- Release Notes and Announcements
- CLB Release Notes
- [April 15, 2024] Domain Name Upgrade for Domain Name-based Public Network CLB
- [July 25, 2023] Adding Rate Limits on Shared CLB Instances
- [July 3, 2023] CLB API Authentication Upgrade
- [June 9, 2023] Adjusting the Grace Period for Pay-as-you-go CLB Instances
- [March 6, 2023] Launching Domain Name-Based Public CLBs
- [Feb. 24, 2023] Changing Health Check Source IP to 100.64.0.0/10 IP Range
- [July 8, 2022] Classic CLB Upgrade Prompt
- 【October 20, 2021】Classic CLB End-of-Sale Notice
- 【April 27, 2021】Announcement on the Authentication Upgrade for Certain CLB APIs
- Product Introduction
- Purchase Guide
- Getting Started
- Directions
- CLB Instance
- Directions for Upgrading to Domain Name-Based CLB
- Creating CLB Instances
- Creating an IPv6 CLB Instance
- Creating IPv6 NAT64 CLB Instances
- Creating an Anycast CLB Instance
- Configure CLB Forwarding Domain Name
- Configuring CLB Security Group
- Binding Private Network CLB to EIP
- Enabling or Disabling a CLB Instance
- Cloning CLB Instances
- Exporting CLB Instances
- Upgrade to a LCU-supported instances
- Adjusting Specification of LCU-supported CLBs
- Deleting CLB Instances
- Releasing Idle CLB Instances
- Configuring Deletion Protection
- Adjusting Instance Public Network Configurations
- CLB Listener
- CLB Listener Overview
- Configuring TCP Listener
- Configuring a UDP Listener
- Configuring TCP SSL Listener
- Configuring a QUIC Listener
- Configuring an HTTP Listener
- Configuring HTTPS Listener
- Load Balancing Methods
- Session Persistence
- Layer-7 Redirection Configuration
- Layer-7 Custom Configuration
- Layer-7 Domain Name Forwarding and URL Rules
- Using QUIC Protocol on CLB
- SNI Support for Binding Multiple Certificates to a CLB Instance
- Configuring gRPC Support for Layer-7 Protocols
- Real Server
- Health Check
- Certificate Management
- Log Management
- Monitoring and Alarm
- Cloud Access Management
- Classic CLB
- CLB Instance
- Best Practices
- Enabling Gzip Compression & Testing
- HTTPS Forwarding Configurations
- Obtaining Real Client IPs
- Best Practices for Configuring Load Balancing Monitoring Alerts
- Implementing HA Across Multiple AZs
- Load Balancing Algorithm Selection and Weight Configuration Examples
- Configuring WAF protection for CLB listening domain names
- Ops Guide
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- Listener APIs
- Backend Service APIs
- Target Group APIs
- Redirection APIs
- Other APIs
- ModifyLoadBalancersProject
- InquiryPriceCreateLoadBalancer
- InquiryPriceModifyLoadBalancer
- InquiryPriceRenewLoadBalancer
- DescribeLoadBalancerTraffic
- DescribeTaskStatus
- DescribeClsLogSet
- CreateClsLogSet
- CreateTopic
- CreateLoadBalancerSnatIps
- DeleteLoadBalancerSnatIps
- SetLoadBalancerSecurityGroups
- SetSecurityGroupForLoadbalancers
- ReplaceCertForLoadBalancers
- DescribeLoadBalancerListByCertId
- SetLoadBalancerClsLog
- DescribeQuota
- DescribeResources
- Classic CLB APIs
- Load Balancing APIs
- Data Types
- Error Codes
- CLB API 2017
- FAQs
- Service Level Agreement
- Contact Us
- Glossary
- Release Notes and Announcements
- CLB Release Notes
- [April 15, 2024] Domain Name Upgrade for Domain Name-based Public Network CLB
- [July 25, 2023] Adding Rate Limits on Shared CLB Instances
- [July 3, 2023] CLB API Authentication Upgrade
- [June 9, 2023] Adjusting the Grace Period for Pay-as-you-go CLB Instances
- [March 6, 2023] Launching Domain Name-Based Public CLBs
