Configure ALB security groups with AlbConfig

更新时间:
复制 MD 格式

Attach security groups to ALB instances via AlbConfig to manage ALB traffic securely, with related security policies and configuration guidance.

Prerequisites

Make sure you have:

Note

If you use an ACK dedicated cluster with ALB Ingress, authorize the cluster to access the ALB Ingress Controller add-on before you deploy services.

Add security groups to the AlbConfig

Step 1: Get the security group ID

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Network & Security > Security Groups.

  3. In the top navigation bar, select the resource group and region.

  4. Copy the security group ID.

Step 2: Add security groups to the AlbConfig

Add the securityGroupIds field under spec.config in your AlbConfig manifest. Specify security group IDs based on your quota and security group type.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    name: alb-test
    addressType: Intranet
    zoneMappings:
    - vSwitchId: vsw-uf6k2yoy*************
    - vSwitchId: vsw-uf6pv7wg*************
    securityGroupIds:                        # Security group IDs
      - sg-uf6blkp8************             # First security group
      - sg-djladhla************             # Second security group
    addressAllocatedMode: Fixed
  listeners:
    - port: 80
      protocol: HTTP

Field

Type

Description

securityGroupIds

String array

Security group IDs to attach to the ALB instance. Must be in the same VPC and of the same type (all basic or all advanced).

Apply the AlbConfig:

kubectl apply -f albconfig.yaml

Step 3: Verify the configuration

Check the AlbConfig:

kubectl get albconfig alb -o yaml

Verify that the output includes the security group IDs under spec.config.securityGroupIds.

Constraints and behavior

ALB instance requirements

Important

Upgraded ALB instances support both security groups and ACLs. Non-upgraded instances support only ACLs. New instances are upgraded by default. To upgrade existing instances, contact your account manager.

Security group and ACL mutual exclusion

Security groups and ACLs cannot coexist on the same ALB instance. To switch between them:

  1. Remove the current configuration (security group or ACL) from the AlbConfig.

  2. Save the AlbConfig and wait for the change to take effect.

  3. Add the new configuration.

Supported security group types

ALB supports basic security groups and advanced security groups. Managed security groups are not supported. See Basic security groups and advanced security groups.

Constraint

Description

Same VPC

The security group and ALB instance must be in the same VPC.

Same type

All security groups on an ALB instance must be the same type. To switch types, remove the instance from all existing security groups first.

Quota: security groups

Maximum security groups per ALB instance = Security group quota for all backend Elastic Compute Service (ECS) instances or elastic network interfaces (ENIs) minus 1 (reserved for the managed security group).

Quota: rules

Maximum effective rules per ALB instance = Security group rule quota for all backend ECS instances or ENIs minus the number of rules in the ALB managed security group.

Update behavior

When you modify the securityGroupIds list, the controller binds new security groups before unbinding removed ones. For example, changing from sg-1, sg-2, sg-3 to sg-3, sg-4, sg-5 adds sg-4 and sg-5 before removing sg-1 and sg-2.

Limit changes per update to stay within quota.

Default traffic behavior

After an ALB instance joins a security group without Deny rules, all listener ports allow all traffic by default. To restrict access to specific IP addresses, add a Deny rule. Do not configure outbound Deny rules in security groups for ALB instances to avoid service interruptions. See Scenarios.

Backend service connectivity

Configure security policies for nodes, ENIs, and pods in the ACK cluster to allow ALB traffic. In backend security group rules, allow the CIDR block of the ALB instance's vSwitch to maintain service connectivity.