AWS NLB Security Group
AWS provides all sorts of managed services, all derived from customer use cases. Within these managed services, users get capabilities jam packed with tons of awesome features such as automatic high availability, scalability, and redundancy.
AWS takes care of the provisioning of the underlying hardware and management of all of their managed services, including those for the Network Load Balancing service. That means you get automatic provisioning of nodes that are implemented in such a way to provide for fault tolerance and high availability of the overall service.
You’ll never have to worry about your load balancer needing more resources!
Since users are now able to build on top of solutions like a network load balancer (NLB), it may be a common question to ask, whether or not it comes with the ability for users to restrict access through the use of Security Groups.
For reference, Cloud Dropout has asked this in repost.aws:
https://repost.aws/questions/QUuueXAi20QuisbkOhinnbzQ/aws-nlb-security-group
Does AWS NLB have security group?
In essence, the network load balancer does not actually have a security group feature enabled. Rather, you will have to use the security group associated with your EC2 instance to establish and maintain those connections.
Basically, you will have the ability to either use the security group function already associated with your EC2 Instance’s network card (ENI), a VPC Network Access Control List (NACL), AWS Network Firewall, or some other type of marketplace solution to provide the necessary security controls that you are seeking.
If you’re in the market for just a stateful firewall, then just using your Security Group on the EC2 instance is more than sufficient.
Read more here:
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html
Can I attach security group to NLB?
You do not have the ability to attach a security group to a network load balancer.
For a list of helpful features for your NLB, read more here:
https://aws.amazon.com/elasticloadbalancing/features/
How do I protect my AWS NLB?
You should always be thinking of how you can best posture your virtual environment from any malicious attacks, ranging from ransomware, DDoS, or any other type of advanced threat to take down your systems.
The best way to protect yourself when using an AWS network load balancer, is to simply rely on the fact that it’s a managed service. Having a load balancer as a managed service means that AWS actually takes care of all the underlying hardware and infrastructure required to maintain the overall service.
Security, patches, and all the underpinnings to creating a network load balancer are completely managed for you. Therefore, all you have to do is worry about how you can begin to protect your data that resides on top of this managed infrastructure.
A good way to do that, is to implement security groups onto your backend resources such as on your EC2 instances, and perhaps even more granular mechanism such as network access control lists that are available for use within your AWS VPC.
Do Albs have security groups?
Unlike network load balancers, application load balancers do have the ability to have security groups associated with them. All you have to do, is create your security group with the necessary rules and permissions, then promptly associate it with your ALB.
A best practice in terms of allowing traffic, is to have it to where all traffic is entered into your VPC only through this initial point of entry, and if you have other security groups attached to your backend resources, then you will want to associate their security groups directly to your ALB’s security group.
Final Thoughts
Knowing what both a network load balancer (NLB) and security group does in practice, is very important.
You’ll also want to understand how both services interact with each other and how to architect your applications while using them.
For simplicity, NLB’s do not have the feature to allow security groups be attached to them, but rather directly route traffic to your backend resources specified in its’ creation.