vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/elb/umn/elb_ug_hd_0002.html
zhoumeng 58b2c5fa4f elb_umn_20230303 
Reviewed-by: Hajba, László Antal <laszlo-antal.hajba@t-systems.com>
Co-authored-by: zhoumeng <zhoumeng35@huawei.com>
Co-committed-by: zhoumeng <zhoumeng35@huawei.com>
2023-03-03 16:05:26 +00:00

10 KiB
Raw Blame History

Configuring Security Group Rules for Backend Servers (Shared Load Balancers)

Scenarios

Before you add servers to a backend server group, ensure that their security groups have inbound rules that allow traffic from 100.125.0.0/16, and specify the health check protocol and port. Otherwise, health checks will be affected, and backend servers cannot receive requests from the load balancer. If UDP is used for health checks, inbound security group rules must also allow the ICMP traffic.

If you have no VPCs when creating a server, the system will automatically create a VPC with default security rules. Default security group rules allow only communications among the servers in the VPC. You also need to configure inbound rules to enable the load balancer to communicate with these servers over the frontend port and health check port.

If Transfer Client IP Address is enabled for the TCP or UDP listener, security group rules and network ACL rules will not take effect. To control traffic to backend servers, you can use access control to limit which IP addresses are allowed to access the listener. Learn how to configure access control.

Procedure

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Hover on in the upper left corner to display Service List and choose Computing > Elastic Cloud Server.
  4. In the ECS list, locate the ECS and click its name.

    The ECS details page is displayed.

  5. Click Security Groups, locate the security group, and view security group rules.
  6. Click the security group rule ID or Modify Security Group Rule.

    The security group details page is displayed.

  7. Under Inbound Rules, click Add Rule.
    • TCP, HTTP, or HTTPS listeners
      • If the health check port is not the one used by each backend server, add inbound rules to allow TCP traffic over the health check port and the ports used by backend servers.
      • If you do not specify a health check port, add inbound rules to allow TCP traffic over the ports used by backend servers.
      • The inbound rules must also allow access from 100.125.0.0/16. Otherwise, health checks will fail.
    • UDP listeners
      • If the health check port is not the one used by each backend server, add inbound rules to allow UDP traffic over the health check port and the ports used by backend servers.
      • If you do not specify a health check port, add inbound rules to allow UDP traffic over the ports used by backend servers.
      • The inbound rules must also allow access from 100.125.0.0/16. Otherwise, health checks will fail.
      • You need also to add an inbound rule to allow ICMP traffic.
  8. Click OK.

Configuring Firewall Rules

To control traffic in and out of a subnet, you can associate a firewall with the subnet. Similar to security groups, firewalls control access to subnets and add an additional layer of defense to your subnets. Default firewall rules reject all inbound and outbound traffic. If the subnet of a load balancer or associated backend servers has a firewall associated, the load balancer cannot receive traffic from the Internet or route traffic to backend servers, and backend servers cannot receive traffic from and respond to the load balancer.

Configure an inbound firewall rule to permit access from 100.125.0.0/16.

ELB translates public IP addresses that access backend servers into IP addresses in 100.125.0.0/16. You cannot configure firewall rules to prevent public IP addresses from accessing backend servers to allow traffic from 100.125.0.0/16 to all backend servers.

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Click in the upper left corner of the page and choose Network > Virtual Private Cloud.
  4. In the navigation pane on the left, choose Access Control > Firewall.
  5. In the firewall list, click the name of the firewall to switch to the page showing its details.
  6. On the Inbound Rules or Outbound Rules tab page, click Add Rule to add a rule.
    • Action: Select Allow.
    • Protocol: The protocol must be the same as the one you selected for the listener.
    • Source: Set it to 100.125.0.0/16.
    • Source Port Range: Select a port range.
    • Destination: If you keep the default value, 0.0.0.0/0, traffic will be allowed for all destination IP addresses.
    • Destination Port Range: Select a port range.
    • (Optional) Description: Describe the firewall rule.
  7. Click OK.
Parent topic: Backend Server