How do I attach a security group to my Elastic Load Balancing load balancer?


I want to configure and attach a security group to my Elastic Load Balancing load balancer.

Resolution

If you use a Classic Load Balancer, then see Manage security groups using the console or Manage security groups using the AWS Command Line Interface (AWS CLI).

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

If you use an Application Load Balancer, then see Security groups for your Application Load Balancer.

If you use a Network Load Balancer, then you can associate a security group when you create the Network Load Balancer.

If your target type is an IP address, then the client IP preservation setting is turned off. The target sees the load balancer's private IP address as the source IP address for health checks and user traffic. It's a best practice to allowlist the load balancer's private IP addresses or the load balancer's security group on the target's security group.

Note: Review your client IP preservation setting together with your target security groups. If the setting is off and the target allowlists the load balancer's private IP addresses or security group, then every client that can reach the load balancer can reach your service, because the target sees only the load balancer's address and can't filter by client. If access to your service must be restricted to specific CIDR ranges, then use a Network Load Balancer that you create with security groups, and allow only the required client CIDR ranges in the load balancer's security group.

If your target type is an instance and the target group protocol is TCP/TLS/UDP/TCP_UDP, then the client IP address is preserved by default. If you create the Network Load Balancer without security groups, then it's a best practice to allowlist client IP addresses on your target security group. For a Network Load Balancer with security groups, you can control client access at the load balancer's security group.

To change the default client IP preservation setting for a TCP or TLS target group, set the preserve_client_ip.enabled target group attribute. You can't change the behavior for UDP or TCP_UDP target groups: client IP preservation is always on for them.

Note: Associate at least one security group with each Classic or Application Load Balancer. The security group must allow connections between the load balancer and the associated backend instances. For Network Load Balancers, you don't need to select security groups when you create the load balancer. However, if you create the Network Load Balancer without a security group, then you can't associate a security group later.
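The rules above can be encoded as a small policy check. The following is an added example, not AWS code or an AWS CLI call; the function names and the return-value labels are assumptions made for this example, and the `preserve_client_ip` argument mirrors the `preserve_client_ip.enabled` target group attribute.

```python
# Added example: encodes this page's client IP preservation rules for a
# Network Load Balancer as a policy check. Illustrative code only; it does
# not call the AWS API, and all names here are assumptions for the example.

UDP_PROTOCOLS = {"UDP", "TCP_UDP"}   # preservation can't be turned off
TCP_PROTOCOLS = {"TCP", "TLS"}       # preservation is configurable


def client_ip_preserved(target_type, protocol, preserve_client_ip=None):
    """Return True if targets see the real client IP.

    preserve_client_ip mirrors the preserve_client_ip.enabled attribute;
    None means the target group default is in effect.
    """
    if target_type == "ip":
        return False                 # always off for IP address targets
    if protocol in UDP_PROTOCOLS:
        return True                  # always on for UDP / TCP_UDP
    if protocol in TCP_PROTOCOLS:
        return True if preserve_client_ip is None else bool(preserve_client_ip)
    raise ValueError(f"unsupported target group protocol: {protocol}")


def recommended_target_ingress(target_type, protocol, lb_has_security_group,
                               preserve_client_ip=None):
    """Say what the target security group should allow and where client
    restriction (allowed CIDR ranges) must actually be enforced."""
    if client_ip_preserved(target_type, protocol, preserve_client_ip):
        # Target sees the client address, so it can filter clients itself.
        return {
            "target_allows": "client_cidrs",
            "restrict_clients_at": ("load_balancer_security_group"
                                    if lb_has_security_group
                                    else "target_security_group"),
        }
    # Target sees only the load balancer's private IP, so allowing it admits
    # every client the load balancer accepts; clients can be restricted only
    # by a security group on the load balancer itself.
    if lb_has_security_group:
        where = "load_balancer_security_group"
    else:
        # A load balancer created without security groups can't get one later.
        where = "nowhere: recreate the load balancer with security groups"
    return {
        "target_allows": "load_balancer_private_ips_or_security_group",
        "restrict_clients_at": where,
    }
```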

Related information

Monitor your Classic Load Balancer

Monitor your Application Load Balancers

AWS OFFICIAL

Updated 6 months ago