About Security Groups in LBU

Traffic between a load balancer and its back-end virtual machines (VMs) is filtered by security groups. You must configure these security groups to use a load balancer, whether it is internal or Internet-facing.

General Information About Security Groups for Load Balancers

The configuration of security groups for load balancers and back-end VMs depends on where the load balancer is created: in the public Cloud or in a Net.

All the security groups of your load balancers and back-end VMs must allow inbound TCP flows on the port you want to use (for example, port 80 for HTTP).

The back-end VMs of a load balancer can share a single security group, or each can use its own. A VM can belong to one or more security groups, and can therefore accept flows both from the load balancer and from another source (for example, another VM or the Internet).

Once a load balancer is associated with a security group, you cannot disassociate it from that security group to associate it with another one. However, you can modify the rules of this security group at any time. For this reason, prefer a security group dedicated to the load balancer rather than one shared with other resources: any rule you later add for the load balancer also applies to every other member of the group.

Security Groups Configuration for Load Balancers in the Public Cloud

In this architecture, the load balancer receives inbound flows from the Internet and sends outbound flows to back-end VMs in the public Cloud. For security groups in the public Cloud, you only need to specify rules for inbound flows (source).

The security group of the load balancer, named outscale-elb-sg, is created and configured automatically. You only need to configure a listener so that the load balancer receives requests in a specified protocol and on a specified port.

This security group belongs to 3DS OUTSCALE; you reference it when configuring the security groups of your back-end VMs. You cannot modify it or perform any action on it, so it does not appear in Cockpit, but it is visible through the APIs.

The security groups of back-end VMs must allow inbound flows coming from the security group of the load balancer. To reference it, specify outscale-elb-sg as the security group name and, because this security group belongs to 3DS OUTSCALE and not to your account, outscale-elb as its owner.

Security Groups Configuration for Load Balancers in a Net

In a Net, the configuration of security groups depends on your architecture, that is, whether the load balancer receives requests from the Internet (Internet-facing) or from one or more VMs of the Net (internal).

Unlike in the public Cloud, no security group is automatically associated with a load balancer created in a Net. You must therefore create a security group, associate it with each load balancer you create in a Net, and configure it with the proper rules.

In a Net, you must specify rules for both inbound flows (source) and outbound flows (destination). A flow between two resources is allowed only if the outbound rules of the source and the inbound rules of the destination both permit it.

Configuration for Internet-facing Load Balancers in a Net

In this architecture, the load balancer receives inbound flows coming from the Internet and sends outbound flows to back-end VMs in a Net.

The security group of the load balancer must:

  • Allow inbound flows coming from the Internet (source 0.0.0.0/0) on the listener port

  • Allow outbound flows going to the security groups of back-end VMs

If you use different security groups for your back-end VMs, you must specify all of them in the outbound rules of the load balancer's security group: a back-end VM whose security group is missing from these rules receives no traffic from the load balancer.

The security groups of back-end VMs must:

  • Allow inbound flows coming from the security group of the load balancer

  • (optional) Allow outbound flows going to any resource you need; responses to the requests of the load balancer are allowed automatically and need no outbound rule

Configuration for Internal Load Balancers in a Net

In this architecture, the load balancer receives inbound flows from one or more VMs of the Net and sends outbound flows to back-end VMs.

The security group of the load balancer must:

  • Allow inbound flows coming from the security groups of the VMs that send it requests

  • Allow outbound flows going to the security groups of back-end VMs

If you use different security groups for your back-end VMs, you must specify all of them in the outbound rules of the load balancer's security group. Likewise, the security groups of the VMs that send requests must allow outbound flows going to the security group of the load balancer.

The security groups of back-end VMs must:

  • Allow inbound flows coming from the security group of the load balancer

  • (optional) Allow outbound flows going to any resource you need
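The three configurations described on this page (back-end security groups in the public Cloud, and the Internet-facing and internal cases in a Net) are modelled below as an added example; this is not OUTSCALE's code. The field names of each rule follow the OAPI CreateSecurityGroupRule parameters (Flow, IpProtocol, FromPortRange, ToPortRange, IpRange, SecurityGroupNameToLink, SecurityGroupAccountIdToLink) as assumed by the example, so check them against the API reference before sending real requests. The account id, the group names web-a-sg, web-b-sg, lb-sg, front-sg, internal-lb-sg, app-sg and backend-sg, and the ports are constructed; outscale-elb-sg and its owner outscale-elb come from the page. The evaluator is a simplified model: it matches only the 0.0.0.0/0 CIDR, and it treats security groups as stateful, so response traffic needs no rule of its own.

```python
"""Offline model of the security group rules this page describes for load balancers.
Added example, not OUTSCALE's code: rule field names mirror the OAPI
CreateSecurityGroupRule parameters as assumed here, account ids/group names/ports
are constructed, only the 0.0.0.0/0 CIDR is matched, and groups are treated as
stateful (response traffic needs no rule of its own)."""
from dataclasses import dataclass, field
from typing import List, Optional

ANY_IPV4 = "0.0.0.0/0"
MY_ACCOUNT = "123456789012"          # constructed placeholder account id
OUTSCALE_ELB_SG = "outscale-elb-sg"  # automatic LB group in the public Cloud (from the page)
OUTSCALE_ELB_OWNER = "outscale-elb"  # owner to name when referencing it (from the page)

@dataclass(frozen=True)
class Rule:
    flow: str                        # "Inbound" or "Outbound"
    protocol: str = "tcp"
    from_port: int = 0
    to_port: int = 65535
    ip_range: Optional[str] = None   # CIDR peer ...
    sg_name: Optional[str] = None    # ... or a security group as peer
    sg_owner: Optional[str] = None   # owner of sg_name when it is not the rule's own account

    def matches(self, peer, port, proto, own_account) -> bool:
        if self.protocol != proto or not self.from_port <= port <= self.to_port:
            return False
        if self.sg_name is None:
            return self.ip_range == ANY_IPV4    # only "any address" is modelled
        if peer is None:                        # the Internet never matches a group reference
            return False
        return self.sg_name == peer.name and (self.sg_owner or own_account) == peer.owner

@dataclass
class SecurityGroup:
    name: str
    owner: str = MY_ACCOUNT
    rules: List[Rule] = field(default_factory=list)

    def allows(self, flow, peer, port, proto="tcp") -> bool:
        return any(r.flow == flow and r.matches(peer, port, proto, self.owner) for r in self.rules)

def flow_allowed(src: Optional[SecurityGroup], dst: SecurityGroup, port: int, in_net: bool) -> bool:
    """src -> dst:port over TCP; src=None is the Internet. Public Cloud checks only the
    destination's inbound rules; a Net also requires the source's outbound rules to allow dst."""
    if not dst.allows("Inbound", src, port):
        return False
    return not (in_net and src is not None and not src.allows("Outbound", dst, port))

def check_load_balancer(lb_sg, backends, clients, port, in_net) -> List[str]:
    """One message per blocked hop; an empty list means the whole chain is open."""
    problems = [f"{c.name if c else 'Internet'} -> {lb_sg.name}:{port} blocked"
                for c in clients if not flow_allowed(c, lb_sg, port, in_net)]
    problems += [f"{lb_sg.name} -> {b.name}:{port} blocked"
                 for b in backends if not flow_allowed(lb_sg, b, port, in_net)]
    return problems

def to_oapi_payload(sg_id: str, rule: Rule) -> dict:
    """Body of one CreateSecurityGroupRule call (parameter names assumed; check the API reference)."""
    body = {"SecurityGroupId": sg_id, "Flow": rule.flow, "IpProtocol": rule.protocol,
            "FromPortRange": rule.from_port, "ToPortRange": rule.to_port}
    if rule.sg_name is None:
        body["IpRange"] = rule.ip_range
    else:
        body["SecurityGroupNameToLink"] = rule.sg_name
        if rule.sg_owner is not None:
            body["SecurityGroupAccountIdToLink"] = rule.sg_owner
    return body

def public_cloud_backend(port: int = 80) -> List[str]:
    """Public Cloud: the LB group is OUTSCALE's; only the back-end inbound rule is yours to write."""
    elb_sg = SecurityGroup(OUTSCALE_ELB_SG, owner=OUTSCALE_ELB_OWNER)
    backend = SecurityGroup("backend-sg", rules=[
        Rule("Inbound", "tcp", port, port, sg_name=OUTSCALE_ELB_SG, sg_owner=OUTSCALE_ELB_OWNER)])
    return check_load_balancer(elb_sg, [backend], [], port, in_net=False)

def net_internet_facing(port: int = 443, forget_second_backend: bool = False) -> List[str]:
    """Internet-facing LB in a Net with two back-end groups; optionally leave one out of the LB outbound rules."""
    web_a, web_b = SecurityGroup("web-a-sg"), SecurityGroup("web-b-sg")
    lb_sg = SecurityGroup("lb-sg", rules=[Rule("Inbound", "tcp", port, port, ip_range=ANY_IPV4),
                                          Rule("Outbound", "tcp", port, port, sg_name=web_a.name)])
    if not forget_second_backend:
        lb_sg.rules.append(Rule("Outbound", "tcp", port, port, sg_name=web_b.name))
    for sg in (web_a, web_b):
        sg.rules.append(Rule("Inbound", "tcp", port, port, sg_name=lb_sg.name))
    return check_load_balancer(lb_sg, [web_a, web_b], [None], port, in_net=True)

def net_internal(port: int = 8080) -> List[str]:
    """Internal LB in a Net: client VMs -> LB -> back-end VMs, each hop referenced by group name."""
    front = SecurityGroup("front-sg", rules=[Rule("Outbound", "tcp", port, port, sg_name="internal-lb-sg")])
    lb_sg = SecurityGroup("internal-lb-sg", rules=[Rule("Inbound", "tcp", port, port, sg_name=front.name),
                                                   Rule("Outbound", "tcp", port, port, sg_name="app-sg")])
    app = SecurityGroup("app-sg", rules=[Rule("Inbound", "tcp", port, port, sg_name=lb_sg.name)])
    return check_load_balancer(lb_sg, [app], [front], port, in_net=True)

if __name__ == "__main__":
    print("public Cloud:", public_cloud_backend() or "ok")
    print("Net, Internet-facing:", net_internet_facing() or "ok")
    print("Net, Internet-facing, one back-end group forgotten:", net_internet_facing(forget_second_backend=True))
    print("Net, internal:", net_internal() or "ok")
```

Running the script reports every hop of each chain as open except in the case where the second back-end group was left out of the load balancer's outbound rules, which is flagged as "lb-sg -> web-b-sg:443 blocked": this is the mistake the rule about specifying all back-end security groups is meant to prevent. The public Cloud case passes with only an inbound rule on the back-end group because outbound rules are not evaluated there, whereas in a Net the same configuration would fail at the load balancer's outbound side.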
