
Learn2Skills for AWS Community Builders


Network Load Balancer now supports security groups

NLB support for security groups provides new capabilities to help keep your workloads secure. With this launch, cloud administrators and security teams can enforce security group inbound rules, even when the load balancer converts IPv6 traffic to IPv4 or when the targets are in peered VPCs. Additionally, using security group referencing, application owners can restrict access to resources, ensuring that clients access them only through the load balancer. This can help prevent imbalanced load distribution due to direct client access.

If you are using Kubernetes, you can enable security groups on your NLB by using AWS Load Balancer controller version 2.6.0 or later. Enabling NLB security groups using the controller enhances the nodes' security, as inbound rules can be simplified by referencing the NLB security groups. It also provides scaling improvements, as the controller keeps a constant number of security group rules per cluster.

Considerations

You can associate security groups with a Network Load Balancer when you create it. If you create a Network Load Balancer without associating any security groups, you can't associate them with the load balancer later on. We recommend that you associate a security group with your load balancer when you create it.

After you create a Network Load Balancer with associated security groups, you can change the security groups associated with the load balancer at any time.

Health checks are subject to outbound rules, but not inbound rules. You must ensure that outbound rules don't block health check traffic. Otherwise, the load balancer considers the targets unhealthy.

You can control whether PrivateLink traffic is subject to inbound rules. If you enable inbound rules on PrivateLink traffic, the source of the traffic is the private IP address of the client, not the endpoint interface.

Update the associated security groups

If you associated at least one security group with a load balancer when you created it, you can update the security groups for that load balancer at any time.

To update security groups using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

2. On the navigation pane, under Load Balancing, choose Load Balancers.

3. Select the load balancer.

4. On the Security tab, choose Edit.

5. To associate a security group with your load balancer, select it. To remove a security group from your load balancer, clear it.

6. Choose Save changes.
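The same outcome from the API rather than the console, tying together the points above: the NLB gets its security group at creation time, the targets' security group references the NLB security group so clients cannot reach targets directly, PrivateLink clients are made subject to the inbound rules, and the NLB security group's egress is checked against the health-check path. This is example code added for this article, not a sample from the AWS documentation or the article's author. The group IDs (sg-nlb0001, sg-tgt0001, sg-bastion), the name app-nlb and the two describe-security-groups payloads are constructed assumptions in the shape boto3 returns; only apply() touches AWS and needs boto3 plus credentials.

```python
"""Lock a Network Load Balancer's targets down to the NLB security group.

Example code added for this article, not the AWS documentation's own sample.
Assumed: the NLB security group is sg-nlb0001, the target security group is
sg-tgt0001, the service listens on TCP/443 and the health check uses the
traffic port. The security group payloads below are constructed by hand in
the shape ec2.describe_security_groups() returns; apply() needs real creds.
"""
import ipaddress

# Constructed sample of a target security group that still carries a
# direct-access rule on the service port.
SAMPLE_TARGET_SG = {
    "GroupId": "sg-tgt0001",
    "IpPermissions": [
        # Good: only the NLB security group may reach 443.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-nlb0001"}]},
        # Bad: the whole Internet may bypass the load balancer on 443.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # Unrelated: SSH from a bastion SG is not a bypass of the NLB.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
    ],
}

# Constructed sample of the NLB's own security group. Health checks are
# subject only to its egress rules, never to its inbound rules.
SAMPLE_NLB_SG = {
    "GroupId": "sg-nlb0001",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
    ],
}


def target_ingress_permission(nlb_sg_id, port, protocol="tcp"):
    """IpPermissions entry that admits traffic only from the NLB security group."""
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": nlb_sg_id}]}


def _covers_port(rule, protocol, port):
    if rule["IpProtocol"] == "-1":  # "all traffic" rules carry no port range
        return True
    if rule["IpProtocol"] != protocol:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_target_sg(sg, nlb_sg_id, port, protocol="tcp"):
    """Return every source other than the NLB SG that can reach `port` directly."""
    bypasses = []
    for rule in sg["IpPermissions"]:
        if not _covers_port(rule, protocol, port):
            continue
        bypasses += [r["CidrIp"] for r in rule.get("IpRanges", [])]
        bypasses += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        bypasses += [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]
        bypasses += [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])
                     if g["GroupId"] != nlb_sg_id]
    return bypasses


def health_check_egress_ok(nlb_sg, target_ip, port, protocol="tcp"):
    """True if an egress rule of the NLB SG lets a health check reach target_ip:port."""
    addr = ipaddress.ip_address(target_ip)
    for rule in nlb_sg["IpPermissionsEgress"]:
        if not _covers_port(rule, protocol, port):
            continue
        key = "CidrIp" if addr.version == 4 else "CidrIpv6"
        for r in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            if key in r and addr in ipaddress.ip_network(r[key]):
                return True
        if rule.get("UserIdGroupPairs"):  # egress to a group: assumed to be the target SG
            return True
    return False


def apply(region, subnets, nlb_sg_id, target_sg_id, port):
    """Create the NLB with its SG attached and lock the targets to it (needs boto3 + creds)."""
    import boto3  # imported here so the audit functions work without boto3 installed
    elbv2 = boto3.client("elbv2", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    # Security groups must be attached at creation; a bare NLB cannot get them later.
    lb = elbv2.create_load_balancer(Name="app-nlb", Type="network", Scheme="internet-facing",
                                    Subnets=subnets, SecurityGroups=[nlb_sg_id])
    arn = lb["LoadBalancers"][0]["LoadBalancerArn"]
    # Same call used to change the SGs later; here it also makes PrivateLink
    # clients (seen by their private IP) subject to the inbound rules.
    elbv2.set_security_groups(LoadBalancerArn=arn, SecurityGroups=[nlb_sg_id],
                              EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic="on")
    ec2.authorize_security_group_ingress(GroupId=target_sg_id,
                                         IpPermissions=[target_ingress_permission(nlb_sg_id, port)])
    return arn


if __name__ == "__main__":
    print("direct-access sources on 443:", audit_target_sg(SAMPLE_TARGET_SG, "sg-nlb0001", 443))
    print("health check egress ok:", health_check_egress_ok(SAMPLE_NLB_SG, "10.0.12.34", 443))
```

Run the audit against a real describe-security-groups result before cutting over: any entry it reports on the service port is a path by which clients can skip the NLB and skew its load distribution. The egress check is deliberately pessimistic about group-to-group egress rules; if your NLB security group's egress references a group other than the target group, inspect it by hand.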

Monitor load balancer security groups

Use the SecurityGroupBlockedFlowCount_Inbound and SecurityGroupBlockedFlowCount_Outbound CloudWatch metrics to monitor the count of flows that are blocked by the load balancer security groups. Blocked traffic is not reflected in other metrics. For more information, see CloudWatch metrics for your Network Load Balancer.
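Because blocked flows show up in no other metric, the two counters are the only signal that a rule is silently dropping traffic, so it is worth querying and alarming on them from code. This is example code added for this article, not an AWS sample or the author's own: it assumes the LoadBalancer dimension value "net/app-nlb/0123456789abcdef" and a five-minute period, and METRIC_DATA is a constructed GetMetricData response so the summary runs offline. fetch_and_summarize() and put_blocked_flow_alarm() need boto3 and credentials; the SNS topic ARN passed to the alarm is a placeholder.

```python
"""Query and alarm on the SecurityGroupBlockedFlowCount metrics of an NLB.

Example code added for this article, not an AWS sample. Assumed: the
LoadBalancer dimension value is "net/app-nlb/0123456789abcdef" and metrics
are read at a 300-second period. METRIC_DATA is a constructed GetMetricData
response; the two boto3 functions at the bottom need real credentials.
"""
from datetime import datetime, timedelta, timezone

NAMESPACE = "AWS/NetworkELB"
METRICS = ("SecurityGroupBlockedFlowCount_Inbound",
           "SecurityGroupBlockedFlowCount_Outbound")


def blocked_flow_queries(lb_dimension, period=300):
    """MetricDataQueries for cloudwatch.get_metric_data(): Sum of both metrics."""
    return [{
        "Id": name.lower().replace("securitygroupblockedflowcount_", "blocked_"),
        "MetricStat": {
            "Metric": {"Namespace": NAMESPACE, "MetricName": name,
                       "Dimensions": [{"Name": "LoadBalancer", "Value": lb_dimension}]},
            "Period": period, "Stat": "Sum"},
        "ReturnData": True,
    } for name in METRICS]


# Constructed GetMetricData result: a burst of blocked inbound flows in the
# third period, plus outbound blocks that point at a too-tight egress rule.
METRIC_DATA = {"MetricDataResults": [
    {"Id": "blocked_inbound", "Label": METRICS[0],
     "Timestamps": ["2024-05-01T10:00:00Z", "2024-05-01T10:05:00Z", "2024-05-01T10:10:00Z"],
     "Values": [3.0, 2.0, 417.0]},
    {"Id": "blocked_outbound", "Label": METRICS[1],
     "Timestamps": ["2024-05-01T10:00:00Z", "2024-05-01T10:05:00Z", "2024-05-01T10:10:00Z"],
     "Values": [0.0, 0.0, 12.0]},
]}


def summarize_blocked_flows(metric_data, inbound_threshold=100, outbound_threshold=1):
    """Per metric: total, peak, when the peak happened, and whether it crosses the threshold.

    Inbound blocks are expected (that is the point of the rules), so they alert
    only on a burst. Outbound blocks almost always mean an egress rule is
    dropping health checks or return traffic, so a single one alerts.
    """
    summary = {}
    for result in metric_data["MetricDataResults"]:
        values = result.get("Values", [])
        threshold = inbound_threshold if result["Id"].endswith("inbound") else outbound_threshold
        peak = max(values, default=0.0)
        peak_at = result["Timestamps"][values.index(peak)] if values else None
        summary[result["Id"]] = {"total": sum(values), "peak": peak,
                                 "peak_at": peak_at, "alert": peak >= threshold}
    return summary


def fetch_and_summarize(region, lb_dimension, minutes=60):
    """Pull the last `minutes` of data from CloudWatch and summarize it (needs boto3)."""
    import boto3
    cw = boto3.client("cloudwatch", region_name=region)
    end = datetime.now(timezone.utc)
    data = cw.get_metric_data(MetricDataQueries=blocked_flow_queries(lb_dimension),
                              StartTime=end - timedelta(minutes=minutes), EndTime=end)
    return summarize_blocked_flows(data)


def put_blocked_flow_alarm(region, lb_dimension, topic_arn, threshold=100):
    """Alarm on a burst of blocked inbound flows; outbound gets its own alarm at 1."""
    import boto3
    cw = boto3.client("cloudwatch", region_name=region)
    for name, limit in zip(METRICS, (threshold, 1)):
        cw.put_metric_alarm(
            AlarmName=f"{lb_dimension.split('/')[1]}-{name}",
            Namespace=NAMESPACE, MetricName=name,
            Dimensions=[{"Name": "LoadBalancer", "Value": lb_dimension}],
            Statistic="Sum", Period=300, EvaluationPeriods=1, Threshold=limit,
            ComparisonOperator="GreaterThanOrEqualToThreshold",
            TreatMissingData="notBreaching", AlarmActions=[topic_arn])


if __name__ == "__main__":
    for metric, info in summarize_blocked_flows(METRIC_DATA).items():
        print(metric, info)
```

The asymmetric thresholds encode the article's caveat: an inbound block is the security group doing its job, while an outbound block usually means an egress rule is dropping health-check traffic and targets are about to be marked unhealthy.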


Refer - Security groups for your Network Load Balancer
