Integrating a network load balancer with security groups
The IBM Cloud® Network Load Balancer for VPC (NLB) allows you to attach security groups to enhance your application's security.
The following information does not apply to Private Path network load balancers.
Security groups are a convenient way to secure your NLB instances. With a security group attached to your load balancer, you have full control over inbound and outbound traffic to and from the load balancer's listeners and its targets. Instead of identifying the load balancers using their IP addresses or CIDR range, targets can simply use the load balancer's security group as the source in their own security group definition. This ensures that traffic from all load balancer appliances is automatically allowed, irrespective of their IP addresses.
If a network load balancer has no security group attached, the load balancer itself passes all inbound and outbound traffic, and filtering happens only on the targets (by the VSI's own security groups and its iptables rules). Attaching a security group moves that first line of filtering in front of the targets.
Network traffic rules
The following tables provide best practices for inbound and outbound traffic for both public and private network load balancers.
Public Network Load Balancer
Inbound rules
It is common to allow inbound traffic from all sources to the listener port on a public load balancer. For example:
Protocol | Source type | Source | Value |
---|---|---|---|
TCP | IP address | 0.0.0.0/0 | Listener port |

However, if you need to restrict inbound traffic, you can specify a source CIDR, such as 209.173.53.167/20. This allows every public IP address within that range to reach the public load balancer. Note that a prefix written with host bits set, such as 209.173.53.167/20, denotes the whole block 209.173.48.0 through 209.173.63.255, not only addresses near .53.167; writing the network address (209.173.48.0/20) makes the rule's scope explicit. For example:

Protocol | Source type | Source | Value |
---|---|---|---|
TCP | IP address | 209.173.53.167/20 | Listener port |
Outbound rules
Ensure that your targets are in a security group and that this group is the destination in the outbound rules. Using a nested security group in this way lets your NLB send traffic only to the target and health check ports, whatever the targets' IP addresses are.

Protocol | Destination type | Destination | Value |
---|---|---|---|
TCP | Security group | Target security group | Target port |
TCP | Security group | Target security group | Health check port |
You can configure the outbound rules to be more permissive than shown (for example, you can allow all traffic to any destination). However, this is not recommended for security reasons.
Private Network Load Balancer
Inbound rules
Protocol | Source type | Source | Value |
---|---|---|---|
TCP | IP address or Security group | Client subnet CIDR, or the security group that the clients belong to | Listener port |

It's common practice to limit the inbound rules for a private load balancer to your own workload. Specify the source as a specific subnet CIDR, or as a security group that the client devices belong to. A specific CIDR or a nested security group is preferred; individual IP addresses also work.
A nested security group is an option only when clients are in the same VPC. If the clients are in a different VPC (or on-prem and connected to the load balancer’s VPC through Transit Gateway or Direct Link) you must identify the clients using IP addresses or CIDRs.
Outbound rules
Protocol | Destination type | Destination | Value |
---|---|---|---|
TCP | Security group | Target security group | Target port |
TCP | Security group | Target security group | Health check port (if different from the target port) |

Ensure that your targets are in a security group and that this group is the destination in your outbound rules. Using a nested security group in this way lets your NLB send traffic only to the target and health check ports.
In addition, your targets must have connectivity to the DNS resolver in order to resolve your load balancer's name. This is because load balancers are accessed through their DNS name.
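As an added example (not IBM Cloud's own code), the following Python builds the rule sets the tables above describe for both the load balancer's security group and the targets' security group, referencing each group from the other rather than using IP addresses, normalizes client CIDRs, and audits a load balancer rule set for the permissive patterns the tables warn against. The rule dictionaries follow the field names of the VPC API security-group-rule object (`direction`, `ip_version`, `protocol`, `port_min`, `port_max`, `remote`); the security group ids, ports and CIDRs are made-up sample values.

```python
"""Build and audit VPC security-group rules for a network load balancer.

Added example, not IBM Cloud's own code. Rule dictionaries follow the field
names of the VPC API security-group-rule object; every id, port and CIDR
used with these functions is a made-up sample value.
"""
import ipaddress

ANY_IPV4 = "0.0.0.0/0"


def rule(direction, remote, port=None, protocol="tcp"):
    """One security-group rule. `remote` is {"cidr_block": ...},
    {"address": ...} or {"id": "<security group id>"} (a nested group)."""
    r = {"direction": direction, "ip_version": "ipv4",
         "protocol": protocol, "remote": remote}
    if port is not None:            # protocol "all" carries no ports
        r["port_min"] = r["port_max"] = port
    return r


def remote_for(source):
    """A CIDR or address becomes a cidr_block remote; anything else is
    treated as the id of a security group in the same VPC. Host bits are
    cleared so that 203.0.113.167/20 is recorded as 203.0.112.0/20, the
    block that such a rule actually admits."""
    try:
        return {"cidr_block": str(ipaddress.ip_network(source, strict=False))}
    except ValueError:
        return {"id": source}


def nlb_rules(target_sg_id, listener_port, target_port, health_port, client_sources):
    """Rules for the load balancer's own security group: the listener port in
    from each client source, and out only to the target group on the target
    and health-check ports (one rule if they are the same port)."""
    rules = [rule("inbound", remote_for(src), listener_port) for src in client_sources]
    for port in sorted({target_port, health_port}):
        rules.append(rule("outbound", {"id": target_sg_id}, port))
    return rules


def target_rules(nlb_sg_id, target_port, health_port):
    """Rules for the targets' security group: accept the target and
    health-check ports only from members of the load balancer's group,
    whatever IP addresses the load balancer appliances use."""
    return [rule("inbound", {"id": nlb_sg_id}, port)
            for port in sorted({target_port, health_port})]


def audit(rules, target_sg_id, target_port, health_port):
    """Return findings for a load balancer rule set that departs from the
    design above: any-destination or any-protocol egress, any-source
    any-protocol ingress, or a target/health port with no egress rule."""
    findings = []
    covered = set()
    for r in rules:
        any_addr = r["remote"].get("cidr_block") == ANY_IPV4
        if r["direction"] == "outbound":
            if any_addr or r["protocol"] == "all":
                findings.append("outbound rule allows any destination or protocol")
            elif r["remote"].get("id") == target_sg_id:
                # a tcp rule without ports means every port
                covered.update(range(r.get("port_min", 1), r.get("port_max", 65535) + 1))
        elif any_addr and r["protocol"] == "all":
            findings.append("inbound rule allows all protocols from any source")
    for port in sorted({target_port, health_port} - covered):
        findings.append(f"no outbound rule to the target group on port {port}")
    return findings
```

Because the two groups reference each other, create the target group first, pass its id to `nlb_rules`, and then add `target_rules` with the load balancer group's id; a CIDR source (including 0.0.0.0/0 for a public listener) is the only option when clients sit outside the VPC.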
Attaching a security group during load balancer provisioning
You can attach up to five security groups when creating a network load balancer. If you do not select at least one security group, the default security group for your VPC is attached instead. In that case, review and update the default security group's rules before creating the load balancer so that listener, pool, and health check traffic to the new load balancer is not disrupted.
Prerequisite: Configure security groups and rules
Ensure that you've created the security groups that you want to attach to your NLB. Also make sure that their rules are configured for load balancer traffic. If you need to create a security group, perform the following procedure.
Alternatively, you can use the IBM Cloud VPC API to create a security group.
To create a security group using the UI:
- From your browser, open the IBM Cloud console and log in to your account.
- Select the Navigation Menu, then click Infrastructure > Network > Security groups.
- Click Create.
- Provide a unique name for your security group.
- Select the VPC for your security group. The security group must be created in the same VPC as the load balancer.
- Click Add to configure inbound and outbound rules that define what type of traffic is allowed to and from the security group. For each rule, complete the following information:
  - Specify a CIDR block or IP address for the permitted traffic. Alternatively, you can specify a security group in the same VPC to allow traffic to or from all sources that are attached to the selected security group.
  - Select the protocols and ports to which the rule applies. For best practices about network rules, see Network traffic rules.
  Tips:
  - All rules are evaluated, regardless of the order in which they are added.
  - Rules are stateful, which means that return traffic in response to allowed traffic is automatically permitted. For example, if you create a rule that allows inbound TCP traffic on port 80, that rule also allows the replying outbound TCP traffic on port 80 back to the originating host, without the need for another rule.
- Optional: Edit the interfaces if you're planning to apply this security group to your other instances. Attaching security groups to the load balancer is performed in the load balancer section.
- Click Create security group after you finish creating rules.
Security group example
For example, configure the following inbound rule, which allows TCP traffic from any source to port 80 for a TCP listener on port 80.

Protocol | Source type | Source | Value |
---|---|---|---|
TCP | Any | 0.0.0.0/0 | Port 80 |

Then, configure outbound rules that allow TCP traffic to your target's port and health check port:

Protocol | Destination type | Destination | Value |
---|---|---|---|
TCP | Any | 10.11.12.13/32 (target IP address) | 80 (target port) |
TCP | Any | 10.11.12.14/32 (target IP address) | 80 (target health check port) |

Destinations by IP address work, but if your targets are in a security group, referencing that group as the destination (as shown in Network traffic rules) is preferred: the rules keep working when targets are added or their addresses change.
Procedure: Attaching security groups during NLB creation
To attach security groups when creating your network load balancer, follow these steps:
- From your browser, open the IBM Cloud console and log in to your account.
- Select the Navigation Menu, then click Infrastructure > Network > Load balancers.
- Click Create.
- Configure the name, VPC, type, subnet, listeners, and pools as needed.
- Select the check boxes of the security groups that you want to attach from the security group table.
- Click Create to provision the load balancer.
Make sure your security group rules allow for load balancer traffic. Ensure your listener, pool, and health check ports are allowed in your security group.
Attaching and detaching security groups
Load balancers created before 07 August 2023 have no security group attached and allow all inbound and outbound traffic. Attaching a security group to such a load balancer is a one-way change: once it has a security group, it can never be returned to the unfiltered state. You can approximate the earlier "allow all inbound and outbound traffic" behavior by attaching a security group whose rules allow all inbound and outbound traffic, but such rules are inherently insecure and not recommended.
To attach a security group to an existing load balancer, follow these steps:
- From your browser, open the IBM Cloud console and log in to your account.
- Select the Navigation Menu, then click Infrastructure > Network > Load balancers.
- From the list of load balancers, select the load balancer to view its details page.
- Click the Attached security groups tab to view attached security groups.
- To attach one or more security groups, click Attach. You can select a maximum of five security groups to attach to your NLB.
- Select the security group to attach.
- Click Attach.
To detach a security group from a load balancer, follow these steps:
- From your browser, open the IBM Cloud console and log in to your account.
- Select the Navigation Menu, then click Infrastructure > Network > Load balancers.
- From the list of load balancers, select the load balancer to view its details page.
- Click the Attached security groups tab to view attached security groups.
- To detach a security group, click the security group's Action menu .
- Click Detach.
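The console procedures above can also be driven through the IBM Cloud VPC API, as mentioned under Prerequisite: Configure security groups and rules. The following Python is an added example, not IBM Cloud's own code or SDK. It assumes the VPC API shape in which a load balancer is a security-group target, so `PUT /v1/security_groups/{sg_id}/targets/{lb_id}` attaches a group and `DELETE` on the same path detaches it, and that `GET /v1/load_balancers/{lb_id}` returns the attached groups under `security_groups`; verify those paths and the `version` date against the VPC API reference before use. The region, IAM token and ids are placeholders. The client enforces the two constraints this section states: at most five groups per load balancer, and no return to the unfiltered state, which it handles by refusing to detach the last group and offering an attach-then-detach swap instead.

```python
"""Attach and detach security groups on an existing network load balancer.

Added example, not IBM Cloud's own code. Assumed VPC API shape (verify
against the API reference):
  GET    /v1/load_balancers/{lb_id}                   -> has "security_groups"
  PUT    /v1/security_groups/{sg_id}/targets/{lb_id}  -> attach
  DELETE /v1/security_groups/{sg_id}/targets/{lb_id}  -> detach
Region, token, version date and every id are placeholders.
"""
import json
import urllib.request

MAX_SECURITY_GROUPS = 5          # per-load-balancer limit stated on the page


class NlbSecurityGroups:
    def __init__(self, region, iam_token, api_version="2024-07-16", send=None):
        self.base = f"https://{region}.iaas.cloud.ibm.com/v1"
        self.query = f"version={api_version}&generation=2"
        self.token = iam_token
        self.send = send or self._http   # injectable for dry runs and tests

    def _http(self, method, url, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {self.token}",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def _target_url(self, sg_id, lb_id):
        return f"{self.base}/security_groups/{sg_id}/targets/{lb_id}?{self.query}"

    def attached(self, lb_id):
        """Ids of the security groups currently attached to the load balancer."""
        lb = self.send("GET", f"{self.base}/load_balancers/{lb_id}?{self.query}")
        return [sg["id"] for sg in lb.get("security_groups", [])]

    def attach(self, lb_id, sg_id):
        """Attach sg_id unless it is already attached or the limit is reached."""
        current = self.attached(lb_id)
        if sg_id in current:
            return current
        if len(current) >= MAX_SECURITY_GROUPS:
            raise ValueError(f"{lb_id} already has {MAX_SECURITY_GROUPS} security groups")
        self.send("PUT", self._target_url(sg_id, lb_id))
        return current + [sg_id]

    def detach(self, lb_id, sg_id):
        """Detach sg_id, but never the last group: a load balancer that has had
        a security group cannot return to the unfiltered state, so swap groups
        with replace() instead of emptying the list."""
        current = self.attached(lb_id)
        if sg_id not in current:
            return current
        if len(current) == 1:
            raise ValueError(f"{sg_id} is the last security group on {lb_id}")
        self.send("DELETE", self._target_url(sg_id, lb_id))
        return [s for s in current if s != sg_id]

    def replace(self, lb_id, old_sg_id, new_sg_id):
        """Attach the replacement first, then detach the old group, so the
        load balancer never has zero groups and existing flows stay allowed
        while both rule sets are in effect."""
        self.attach(lb_id, new_sg_id)
        return self.detach(lb_id, old_sg_id)
```

To dry-run against a real account, pass `send=lambda m, u, b=None: print(m, u) or {}` and inspect the calls before switching to the default HTTP sender with an IAM bearer token.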