AWS application load balancer: Security group settings vs listener settings

When we define application load balancer in AWS, we first attach a security group to it which itself specifies things like protocol, port etc. Then we also define a listener group whee we again specify protocol, port etc.

So how do they differ in their meaning and role in overall picture?

>Solution :

All resources in an Amazon VPC can have Security Groups. They are ‘firewalls’ that can filter traffic going in and out of each resource.

Security Groups can also refer to each other, for example a common configuration is:

  • A Security Group on the Load Balancer (LB-SG) permitting inbound web traffic
  • A Security Group on the EC2 instances (App-SG) that will be sent traffic from the Load Balancer, which permits inbound traffic from LB-SG

That is, App-SG specifically permits traffic from any resource associated with LB-SG. No other resource in the VPC is permitted to send traffic to the EC2 instances unless additional rules are provided that permit such traffic.

So, think of it like this:

  • Security Groups control the security for traffic flowing within a VPC
  • The Listener and Target on a Load Balancer control how the Load Balancer distributes traffic

They are configuration at ‘different levels’ of the architecture stack.

From Listeners for your Application Load Balancers – Elastic Load Balancing:

A listener is a process that checks for connection requests, using the protocol and port that you configure. The rules that you define for a listener determine how the load balancer routes requests to its registered targets.

From Target groups for your Application Load Balancers – Elastic Load Balancing:

Each target group is used to route requests to one or more registered targets. When you create each listener rule, you specify a target group and conditions. When a rule condition is met, traffic is forwarded to the corresponding target group. You can create different target groups for different types of requests. For example, create one target group for general requests and other target groups for requests to the microservices for your application.

Leave a Reply