- [Feb. 24, 2023] Changing Health Check Source IP to 100.64.0.0/10 IP Range
- [July 8, 2022] Classic CLB Upgrade Prompt
- 【October 20, 2021】Classic CLB End-of-Sale Notice
- 【April 27, 2021】Announcement on the Authentication Upgrade for Certain CLB APIs
- Product Introduction
- Purchase Guide
- Getting Started
- Directions
- CLB Instance
- Directions for Upgrading to Domain Name-Based CLB
- Creating CLB Instances
- Creating an IPv6 CLB Instance
- Creating IPv6 NAT64 CLB Instances
- Creating an Anycast CLB Instance
- Configure CLB Forwarding Domain Name
- Configuring CLB Security Group
- Binding Private Network CLB to EIP
- Enabling or Disabling a CLB Instance
- Cloning CLB Instances
- Exporting CLB Instances
- Upgrade to a LCU-supported instances
- Adjusting Specification of LCU-supported CLBs
- Deleting CLB Instances
- Releasing Idle CLB Instances
- Configuring Deletion Protection
- Adjusting Instance Public Network Configurations
- CLB Listener
- CLB Listener Overview
- Configuring TCP Listener
- Configuring a UDP Listener
- Configuring TCP SSL Listener
- Configuring a QUIC Listener
- Configuring an HTTP Listener
- Configuring HTTPS Listener
- Load Balancing Methods
- Session Persistence
- Layer-7 Redirection Configuration
- Layer-7 Custom Configuration
- Layer-7 Domain Name Forwarding and URL Rules
- Using QUIC Protocol on CLB
- SNI Support for Binding Multiple Certificates to a CLB Instance
- Configuring gRPC Support for Layer-7 Protocols
- Real Server
- Health Check
- Certificate Management
- Log Management
- Monitoring and Alarm
- Cloud Access Management
- Classic CLB
- CLB Instance
- Best Practices
- Enabling Gzip Compression & Testing
- HTTPS Forwarding Configurations
- Obtaining Real Client IPs
- Best Practices for Configuring Load Balancing Monitoring Alerts
- Implementing HA Across Multiple AZs
- Load Balancing Algorithm Selection and Weight Configuration Examples
- Configuring WAF protection for CLB listening domain names
- Ops Guide
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- Listener APIs
- Backend Service APIs
- Target Group APIs
- Redirection APIs
- Other APIs
- ModifyLoadBalancersProject
- InquiryPriceCreateLoadBalancer
- InquiryPriceModifyLoadBalancer
- InquiryPriceRenewLoadBalancer
- DescribeLoadBalancerTraffic
- DescribeTaskStatus
- DescribeClsLogSet
- CreateClsLogSet
- CreateTopic
- CreateLoadBalancerSnatIps
- DeleteLoadBalancerSnatIps
- SetLoadBalancerSecurityGroups
- SetSecurityGroupForLoadbalancers
- ReplaceCertForLoadBalancers
- DescribeLoadBalancerListByCertId
- SetLoadBalancerClsLog
- DescribeQuota
- DescribeResources
- Classic CLB APIs
- Load Balancing APIs
- Data Types
- Error Codes
- CLB API 2017
- FAQs
- Service Level Agreement
- Contact Us
- Glossary
Overview of CVM Security Group
The backend CVM instances of CLB can perform access control through Security Group, which acts as a firewall.
You can associate one or more security groups with a backend CVM, and add one or more rules to each security group to control the traffic access permissions of different servers. You can modify the rules for a security group at any time, and the new rules are automatically applied to all instances associated with that security group. For more information, see the Security Group. In a VPC as instructed in Overview, you can also use a network ACL as instructed in Rule Overview for access control.
Configuration of CVM Security Group
You need to allow the client IP and open the service port in the CVM security group.
