About Security Groups in LBU

The network relationship between a load balancer and its backend virtual machines (VMs) is based on flow controls performed by security groups that you must configure to use a load balancer, either internal or Internet-facing.

General Information About Security Groups for Load Balancers

The configuration of security groups for load balancers and backend VMs depends on the type of platform the load balancer is in (public Cloud or Net).

All the security groups of your load balancers and backend VMs must allow inbound flows using the TCP protocol on the port you want (for example, port 80 if you want to use the HTTP protocol).

Backend VMs of the same load balancer can use the same security group, or you can use separate security groups for each backend VM. Each VM can use one or more security groups, and can therefore receive flows coming from both the load balancer and another source (for example, another VM or the Internet).

You can modify the security groups associated with a load balancer at any time. For more information, see Modifying the Attributes of a Load Balancer.

Security Groups Configuration for Load Balancers in the Public Cloud

In this architecture, the load balancer receives inbound flows coming from the Internet and sends outbound flows to backend VMs in the public Cloud. You only need to specify rules for inbound flows (source) for security groups in the public Cloud.

The security group of the load balancer is automatically created and configured (outscale-elb-sg). You only need to configure a listener for the load balancer to receive requests in a specified protocol and on a specified port.

This security group is owned by 3DS OUTSCALE and is what you reference when configuring the security groups of backend VMs. You cannot modify it or perform any action on it, and it therefore does not appear in Cockpit, but it is visible through the APIs.

The security groups of backend VMs must allow inbound flows coming from the security group of the load balancer. The security group name to specify is outscale-elb-sg. As this security group belongs to 3DS OUTSCALE and not to your account, you also need to specify outscale-elb as the security group owner.

Security Groups Configuration for Load Balancers in a Net

In a Net, the configuration of security groups depends on your architecture, that is, whether flows go from a load balancer to backend VMs or from one or more VMs to a load balancer.

Unlike the public Cloud, no security group is automatically associated with a load balancer created in a Net. Therefore, you must create a security group to associate with any load balancer you create in a Net and configure it with proper rules.

In a Net, you must specify rules for both inbound flows (source) and outbound flows (destination).

Configuration for Internet-facing Load Balancers in a Net

In this architecture, the load balancer receives inbound flows coming from the Internet and sends outbound flows to backend VMs in a Net.

The security group of the load balancer must:

  • Allow inbound flows coming from the Internet

  • Allow outbound flows going to the security groups of backend VMs

If you use different security groups for your backend VMs, you must specify all of them in the outbound flows rules.

The security groups of backend VMs must:

  • Allow inbound flows coming from the security group of the load balancer

  • (optional) Allow outbound flows going to any resource you need

Configuration for Internal Load Balancers

In this architecture, the load balancer receives inbound flows coming from one or more VMs of the Net and sends outbound flows to backend VMs.

The security group of the load balancer must:

  • Allow inbound flows coming from the security groups of the VMs that send it requests

  • Allow outbound flows going to the security groups of backend VMs

If you use different security groups for your backend VMs, you must specify all of them in the outbound flows rules.

The security groups of backend VMs must:

  • Allow inbound flows coming from the security group of the load balancer

  • (optional) Allow outbound flows going to any resource you need
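The following checker, an added example that is not part of this page or of the OUTSCALE tooling, compares a set of security group rules against the requirements listed above for both Internet-facing and internal load balancers in a Net. Rules are modelled as simple TCP (flow, port, peer) entries; the security group IDs and the sample configuration are constructed for the example.

```python
from dataclasses import dataclass

ANY = "0.0.0.0/0"  # CIDR that matches every source or destination

@dataclass(frozen=True)
class Rule:
    flow: str      # "Inbound" or "Outbound"
    port: int      # TCP port (the page only requires TCP)
    peer: str      # CIDR such as "0.0.0.0/0", or a security group ID (constructed here)

def _allows(rules, flow, port, peer):
    """True if some rule matches the flow, the port and the peer
    (a rule whose peer is 0.0.0.0/0 matches any peer)."""
    return any(r.flow == flow and r.port == port and r.peer in (peer, ANY) for r in rules)

def check_net_load_balancer(sgs, lb_sg, backend_sgs, port, sources):
    """Compare security group rules with the page's requirements for a load
    balancer in a Net. Returns (problems, warnings): problems are required
    rules that are absent; warnings are rules wider than the page asks for.
    sgs:         {sg_id: [Rule, ...]} for every security group involved
    lb_sg:       ID of the load balancer's security group
    backend_sgs: IDs of all backend VM security groups
    sources:     peers the load balancer must accept requests from
                 (ANY for Internet-facing, client VM SG IDs for internal)"""
    problems, warnings = [], []
    for src in sources:
        if not _allows(sgs[lb_sg], "Inbound", port, src):
            problems.append(f"{lb_sg}: no inbound tcp/{port} from {src}")
    for b in backend_sgs:
        if not _allows(sgs[lb_sg], "Outbound", port, b):
            problems.append(f"{lb_sg}: no outbound tcp/{port} to {b}")
        if not _allows(sgs[b], "Inbound", port, lb_sg):
            problems.append(f"{b}: no inbound tcp/{port} from {lb_sg}")
        elif any(r.flow == "Inbound" and r.port == port and r.peer == ANY for r in sgs[b]):
            warnings.append(f"{b}: inbound tcp/{port} open to {ANY}, not just {lb_sg}")
    return problems, warnings

# Constructed sample: Internet-facing load balancer on port 80 in a Net with two
# backend security groups. sg-backend-b is missing from the load balancer's outbound
# rules, and sg-backend-a accepts port 80 from anywhere rather than from sg-lb only.
SAMPLE_SGS = {
    "sg-lb":        [Rule("Inbound", 80, ANY), Rule("Outbound", 80, "sg-backend-a")],
    "sg-backend-a": [Rule("Inbound", 80, ANY)],
    "sg-backend-b": [Rule("Inbound", 80, "sg-lb")],
}

if __name__ == "__main__":
    problems, warnings = check_net_load_balancer(
        SAMPLE_SGS, "sg-lb", ["sg-backend-a", "sg-backend-b"], 80, [ANY])
    print("\n".join(problems + warnings))
```

The same function covers the internal case by passing the client VMs' security group IDs as `sources` instead of `ANY`.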

Related Pages