Security groups for your Application Load Balancer

You must ensure that your load balancer can communicate with registered targets on both the listener port and the health check port. Whenever you add a listener to your load balancer or update the health check port for a target group used by the load balancer to route requests, you must verify that the security groups associated with the load balancer allow traffic on the new port in both directions. If they do not, you can edit the rules for the currently associated security groups or associate different security groups with the load balancer. In a VPC, you provide the security group for your load balancer, which enables you to choose the ports and protocols to allow. For example, you can open Internet Control Message Protocol (ICMP) connections for the load balancer to respond to ping requests (however, ping requests are not forwarded to any instances).

Recommended rules

The following rules are recommended for an internet-facing load balancer.

Inbound
Source	Port Range	Comment
0.0.0.0/0	`listener`	Allow all inbound traffic on the load balancer listener port
Outbound
Destination	Port Range	Comment
`instance security group`	`instance listener`	Allow outbound traffic to instances on the instance listener port
`instance security group`	`health check`	Allow outbound traffic to instances on the health check port

The following rules are recommended for an internal load balancer.

Inbound
Source	Port Range	Comment
`VPC CIDR`	`listener`	Allow inbound traffic from the VPC CIDR on the load balancer listener port
Outbound
Destination	Port Range	Comment
`instance security group`	`instance listener`	Allow outbound traffic to instances on the instance listener port
`instance security group`	`health check`	Allow outbound traffic to instances on the health check port

We also recommend that you allow inbound ICMP traffic to support Path MTU Discovery. For more information, see Path MTU Discovery in the Amazon EC2 User Guide for Linux Instances.

Update the associated security groups

You can update the security groups associated with your load balancer at any time.

To update security groups using the console

Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
On the navigation pane, under LOAD BALANCING, choose Load Balancers.
Select the load balancer.
On the Description tab, under Security, choose Edit security groups.
To associate a security group with your load balancer, select it. To remove a security group from your load balancer, clear it.
Choose Save.

To update security groups using the AWS CLI

Use the set-security-groups command.

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Update Availability Zones

Update the address type