
Security groups

The AWS Load Balancer Controller classifies security groups into two categories: frontend and backend.

Frontend Security Groups

Frontend security groups control which clients can access the load balancers. The frontend security groups can be configured with the alb.ingress.kubernetes.io/security-groups annotation on the Ingress resources. If the annotation is not specified, the LBC will create one security group per load balancer, allowing traffic from inbound-cidrs to listen-ports.

Backend Security Groups

A single shared backend security group controls the traffic between load balancers and their target EC2 instances or ENIs. This security group is attached to the load balancers and is used as the traffic source in the ENI/Instance security group rules. The backend security group is shared between multiple load balancers.

The controller flag --enable-backend-security-group (default true) enables or disables the shared backend security group. The flag --backend-security-group (default empty) passes in the security group to use as the shared backend security group. If it is empty, the LBC will auto-generate a security group with the following name and tags:

name: k8s-traffic-<cluster_name>-<hash_of_cluster_name>
tags: 
    elbv2.k8s.aws/cluster: <cluster_name>
    elbv2.k8s.aws/resource: backend-sg

You can turn off the shared backend security group feature by setting --enable-backend-security-group to false. However, if you have a high number of Ingress resources with frontend security groups auto-generated by the controller, you might run into security group rule limits on the instance/ENI security groups.

Management of Backend Security Group Rules

When the LBC auto-creates the frontend security group for a load balancer, it automatically adds the security group rules to allow traffic from the load balancer to the backend instances/ENIs.

When the frontend security group is specified via the alb.ingress.kubernetes.io/security-groups annotation, the controller by default will not add any security group rules to the backend instances/ENIs. Automatic management of the instance/ENI security group rules can be controlled via the additional annotation alb.ingress.kubernetes.io/manage-backend-security-group-rules on the Ingress resource. When this annotation is set to true, the security group rules are automatically managed by the controller. The annotation is ignored for auto-generated security groups. The controller flag --enable-backend-security-group must be true if alb.ingress.kubernetes.io/manage-backend-security-group-rules is specified; otherwise it is an error.

Port Range Restrictions for Backend Security Group Rules

As of version v2.3.0, the controller will by default restrict the backend security group rules to specific port ranges. You can set the controller flag --disable-restricted-sg-rules to true to get the backend security group rules to allow traffic to ALL ports.
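
The annotation and flag interactions described in the two sections above can be checked before an Ingress is applied. The following is an added example, not part of the controller or its documentation: the function name, finding codes and the sample security group ID are hypothetical, and the annotations are passed in as a plain dict.

```python
# Added example: lint one Ingress's annotations against the controller flags.
PREFIX = "alb.ingress.kubernetes.io/"
SG = PREFIX + "security-groups"
MANAGE = PREFIX + "manage-backend-security-group-rules"


def lint_ingress(annotations, enable_backend_sg=True, disable_restricted_sg_rules=False):
    """Return sorted (level, code) findings; names and codes are hypothetical."""
    findings = set()
    has_sg = bool(annotations.get(SG, "").strip())  # operator-supplied frontend SGs
    manage_set = MANAGE in annotations
    manage_true = annotations.get(MANAGE, "").strip().lower() == "true"

    # The page: the flag must be true whenever the annotation is specified.
    if manage_set and not enable_backend_sg:
        findings.add(("error", "manage-rules-needs-backend-sg-flag"))
    # The page: the annotation is ignored for auto-generated frontend SGs.
    if manage_set and not has_sg:
        findings.add(("info", "manage-rules-annotation-ignored"))
    # The page: with explicit frontend SGs the controller adds no backend rules
    # by default, so target SGs must already admit the load balancer.
    if has_sg and not manage_true:
        findings.add(("warn", "backend-rules-unmanaged"))
    # Rules are controller-managed for auto-generated SGs or manage=true.
    controller_manages = (not has_sg) or manage_true
    if disable_restricted_sg_rules and controller_manages:
        findings.add(("warn", "backend-rules-allow-all-ports"))
    # The page: many auto-generated frontend SGs without the shared backend SG
    # can hit rule limits on instance/ENI security groups.
    if not enable_backend_sg and not has_sg:
        findings.add(("info", "rule-limit-risk"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample: explicit frontend SG (placeholder ID), rules unmanaged.
    sample = {SG: "sg-0123456789abcdef0"}
    for level, code in lint_ingress(sample):
        print(level, code)
```

The error check follows the page literally and fires whenever the manage annotation is present while --enable-backend-security-group is false.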