Dieser Inhalt ist in der ausgewählten Sprache nicht verfügbar

Wir arbeiten ständig daran, Inhalte in der ausgewählten Sprache bereitzustellen. Vielen Dank für deine Geduld.

How do I attach a security group to my Elastic Load Balancer?

Lesedauer: 3 Minute

How do I configure and attach a security group to my Elastic Load Balancing (ELB) load balancer?

Resolution

If you're using a Classic Load Balancer, follow instructions at Manage security groups using the console or Manage security groups using the AWS CLI.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

If you're using an Application Load Balancer, follow the instructions at Security groups for your Application Load Balancer.

If you're using a Network Load Balancer, update the security groups for your target instances because Network Load Balancers don't have associated security groups.

If your target type is an IP and the target group protocol is TCP/TLS/UDP/TCP_UDP - TCP/TLS, then the protocol defaults to load balancer private IP as the source IP. This means that it's a best practice to allowlist load balancer private IPs on your target security group. UDP/TCP_UDP defaults to preserve client IP addresses. This means that it's a best practice to allowlist client IPs in the target security group.

Note: If preserve client IP isn't activated and the target security groups are allow-listing load balancer private IPs, then you are allowing all incoming traffic to access your service. If your service is designed to be access-restricted to specific CIDR ranges, then use network access control list (network ACL) to allow-list specific CIDRs and deny the rest. Or, you can activate client IP preservation and set up restrictions on the target security group as discussed later.

If your target type is an instance and the target group protocol is TCP/ TLS/ UDP/TCP_UDP, then the default behavior of the Network Load Balancer is to preserve the client IP address. If the client IP preservation setting remains at the default value, then it's a best practice to allowlist client IP addresses on your target security group.

As needed, you can change the default client IP preservation behavior for TCP/TLS target groups by setting a target group attribute "preserve_client_ip.enabled." It's not possible to change this behavior for UDP/TCP_UDP protocol target groups. Depending on whether client IP preservation is active or not active (based on your configuration choices), it's a best practice to adjust the IP CIDRs allow-listed on the target security groups. If the client IP preservation is activated, then it's a best practice to allowlist client IP addresses. If it's not active, then it's a best practice to allowlist load balancer private IP addresses. For more information on client IP preservation behavior of the Network Load Balancer, see Target groups for your Network Load Balancers.

Note: Make sure that you associate at least one security group with each Classic or Application Load Balancer, and that the security group allows connections between the load balancer and associated backend instances.

Related information

Monitor your Classic Load Balancer

Monitor your Application Load Balancers

Themen

Vernetzung & Bereitstellung von Inhalten

Relevanter Inhalt

Wie behebe ich 504-Fehler, die bei der Verwendung eines Application Load Balancer auftreten?
AWS OFFICIALAktualisiert vor einem Jahr
Wie migriere ich von Classic Load Balancer zu Application Load Balancer oder Network Load Balancer?
AWS OFFICIALAktualisiert vor 4 Monaten
Ich benötige eine statische IP-Adresse für meinen Application Load Balancer. Wie kann ich einen Application Load Balancer hinter einem Network Load Balancer registrieren?
AWS OFFICIALAktualisiert vor 7 Monaten
Wie behebe ich 503-Fehler (Service nicht verfügbar) von meinem Application Load Balancer?
AWS OFFICIALAktualisiert vor einem Jahr