IBM Cloud Docs
Integrating an application load balancer with security groups

The IBM Cloud® Application Load Balancer for VPC (ALB) allows you to attach security groups to enhance your application's security.

Security groups are a convenient way to secure your ALB instances. With a security group attached to your load balancer, you have full control over inbound and outbound traffic to and from the load balancer's listeners and its back-end targets. This feature also makes it convenient to tighten the security posture of the load balancers' back-end targets. Instead of identifying the load balancers using their IP addresses or CIDR range, back-end targets can simply use the load balancer's security group as the source in their own security group definition. This ensures that traffic from all load balancer appliances is allowed automatically, irrespective of their IP addresses.

Network traffic rules

The following tables provide best practices for inbound and outbound traffic for both public and private application load balancers.

Public Application Load Balancer

Inbound rules

Configuration information for inbound rules of public load balancers

  Protocol   Source type   Source       Value
  TCP        IP address    0.0.0.0/0    Listener port

In a typical use case, it is common to allow inbound traffic from all sources to the listener port on a public load balancer.

Configuration information for inbound rules of public load balancers from a specific CIDR

  Protocol   Source type   Source               Value
  TCP        IP address    209.173.53.167/20    Listener port

If your requirements call for restricting inbound traffic instead, specify a source CIDR such as 209.173.53.167/20. All public IP addresses within that range can then reach the public load balancer, and no others can.

Outbound rules

Configuration information for outbound rules of public load balancers

  Protocol   Destination type   Destination       Value
  TCP        Security group     Back-end target   Back-end target port
  TCP        Security group     Back-end target   Health check port

Ensure that your back-end targets are in a security group and that this security group is configured as the destination in the outbound rules. Using a nested security group in this way restricts the ALB's outbound traffic to the back-end target port and the health check port only.

You can configure the outbound rule to be more permissive than shown (for example, allow all traffic to any destination). However, for security reasons, this is not recommended.

Private Application Load Balancer

Inbound rules

Configuration information for inbound rules for private load balancers

  Protocol   Source type                      Source                              Value
  TCP        IP address or Security group     Subnet CIDR or VPC security group   Listener port

It is typical to limit the inbound rules for a private load balancer to your own workload. Ensure that you specify the source from a specific subnet CIDR, or a security group that the source devices belong to. Using a specific CIDR, or nested security group, is preferred; however, individual IP addresses also work.

A nested security group is an option only when clients are in the same VPC. If the clients are in a different VPC or on-premises, connected to the load balancer’s VPC through Transit Gateway or Direct Link, you must identify the clients using IP addresses or CIDRs.

Outbound rules

Configuration information for outbound rules for private load balancers

  Protocol   Destination type   Destination                       Value
  TCP        Security group     Back-end target security group    Back-end target port
  TCP        Security group     Back-end target security group    Health check port (if different from the back-end target port)

Ensure that your back-end targets are in a security group and that this security group is configured as the destination in the outbound rules. Using a nested security group in this way restricts the ALB's outbound traffic to the back-end target port and the health check port only.

In addition, your back-end targets must have connectivity to the DNS resolver in order to resolve your load balancer's name. This is because load balancers are accessed through their DNS name.

Attaching a security group during load balancer provisioning

You can attach up to five security groups when creating an application load balancer. If you do not specify a security group during load balancer creation, the default security group for your VPC is used.

If you do not select at least one security group, it is recommended that you update your default security group rules to minimize disruption in load balancer traffic on newly created application load balancers.

Prerequisite: Configure security groups and rules

Ensure that the security groups that you want to attach to your ALB exist, and that their rules are configured for load balancer traffic. If you need to create a security group, follow these steps. Alternatively, you can create a security group with the IBM Cloud VPC API (see the IBM Cloud VPC API docs).

To create a security group using the UI:

  1. From your browser, open the IBM Cloud console and log in to your account.

  2. Select the Navigation Menu icon, then click Infrastructure > Network > Security groups.

  3. Click Create.

  4. Provide a unique name for your security group.

  5. Select the VPC for your security group. The security group must be created in the same VPC as the load balancer.

  6. Click Add to configure inbound and outbound rules that define what type of traffic is allowed to and from the security group. For each rule, complete the following information:

    • Specify a CIDR block or IP address for the permitted traffic. Alternatively, you can specify a security group in the same VPC to allow traffic to or from all sources that are attached to the selected security group.
    • Select the protocols and ports to which the rule applies. For best practices about network rules, see Network traffic rules.

    Tips:

    • All rules are evaluated, regardless of the order in which they're added.
    • Rules are stateful, which means that return traffic in response to allowed traffic is automatically permitted. For example, if you create a rule that allows inbound TCP traffic on port 80, that rule also allows the outbound TCP reply traffic from port 80 back to the originating host, without the need for another rule.
  7. Optional: Edit the interfaces if you're planning to apply this security group to your other instances. Attaching security groups is performed in the load balancer section.

  8. Click Create security group after you finish creating rules.

Security group example

For example, configure the following inbound rule, which allows TCP traffic from any source to port 80 for an HTTP listener (TCP port 80).

Example configuration information for inbound rules

  Protocol   Source type   Source       Value
  TCP        Any           0.0.0.0/0    Port 80

Then, configure outbound rules that allow TCP traffic to your back-end target:

Example configuration information for outbound rules

  Protocol   Destination type   Destination                                 Value
  TCP        Any                10.11.12.13/32 (Back-end target IP address)  80 (Back-end target port)
  TCP        Any                10.11.12.14/32 (Back-end target IP address)  80 (Back-end target health check port)
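The following script is an added example, not part of the IBM Cloud documentation or the VPC API. It audits a security group rule set against the practices in the Network traffic rules section: every listener port must be admitted inbound, every back-end target and health check port must be reachable outbound, a private ALB should not admit inbound traffic from any source, and outbound rules should not be open to any destination. The rule dictionaries and the "sg:<name>" notation for a security group remote are conventions of this example only; the sample rule set is constructed to mirror the tables above.

```python
from ipaddress import ip_network

# Constructed rule set mirroring the "Security group example" tables above.
# A remote is a CIDR string, or "sg:<name>" for a security group (a convention of this example only).
EXAMPLE_RULES = [
    {"direction": "inbound", "protocol": "tcp", "remote": "0.0.0.0/0", "port_min": 80, "port_max": 80},
    {"direction": "outbound", "protocol": "tcp", "remote": "10.11.12.13/32", "port_min": 80, "port_max": 80},
    {"direction": "outbound", "protocol": "tcp", "remote": "10.11.12.14/32", "port_min": 80, "port_max": 80},
]


def _admits(rule, direction, port):
    """True if the rule is in the given direction and its protocol/port range covers a TCP port."""
    if rule["direction"] != direction:
        return False
    if rule["protocol"] == "all":
        return True
    return rule["protocol"] == "tcp" and rule["port_min"] <= port <= rule["port_max"]


def _is_any(remote):
    """True for a CIDR that matches every address (0.0.0.0/0 or ::/0); False for a security group remote."""
    return not remote.startswith("sg:") and ip_network(remote, strict=False).prefixlen == 0


def audit_alb_rules(rules, listener_ports, target_ports, health_check_ports, public=True):
    """Return a list of findings; an empty list means the rule set follows the tables above."""
    findings = []
    # Inbound: every listener port must be reachable.
    for port in listener_ports:
        if not any(_admits(r, "inbound", port) for r in rules):
            findings.append(f"no inbound rule admits listener port {port}")
    # Outbound: the ALB must reach both the back-end target port and the health check port.
    for label, ports in (("back-end target", target_ports), ("health check", health_check_ports)):
        for port in ports:
            if not any(_admits(r, "outbound", port) for r in rules):
                findings.append(f"no outbound rule reaches the {label} port {port}")
    # Permissiveness checks from the guidance above.
    for r in rules:
        if r["protocol"] == "all":
            findings.append(f"{r['direction']} rule to {r['remote']} allows all protocols and ports")
        if r["direction"] == "inbound" and not public and _is_any(r["remote"]):
            findings.append("private ALB admits inbound traffic from any source; limit it to your workload's CIDR or security group")
        if r["direction"] == "outbound" and _is_any(r["remote"]):
            findings.append("outbound rule allows any destination; restrict it to the back-end target security group")
    return findings


if __name__ == "__main__":
    print(audit_alb_rules(EXAMPLE_RULES, [80], [80], [80]) or "rule set matches the recommended practices")
```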

Procedure: Attaching security groups during ALB creation

To attach security groups when creating your application load balancer, follow these steps:

  1. From your browser, open the IBM Cloud console and log in to your account.
  2. Select the Navigation Menu icon, then click Infrastructure > Network > Load balancers.
  3. Click Create.
  4. Configure the name, VPC, type, subnet, listeners, and pools as needed.
  5. Select the checkboxes of the security groups that you want to attach from the security group table.
  6. Click Create to provision the load balancer.

Make sure your security group rules allow for load balancer traffic. Ensure your listener, pool, and health check ports are allowed in your security group.

Attaching and detaching security groups

Load balancers created prior to 25 February 2021 do not have a security group attached and allow all inbound and outbound traffic. If you attach a security group to a load balancer that does not have a security group, you cannot revert back to having no security groups. You can revert to the previous "allow all inbound and outbound traffic" behavior by attaching a security group with rules for allowing all inbound and outbound traffic. However, such a rule is inherently less secure than having a more restrictive security group in place, and is not recommended.

To attach a security group to an existing load balancer, follow these steps:

  1. From your browser, open the IBM Cloud console and log in to your account.
  2. Select the Navigation Menu icon, then click Infrastructure > Network > Load balancers.
  3. From the list of load balancers, select the load balancer to view its details page.
  4. Click the Attached security groups tab to view attached security groups.
  5. To attach one or more security groups, click Attach. You can select a maximum of five security groups to attach to an ALB.
  6. Select the security group to attach.
  7. Click Attach.

To detach a security group from a load balancer, follow these steps:

  1. From your browser, open the IBM Cloud console and log in to your account.
  2. Select the Navigation Menu icon, then click Infrastructure > Network > Load balancers.
  3. From the list of load balancers, select the load balancer to view its details page.
  4. Click the Attached security groups tab to view attached security groups.
  5. To detach a security group, click the security group's Actions icon.
  6. Click Detach.