zhoumeng
3a55e4d067
Reviewed-by: Hajba, László Antal <laszlo-antal.hajba@t-systems.com> Co-authored-by: zhoumeng <zhoumeng35@huawei.com> Co-committed-by: zhoumeng <zhoumeng35@huawei.com>
13 KiB
Configuring Security Group Rules for Backend Servers (Dedicated Load Balancers)
Scenarios
When you add a backend server to a backend server group, ensure that the rules of the security group that containing the backend server allows access from the VPC where the backend server resides, and that the destination port is that used by the backend server. You also need to configure the protocol and port used for health checks. If you use UDP for health checks, configure inbound rules to allow ICMP traffic. Otherwise, health checks cannot be performed on the added backend server.
If you have no VPCs when creating a server, the system will automatically create a VPC with default security rules. Default security group rules allow only communications among the servers in the VPC. You also need to configure inbound rules to enable the load balancer to communicate with these servers over the frontend port and health check port.
If the load balancer has a TCP or UDP listener and IP as a backend is disabled, security group rules and firewall rules will not take effect. To control traffic to backend servers, you can use access control to limit which IP addresses are allowed to access the listener. Learn how to configure access control.
Procedure
- Log in to the management console.
- In the upper left corner of the page, click
and select the desired region and project. - Hover on
in the upper left corner to display Service List and choose Computing > Elastic Cloud Server. - In the ECS list, locate the ECS and click its name.
- Click Security Groups, locate the security group, and view security group rules.
- Click the security group rule ID or Modify Security Group Rule. The security group details page is displayed.
- On the Inbound Rules tab page, click Add Rule. Configure an inbound rule based on Table 1.
Table 1 Security group rules Backend Protocol
Policy
Protocol & Port
Source IP Address
HTTP or HTTPS
Allow
Protocol: TCP
Port: the port used by the backend server and health check port
Backend subnet of the load balancer
TCP
Allow
Protocol: TCP
Port: health check port
UDP
Allow
Protocol: UDP and ICMP
Port: health check port
- Click OK.
Configuring Firewall Rules
To control traffic in and out of a subnet, you can associate a firewall with the subnet. Similar to security groups, firewall rules control access to subnets and add an additional layer of defense to your subnets. Default firewall rules reject all inbound and outbound traffic. If the subnet of a load balancer or associated backend servers has a firewall associated, the load balancer cannot receive traffic from the Internet or route traffic to backend servers, and backend servers cannot receive traffic from and respond to the load balancer.
Configure an inbound firewall rule to allow traffic from the VPC where the load balancer works to backend servers.
- Log in to the management console.
- In the upper left corner of the page, click and select the desired region and project.
- Click
in the upper left corner of the page and choose Network > Virtual Private Cloud. - In the navigation pane on the left, choose Access Control > Firewall.
- In the firewall list, click the name of the firewall to switch to the page showing its details.
- On the Inbound Rules or Outbound Rules tab page, click Add Rule to add a rule.
- Action: Select Allow.
- Protocol: The protocol must be the same as the one you selected for the listener.
- Source: Set it to the VPC CIDR block.
- Source Port Range: Select a port range.
- Destination: If you keep the default value, 0.0.0.0/0, traffic will be allowed for all destination IP addresses.
- Destination Port Range: Select a port range.
- (Optional) Description: Describe the firewall rule.
- Click OK.