LBaaS Backend Server Security
For public LBs, you must configure the VCN NSGs or security lists of the backend servers so that they accept traffic only from the public LBs. You do this by updating the security lists used by the backend server subnets to permit ingress traffic from the LB subnet.
For example, if the LB is in subnet 10.0.4.0/24 and you are balancing traffic for web servers, you must add a stateful ingress rule that permits TCP traffic from source CIDR 10.0.4.0/24, from any source port, to destination port 80. This rule admits only traffic that arrives from the LB subnet.
The security lists of the VCN subnets (or the NSGs, if used) need to be updated after the LB, listener and backends have been created. Typically a load balancer is created in a different subnet than the backend servers; for example, a public LB created in a public subnet forwards traffic to backend servers in a private subnet.
The LB can also be created in the same subnet as a backend server, although this is not recommended. In either case, the security lists of every subnet that hosts the LB or a backend server need to be updated.
- Allow egress traffic to the backend server on Subnet1
- Allow egress traffic to the backend server on Subnet2
  - Source Type: CIDR
  - Source CIDR: 0.0.0.0/0
  - IP Protocol: TCP
  - Destination Port Range: 80 (listener port)
If the LB is in subnet 10.0.4.0/24, then stateful rule updates to the security lists used by the backend server subnets are needed to permit ingress traffic from the load balancer subnet:
- Source Type: CIDR
- Source CIDR: 10.0.4.0/24
- IP Protocol: TCP
- Destination Port Range: 80 (listener port)
This new stateful ingress rule permits TCP traffic from the LB subnet to reach the backend servers. Because the rule is stateful, the backend servers' response traffic on that connection is permitted as well, without a separate egress rule.
Finally, delete all egress rules. There can be no egress rules for the backend servers.
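The following audit script is an added example and is not OCI's own code or CLI; it checks a backend subnet's security list against the three requirements stated above (a stateful TCP ingress rule from exactly the LB subnet to the listener port, no other ingress rule reaching that port, and no egress rules). The rule dictionaries mirror the field names of OCI's security list JSON (`ingressSecurityRules`, `egressSecurityRules`, `protocol` "6" for TCP, `tcpOptions.destinationPortRange`), but both sample lists are constructed for this example. Ingress rules that do not reach the listener port (for example, administrative access on another port) are deliberately left out of scope.

```python
"""Audit a backend-subnet security list against the LBaaS rules above.

Added example, not OCI's code. The rule shape follows OCI's security list
JSON as documented by OCI; the two sample lists are constructed here.
"""
import ipaddress

TCP = "6"            # IANA protocol number, as used in OCI security rule JSON
ALL_PROTOCOLS = "all"


def _dst_ports(rule):
    """(min, max) destination port range of a rule, or None when unrestricted."""
    rng = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    return (rng["min"], rng["max"]) if rng else None


def audit_backend_security_list(sec_list, lb_subnet_cidr, listener_port):
    """Return a list of 'CODE: detail' findings; an empty list means compliant."""
    findings = []
    lb_net = ipaddress.ip_network(lb_subnet_cidr)
    lb_rule_ok = False

    for rule in sec_list.get("ingressSecurityRules", []):
        if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue  # service CIDR labels are not CIDRs; out of scope here
        if rule.get("protocol") not in (TCP, ALL_PROTOCOLS):
            continue  # neither TCP nor "all": cannot carry listener traffic
        ports = _dst_ports(rule)
        if ports is not None and not (ports[0] <= listener_port <= ports[1]):
            continue  # does not reach the listener port; out of scope

        src = rule.get("source", "")
        src_net = ipaddress.ip_network(src, strict=False)
        if src_net != lb_net:
            findings.append(
                f"INGRESS-OPEN: {src} can reach port {listener_port}; "
                f"only {lb_subnet_cidr} should")
            continue
        if rule.get("isStateless", False):
            findings.append(
                f"INGRESS-STATELESS: rule from {src} is stateless; "
                "backend responses would need a separate rule")
            continue
        if rule.get("protocol") != TCP or ports != (listener_port, listener_port):
            findings.append(
                f"INGRESS-WIDE: rule from {src} allows more than "
                f"TCP/{listener_port}")
            continue
        lb_rule_ok = True

    if not lb_rule_ok:
        findings.append(
            f"INGRESS-MISSING: no stateful TCP rule from {lb_subnet_cidr} "
            f"to port {listener_port}")

    # The page requires that the backend servers have no egress rules at all.
    for rule in sec_list.get("egressSecurityRules", []):
        findings.append(
            f"EGRESS-PRESENT: egress rule to {rule.get('destination')} "
            "must be removed")

    return findings


# Constructed sample: the backend subnet list exactly as the page prescribes.
COMPLIANT_BACKEND_LIST = {
    "ingressSecurityRules": [
        {"source": "10.0.4.0/24", "sourceType": "CIDR_BLOCK", "protocol": TCP,
         "isStateless": False,
         "tcpOptions": {"destinationPortRange": {"min": 80, "max": 80}}},
    ],
    "egressSecurityRules": [],
}

# Constructed sample: the LB-subnet-style 0.0.0.0/0 rule copied onto the
# backends, a stateless LB rule, and a leftover allow-all egress rule.
NONCOMPLIANT_BACKEND_LIST = {
    "ingressSecurityRules": [
        {"source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK", "protocol": TCP,
         "isStateless": False,
         "tcpOptions": {"destinationPortRange": {"min": 80, "max": 80}}},
        {"source": "10.0.4.0/24", "sourceType": "CIDR_BLOCK", "protocol": TCP,
         "isStateless": True,
         "tcpOptions": {"destinationPortRange": {"min": 80, "max": 80}}},
    ],
    "egressSecurityRules": [
        {"destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK",
         "protocol": ALL_PROTOCOLS, "isStateless": False},
    ],
}

if __name__ == "__main__":
    for name, sl in (("compliant", COMPLIANT_BACKEND_LIST),
                     ("noncompliant", NONCOMPLIANT_BACKEND_LIST)):
        print(name, audit_backend_security_list(sl, "10.0.4.0/24", 80) or "OK")
```

To run it against a real list, feed the `data` object returned by `oci network security-list get` (or the NSG's rule list, which uses the same field names) in place of the constructed samples; the function only inspects the fields shown above.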