If you want to use a CLB instance to forward business traffic to your CVM instance, the CVM security group should be configured as follows to ensure effective health checks:
1. Public network CLB: You need to allow the CLB VIP in the security group of the backend CVM, so that the CLB instance can use the VIP to check the health status of the backend CVM.
2. Private network CLB:
For private network CLB (formerly called the application private network CLB), if your CLB instance is in a VPC, the CLB VIP needs to be allowed in the security group of the backend CVM for health checks; if your CLB instance is in a basic network, no additional configuration is needed as the health check IP is allowed by default.
For classic private network CLB, if your CLB instance was created before December 5, 2016 and is in a VPC, the CLB VIP needs to be allowed in the security group of the backend CVM for health checks; otherwise, no additional configuration is needed as the health check IP is allowed by default.
Configuration Sample
This example shows a sample of configuring CVM security groups when accessing a CVM through the CLB. To configure the rules of CLB security groups, please see Configuring CLB Security Group.
Application Scenario 1:
For a public network CLB configured with a TCP:80 listener and a backend service port 8080, if you want to allow only the ClientA IP and ClientB IP to access the CLB, you need to configure the inbound rules of the backend CVM security group as follows:
ClientA IP + 8080 allowClientB IP + 8080 allowCLB VIP + 8080 allow0.0.0.0/0 + 8080 drop
Application Scenario 2:
For a public network CLB configured with a HTTP:80 listener and a backend service port 8080, if you want to allow all Client IPs to access the CLB, you need to configure the inbound rules of the backend CVM security group as follows:
0.0.0.0/0 + 8080 allow
Application Scenario 3:
Allow the CLB VIP on the CVM security group to perform health check. For a private network CLB (formerly "application private network CLB") using a VPC and configured with TCP:80 listener and real server port 8080, if you want to only allow the Client IPs (ClientA IP and ClientB IP) to access the CLB VIP, and to restrict Client IP to only access backend CVMs bound with the CLB,
a. Configure the security group inbound rules for the real server as follows:
ClientA IP + 8080 allowClientB IP + 8080 allowCLB VIP + 8080 allow0.0.0.0/0 + 8080 drop
b. Configure the security group outbound rules for the server used as Client as follows:
CLB VIP + 8080 allow0.0.0.0/0 + 8080 drop
Application Scenario 4:
After December 5, 2016, for a newly purchased classic private network CLB using a VPC, you need to allow the Client IP only for the CVM security group. It is not necessary to allow the CLB VIP, and the health check IP is allowed by default. Configure this CLB with TCP:80 listener and real server port 8080. If you want to only allow the Client IPs (ClientA IP and ClientB IP) to access the CLB VIP, and to restrict Client IPs to only access backend CVMs bound with the CLB,
a. Configure the security group inbound rules for the real server as follows:
ClientA IP + 8080 allowClientB IP + 8080 allow0.0.0.0/0 + 8080 drop
b. Configure the security group outbound rules for the server used as Client as follows:
CLB VIP + 8080 allow0.0.0.0/0 + 8080 drop
Application Scenario 5: Blocklist
If you need to configure a blocklist for some client IPs to deny their access requests, you can configure the security group associated with the cloud services. The security group rules need to be configured as follows:
Add the Client IP and port to be rejected into the security group, and select the option in the policy column to reject access from this IP.
Add another security group rule after completing the above configuration to allow access requests to the port from all IPs by default.
When the configuration completes, the security group rules are as follows:
clientA IP + port dropclientB IP + port drop0.0.0.0/0 + port accept
Note:
Follow the steps above strictly in the given order, otherwise the blocklist configuration may fail.
The security group is stateful. The above configurations are all configurations of inbound rules.
Operation Guide of CVM Security Groups
Managing Backend CVM Security Groups Using the Console
1. Log into the CLB Console and click the corresponding CLB instance ID to enter the CLB details page.
2. On the page of CVMs bound to the CLB, click the target backend CVM ID to enter the CVM details page.
3. Click the Security Group tab. On the tab, bind/unbind a security group.
Yes
No
Was this page helpful?