Configuring Security Group and Firewall Rules

Constraints and Limitations

• If health check is enabled for a backend server group, security group rules must allow traffic from the health check port over the health check protocol.
• If UDP is used for health check, there must be a rule that allows ICMP traffic. If there is no such rule, the health of the backend servers cannot be checked.

Configuring Security Group Rules

If you have no VPCs when creating a server, a default VPC will be created for you. Default security group rules allow only communications among the servers in the VPC. To ensure that the load balancer can communicate with these servers over both the frontend port and health check port, configure inbound rules for security groups containing these servers.

1. Log in to the management console.
2. In the upper left corner of the page, click and select the desired region and project.
3. Click in the upper left corner to display Service List and choose Computing > Elastic Cloud Server.
4. In the ECS list, click the name of the ECS whose security group rules you want to modify.

   The ECS details page is displayed.

5. Click Security Groups, locate the security group, and view security group rules.
6. Click the ID of a security group rule or Modify Security Group Rule. The security group details page is displayed.
7. On the Inbound Rules tab page, click Add Rule. Configure an inbound rule based on Table 1.

   Table 1 Security group rules

   Backend Protocol	Policy	Protocol & Port	Source IP Address
   HTTP	Allow	Protocol: TCP Port: the port used by the backend server and the health check port	100.125.0.0/16
   TCP	Allow	Protocol: TCP Port: health check port	100.125.0.0/16
   UDP	Allow	Protocol: UDP and ICMP Port: health check port	100.125.0.0/16

8. Click OK.

Configuring Firewall Rules

To control traffic in and out of a subnet, you can associate a firewall with the subnet. Firewall rules control access to subnets and add an additional layer of defense to your subnets. Default firewall rules reject all inbound and outbound traffic. If the subnet of a load balancer or associated backend servers has a firewall associated, the load balancer cannot receive traffic from the Internet or route traffic to backend servers, and backend servers cannot receive traffic from and respond to the load balancer.

You can configure an inbound firewall rule to permit access from 100.125.0.0/16.

ELB translates the public IP addresses used to access backend servers into private IP addresses in 100.125.0.0/16. You cannot configure firewall rules to prevent public IP addresses from accessing backend servers.

1. Log in to the management console.
2. In the upper left corner of the page, click and select the desired region and project.
3. Click in the upper left corner to display Service List and choose Network > Virtual Private Cloud.
4. In the navigation pane on the left, choose Access Control > Firewalls.
5. In the firewall list, click the name of the firewall to switch to the page showing its details.
6. On the Inbound Rules or Outbound Rules tab page, click Add Rule to add an inbound or outbound rule.
   • Type: Select the IP address type supported by the rule. The value can be IPv4 or IPv6.
   • Action: Select Allow.
   • Protocol: The protocol must be the same as the backend protocol.
   • Source: Set it to 100.125.0.0/16.
   • Source Port Range: Select a port range based on the service requirements.
   • Destination: Enter a destination address allowed in this direction. The default value is 0.0.0.0/0, which indicates that traffic from all IP addresses is permitted.
   • Destination Port Range: Select a port range based on the service requirements.
   • (Optional) Description: Describe the firewall rule if necessary.
7. Click OK.