How do I attach a security group to my Elastic Load Balancer?

Last updated: 2022-08-03

If you're using a Classic Load Balancer, follow instructions at Manage security groups using the console or Manage security groups using the AWS CLI.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

If you're using an Application Load Balancer, follow the instructions at Security groups for your Application Load Balancer.

If you're using a Network Load Balancer, update the security groups for your target instances because Network Load Balancers don't have associated security groups.

• If your target type is an IP and the target group protocol is TCP/TLS/UDP/TCP_UDP - TCP/TLS, then the protocol defaults to load balancer private IP as the source IP. This means that it's a best practice to allowlist load balancer private IPs on your target security group. UDP/TCP_UDP defaults to preserve client IP addresses. This means that it's a best practice to allowlist client IPs in the target security group.

  Note: If preserve client IP isn't activated and the target security groups are allow-listing load balancer private IPs, then you are allowing all incoming traffic to access your service. If your service is designed to be access-restricted to specific CIDR ranges, then use network access control list (network ACL) to allow-list specific CIDRs and deny the rest. Or, you can active client IP preservation and set up restrictions on the target security group as discussed later.

• If your target type is an instance and the target group protocol is TCP/ TLS/ UDP/TCP_UDP, then the default behavior of the Network Load Balancer is to preserve the client IP address. If the client IP preservation setting remains at the default value, then it's a best practice to allowlist client IP addresses on your target security group.

As needed, you can change the default client IP preservation behavior for TCP/TLS target groups by setting a target group attribute "preserve_client_ip.enabled." It's not possible to change this behavior for UDP/TCP_UDP protocol target groups. Depending on whether client IP preservation is active or not active (based on your configuration choices), it's a best practice to adjust the IP CIDRs allow-listed on the target security groups. If the client IP preservation is activated, then it's a best practice to allowlist client IP addresses. If it's not active, then it's a best practice to allowlist load balancer private IP addresses. For more information on client IP preservation behavior of the Network Load Balancer, see Target groups for your Network Load Balancers.

Note: Make sure that you associate at least one security group with each Classic or Application Load Balancer, and that the security group allows connections between the load balancer and associated backend instances.