Integrating an application load balancer with security groups
The IBM Cloud® Application Load Balancer for VPC (ALB) allows you to attach security groups to enhance your application's security.
Security groups are a convenient way to secure your ALB instances. With a security group attached to your load balancer, you have full control over inbound and outbound traffic to and from the load balancer's listeners and its back-end targets. This feature also makes it convenient to tighten the security posture of the load balancers' back-end targets. Instead of identifying the load balancers using their IP addresses or CIDR range, back-end targets can simply use the load balancer's security group as the source in their own security group definition. This ensures that traffic from all load balancer appliances is allowed automatically, irrespective of their IP addresses.
Network traffic rules
The following tables provide best practices for inbound and outbound traffic for both public and private application load balancers.
Public Application Load Balancer
Inbound rules
Protocol | Source Type | Source | Value |
---|---|---|---|
TCP | IP Address | 0.0.0.0/0 | Listener port |
In a typical use case, it is common to allow inbound traffic from all sources to the listener port on a public load balancer.
Protocol | Source Type | Source | Value |
---|---|---|---|
TCP | IP Address | 209.173.53.167/20 | Listener port |
However, if your requirements need to restrict inbound traffic, you can specify a source CIDR, such as 209.173.53.167/20. This allows all public IP addresses within that range to reach the public load balancer.
Outbound rules
Protocol | Destination type | Destination | Value |
---|---|---|---|
TCP | Security group | Back-end target | Back-end target port |
TCP | Security group | Back-end target | Health check port |
Ensure that your back-end targets are in a security group and that this security group is configured as the destination in the outbound rules. Using a nested security group lets your ALB allow outbound traffic only to the back-end target and health check ports.
You can configure the outbound rule to be more permissive than shown (for example, allow all traffic to any destination). However, for security reasons, this is not recommended.
Private Application Load Balancer
Inbound rules
Protocol | Source type | Source | Value |
---|---|---|---|
TCP | IP address | Subnet CIDR or VPC security group | Listener port |
It is typical to limit the inbound rules for a private load balancer to your own workload. Ensure that you specify the source from a specific subnet CIDR, or a security group that the source devices belong to. Using a specific CIDR, or nested security group, is preferred; however, individual IP addresses also work.
A nested security group is an option only when clients are in the same VPC. If the clients are in a different VPC or on-premises, connected to the load balancer’s VPC through Transit Gateway or Direct Link, you must identify the clients using IP addresses or CIDRs.
Outbound rules
Protocol | Destination type | Destination | Value |
---|---|---|---|
TCP | Security group | Back-end target security group | Back-end target port |
TCP | Security group | Back-end target security group | Health check port (if different from the back-end target port) |
Ensure that your back-end targets are in a security group and that this security group is configured as the destination in the outbound rules. Using a nested security group lets your ALB allow outbound traffic only to the back-end target and health check ports.
In addition, your back-end targets must have connectivity to the DNS resolver in order to resolve your load balancer's name. This is because load balancers are accessed through their DNS name.
Attaching a security group during load balancer provisioning
You can attach up to five security groups when creating an application load balancer. If you do not specify a security group during load balancer creation, the default security group for your VPC is used.
If you do not select at least one security group, it is recommended that you update your default security group rules to minimize disruption in load balancer traffic on newly created application load balancers.
Prerequisite: Configure security groups and rules
Ensure that the security groups that you want to attach to your ALB exist and that their rules are configured for load balancer traffic. If you need to create a security group, follow these steps. Alternatively, you can use IBM Cloud VPC APIDOCS to create a security group.
To create a security group using the UI:
- From your browser, open the IBM Cloud console and log in to your account.
- Select the Navigation Menu, then click Infrastructure > Network > Security groups.
- Click Create.
- Provide a unique name for your security group.
- Select the VPC for your security group. The security group must be created in the same VPC as the load balancer.
- Click Add to configure inbound and outbound rules that define what type of traffic is allowed to and from the security group. For each rule, complete the following information:
  - Specify a CIDR block or IP address for the permitted traffic. Alternatively, you can specify a security group in the same VPC to allow traffic to or from all sources that are attached to the selected security group.
  - Select the protocols and ports to which the rule applies. For best practices about network rules, see Network traffic rules.
  Tips:
  - All rules are evaluated, regardless of the order in which they're added.
  - Rules are stateful, which means that return traffic in response to allowed traffic is automatically permitted. For example, if you create a rule that allows inbound TCP traffic on port 80, that rule also allows the outbound TCP reply traffic on port 80 back to the originating host, without the need for another rule.
- Optional: Edit the interfaces if you're planning to apply this security group to your other instances. Attaching security groups to a load balancer is performed in the load balancer section.
- Click Create security group after you finish creating rules.
Security group example
For example, configure the following inbound rule, which allows traffic from any source to port 80 for an HTTP listener (TCP port 80).
Protocol | Source type | Source | Value |
---|---|---|---|
TCP | Any | 0.0.0.0/0 | Port 80 |
Then, configure outbound rules that allow TCP traffic to your back-end target:
Protocol | Destination type | Destination | Value |
---|---|---|---|
TCP | Any | 10.11.12.13/32 (Back-end target IP address) | 80 (Back-end target port) |
TCP | Any | 10.11.12.14/32 (Back-end target IP address) | 80 (Back-end target health check port) |
Procedure: Attaching security groups during ALB creation
To attach security groups when creating your application load balancer, follow these steps:
- From your browser, open the IBM Cloud console and log in to your account.
- Select the Navigation Menu, then click Infrastructure > Network > Load balancers.
- Click Create.
- Configure the name, VPC, type, subnet, listeners, and pools as needed.
- Select the checkboxes of the security groups that you want to attach from the security group table.
- Click Create to provision the load balancer.
Make sure your security group rules allow for load balancer traffic. Ensure your listener, pool, and health check ports are allowed in your security group.
Attaching and detaching security groups
Load balancers created prior to 25 February 2021 do not have a security group attached and allow all inbound and outbound traffic. If you attach a security group to a load balancer that does not have a security group, you cannot revert to having no security groups. You can revert to the previous "allow all inbound and outbound traffic" behavior by attaching a security group with rules that allow all inbound and outbound traffic. However, such a rule is inherently less secure than having a more restrictive security group in place, and is not recommended.
To attach a security group to an existing load balancer, follow these steps:
- From your browser, open the IBM Cloud console and log in to your account.
- Select the Navigation Menu, then click Infrastructure > Network > Load balancers.
- From the list of load balancers, select the load balancer to view its details page.
- Click the Attached security groups tab to view attached security groups.
- To attach one or more security groups, click Attach. You can select a maximum of five security groups to attach to an ALB.
- Select the security group to attach.
- Click Attach.
To detach a security group from a load balancer, follow these steps:
- From your browser, open the IBM Cloud console and log in to your account.
- Select the Navigation Menu, then click Infrastructure > Network > Load balancers.
- From the list of load balancers, select the load balancer to view its details page.
- Click the Attached security groups tab to view attached security groups.
- To detach a security group, click the security group's Action menu.
- Click Detach.