About Security Groups in LBU

The network relationship between a load balancer and its back-end instances is based on flow controls performed by security groups that you must configure to use a load balancer, either internal or Internet-facing.

General Information About Security Groups for Load Balancers

The configuration of security groups for load balancers and back-end instances depends on the type of platform in which the load balancer is (public Cloud or Virtual Private Cloud).

All the security groups of your load balancers and back-end instances must allow inbound flows in TCP protocol on the port you want (port 80 if you want to use HTTP protocol).

Back-end instances of a same load balancer can use the same security group, or you can use separate security groups for each back-end instance. Each instance can use one or more security groups, and can therefore receive flows coming from both the load balancer and another source (for example another instance or the Internet).

Once a load balancer is associated with a security group, you cannot disassociate them and associate the load balancer with another security group. However, you can modify the rules of this security group at any time.

Security Groups Configuration for Load Balancers in the Public Cloud

In this architecture, the load balancer receives inbound flows coming from the Internet and sends outbound flows to back-end instances in the public Cloud. You only need to specify rules for inbound flows (source) for security groups in the public Cloud.

The security group of the load balancer is automatically created and configured (outscale-elb-sg). You only need to configure a listener for the load balancer to receive requests in a specified protocol and on a specified port.

This security group is owned by 3DS OUTSCALE and enables you to configure the security groups of back-end instances. You cannot modify or perform any action on it, and it therefore does not appear in Cockpit, but is visible with the APIs.

The security groups of back-end instances must allow inbound flows coming from the security group of the load balancer. The name of this security group that you need to specify is outscale-elb-sg. As this security group belongs to 3DS OUTSCALE and not to your account, you also need to specify outscale-elb as the security group owner.

Security Groups Configuration for Load Balancers in a VPC

In a VPC, the configuration of security groups depends on your architecture, that is whether flows go from a load balancer to back-end instances or from one or more instances to a load balancer.

Unlike the public Cloud, no security group is automatically associated with a load balancer created in a VPC. Therefore, you must create a security group to associate with any load balancer you create in a VPC and configure it with proper rules.

In a VPC, you must specify rules for both inbound flows (source) and outbound flows (destination).

Configuration for Internet-facing Load Balancers in a VPC

In this architecture, the load balancer receives inbound flows coming from the Internet and sends outbound flows to back-end instances in a VPC.

The security group of the load balancer must:

  • Allow inbound flows coming from the Internet

  • Allow outbound flows going to the security groups of back-end instances

If you use different security groups for your back-end instances, you must specify all of them in the outbound flows rules.

The security groups of back-end instances must:

  • Allow inbound flows coming from the security group of the load balancer

  • (optional) Allow outbound flows going to any resource you need.

Configuration for Internal Load Balancers

In this architecture, the load balancer receives inbound flows coming from one or more instances of the VPC and sends outbound flows to back-end instances.

The security group of the load balancer must:

  • Allow inbound flows coming from the security groups of the instances that send it requests

  • Allow outbound flows going to the security groups of back-end instances

If you use different security groups for your back-end instances, you must specify all of them in the outbound flows rules.

The security groups of back-end instances must:

  • Allow inbound flows coming from the security group of the load balancer

  • (optional) Allow outbound flows going to any resource you need

Related Pages