Posted On: Aug 10, 2023

Amazon Network Load Balancers (NLB) now supports security groups, enabling you to filter the traffic that your NLB accepts and forwards to your application. Using security groups, you can configure rules to help ensure that your NLB only accepts traffic from trusted IP addresses, and centrally enforce access control policies. This improves your application's security posture and simplifies operations.

NLB support for security groups provides new capabilities to help keep your workloads secure. With this launch, cloud administrators and security teams can enforce security group inbound rules, even when the load balancer converts IPv6 traffic to IPv4 or when the targets are in peered VPCs. Additionally, using security group referencing, application owners can restrict access to resources, ensuring that clients access them only through the load balancer. This can help prevent imbalanced load distribution due to direct client access.

To get started, create a new NLB with security groups using the ELB API or the Amazon Web Services Management console. After creation, you can change the security groups attached to your NLB, and use Cloudwatch metrics and VPC Flow Logs to capture detailed information about the traffic rejected by your security group rules.

If you are using Kubernetes, you can enable security groups on your NLB by using Amazon Load Balancer controller version 2.6.0 or later. Enabling NLB security groups using the controller enhances the nodes' security, as inbound rules can be simplified by referencing the NLB security groups. It also provides scaling improvements, as the controller keeps a constant number of security group rules per cluster.

Amazon Network Load Balancer Security Groups support is available in both Amazon Web Services China (Beijing) Region, operated by Sinnet, and Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more, please visit the NLB documentation page.