or health checks will fail.

    Step 1. Create a CLB instance and listener and bind a CVM instance

    For more information, please see Getting Started with CLB. An HTTP:80 listener is created and bound to a backend CVM instance whose service port is 8080 in this example.

    Step 2. Configure a CLB security group

    1. Configure a CLB security group rule.
      Log in to the Security Group Console and configure the rules. In the inbound rules, allow port 80 from all IPs (i.e., 0.0.0.0/0); traffic to any other port is rejected.

      Note:

      • Security group rules are evaluated from top to bottom and the first matching rule takes effect; a packet that matches no rule is rejected by default. Therefore, pay attention to the order of the rules.
      • A security group has inbound and outbound rules. The configuration above restricts inbound traffic and is therefore an inbound rule; the outbound rules do not need special configuration.

    2. Bind the security group to the CLB instance

      1. Log in to the CLB Console and click the ID of the CLB instance to enter its details page.
      2. Select the Security Group tab and click Bind in the Bound Security Groups module.
      3. In the Configure Security Group window that pops up, select the security group to bind to the CLB instance and click OK.

        The CLB security group configuration is complete: the CLB instance only accepts traffic on port 80.

    Step 3. Configure "Allow Traffic by Default in Security Group"

    You can choose to enable or disable "Allow Traffic by Default in Security Group" with different configurations as follows:

    • Method 1. Enable "Allow Traffic by Default in Security Group", so that the real server does not need to open the port to the internet.

      Note:

      The "Allow Traffic by Default in Security Group" feature is in beta test. To try it out, please submit a ticket for application. This feature is not supported for classic private network CLB and CLB in the classic network.

    • Method 2. Disable "Allow Traffic by Default in Security Group". In this case you also need to allow the client IP (0.0.0.0/0 in this example) in the CVM security group.

    Method 1. Enable "Allow Traffic by Default in Security Group"

    1. On the CLB instance details page, select the Security Group tab.
    2. On the "Security Group" tab, click to enable "Allow Traffic by Default".
    3. After "Allow Traffic by Default" is enabled, verify the effective rules in the rule preview; no further configuration of the CVM security group is needed for traffic arriving through CLB.

    Method 2. Disable "Allow Traffic by Default in Security Group"

    If "Allow Traffic by Default" is disabled, you also need to allow the client IP in the CVM security group. Business traffic then reaches the CVM only through CLB port 80 and is served by CVM port 8080.

    Note:

    To allow traffic only from a specified client IP, the client IP must be allowed in both the CLB security group and the CVM security group. If no security group is bound to the CLB instance, allowing it in the CVM security group alone is sufficient.

    1. Configure a CVM security group rule
      The CVM security group can be configured so that traffic reaching the backend CVM instance is accepted only on the service ports.
      Go to the Security Group Console to configure the rules. In the inbound rules, allow port 8080 from all IPs. To keep remote login and ping working, also allow ports 22 (SSH) and 3389 (RDP) and the ICMP protocol. In production, restrict the 22 and 3389 rules to your management source IP ranges rather than 0.0.0.0/0; only the service port needs to accept traffic from all clients.
    2. Bind the security group to the CVM instance
      1. In the CVM Console, click the ID of the CVM instance bound to the CLB instance to enter its details page.
      2. Select the Security Group tab and click Bind in the Bound Security Groups module.
      3. In the Configure Security Group window that pops up, select the security group to bind to the CVM instance and click OK.
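    The following Python model ties together the two modes described under "Background" and the rule sets configured in the Directions above. It is an added example, not Tencent Cloud code: it assumes only the documented semantics (rules are evaluated top to bottom, the first match decides, an unmatched packet is rejected; with "Allow Traffic by Default" enabled CLB-forwarded traffic passes only the CLB security group, with it disabled it passes both; health check probes come from the CLB VIP). The VIP and client addresses are constructed documentation addresses, and the `allow_by_default` flag stands for the console switch. It is useful for checking a planned rule set before binding it.

```python
"""Model of the two CLB security group modes described on this page.

Added example, not Tencent Cloud code: it encodes the documented semantics
(rules matched top to bottom, first match wins, no match means reject; which
security groups a packet must pass depending on whether "Allow Traffic by
Default in Security Group" is enabled) so the rules in the Directions can be
sanity-checked before they are applied in the console.
"""
from ipaddress import ip_address, ip_network

ACCEPT, DROP = "ACCEPT", "DROP"


def rule(cidr, protocol, port, action=ACCEPT):
    """One inbound rule. port is "80", "22-1024" or "ALL"; ignored for ICMP."""
    if port == "ALL":
        lo, hi = 0, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-"))
    else:
        lo = hi = int(port)
    return {"cidr": ip_network(cidr), "protocol": protocol.upper(),
            "ports": (lo, hi), "action": action}


def evaluate(rules, src_ip, protocol, port):
    """Security group semantics: top to bottom, the first match decides,
    and a packet that matches no rule is rejected."""
    ip, protocol = ip_address(src_ip), protocol.upper()
    for r in rules:
        if ip not in r["cidr"] or r["protocol"] not in ("ALL", protocol):
            continue
        if protocol != "ICMP" and not r["ports"][0] <= port <= r["ports"][1]:
            continue
        return r["action"]
    return DROP


def client_via_clb(clb_rules, cvm_rules, allow_by_default,
                   client_ip, listen_port, service_port):
    """Client -> CLB listener -> real server.
    Enabled: only the CLB security group is checked (the real server trusts CLB).
    Disabled: the CLB security group checks client_ip:listen_port, then the
    CVM security group checks client_ip:service_port (the "double check")."""
    if clb_rules is not None:  # None = no security group bound: all traffic allowed
        if evaluate(clb_rules, client_ip, "TCP", listen_port) != ACCEPT:
            return False
    if allow_by_default:
        return True
    return evaluate(cvm_rules, client_ip, "TCP", service_port) == ACCEPT


def client_direct(cvm_rules, client_ip, port):
    """Client -> the CVM's own public IP or EIP: always filtered by the CVM security group."""
    return evaluate(cvm_rules, client_ip, "TCP", port) == ACCEPT


def health_check(cvm_rules, allow_by_default, clb_vip, service_port):
    """With the feature disabled the probe arrives from the CLB VIP and the
    CVM security group must allow it, or the real server is marked unhealthy."""
    return allow_by_default or evaluate(cvm_rules, clb_vip, "TCP", service_port) == ACCEPT


# Rules from the Directions: the CLB accepts 0.0.0.0/0 on 80, the CVM accepts
# 8080 plus 22, 3389 and ICMP for administration.
CLB_SG = [rule("0.0.0.0/0", "TCP", "80")]
CVM_SG = [rule("0.0.0.0/0", "TCP", "8080"), rule("0.0.0.0/0", "TCP", "22"),
          rule("0.0.0.0/0", "TCP", "3389"), rule("0.0.0.0/0", "ICMP", "ALL")]
CLB_VIP = "203.0.113.10"   # constructed VIP (TEST-NET-3), not a real instance
CLIENT = "198.51.100.7"    # constructed client address (TEST-NET-2)


def run_scenarios():
    """Walk the worked example through both modes; returns name -> allowed?"""
    cvm_sg_block = [rule(CLIENT + "/32", "TCP", "ALL", DROP)] + CVM_SG
    cvm_sg_client_only = [rule(CLIENT + "/32", "TCP", "8080")]
    return {
        # the documented path, CLB:80 -> CVM:8080, works in either mode
        "enabled_80_to_8080": client_via_clb(CLB_SG, CVM_SG, True, CLIENT, 80, 8080),
        "disabled_80_to_8080": client_via_clb(CLB_SG, CVM_SG, False, CLIENT, 80, 8080),
        # the CLB security group stops anything that is not the listener port
        "clb_port_8080_rejected": client_via_clb(CLB_SG, CVM_SG, True, CLIENT, 8080, 8080),
        # a DROP in the CVM security group only affects CLB traffic when disabled
        "enabled_cvm_drop_via_clb": client_via_clb(CLB_SG, cvm_sg_block, True, CLIENT, 80, 8080),
        "disabled_cvm_drop_via_clb": client_via_clb(CLB_SG, cvm_sg_block, False, CLIENT, 80, 8080),
        "cvm_drop_direct": client_direct(cvm_sg_block, CLIENT, 8080),
        # health checks: 0.0.0.0/0 covers the VIP, a client-only rule does not
        "health_check_open_cidr": health_check(CVM_SG, False, CLB_VIP, 8080),
        "health_check_client_only": health_check(cvm_sg_client_only, False, CLB_VIP, 8080),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'REJECT'}")
```

    The two scenarios worth noting are `enabled_cvm_drop_via_clb`, which shows that a reject rule placed in the CVM security group does nothing against CLB-forwarded traffic once "Allow Traffic by Default" is enabled, and `health_check_client_only`, which shows why narrowing the CVM rule to client addresses breaks health checks unless the CLB VIP is allowed explicitly.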
