diff --git a/docs/deploy/security_groups.md b/docs/deploy/security_groups.md index de7ef213a..0e6cd0cbf 100644 --- a/docs/deploy/security_groups.md +++ b/docs/deploy/security_groups.md @@ -9,6 +9,12 @@ Use security groups to limit client connections to your load balancers, and rest Frontend security groups control access to load balancers by specifying which clients can connect to them. +Use cases for Frontent Security Groups include: + +* Placing the load balancer behind another service, such as [AWS Web Application Firewall](https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html) or [AWS CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html). +* Blocking the IP address range (CIDR) of a region. +* Configuring the Load Balancer for private or internal use, by specifying internal CIDRs and Security Groups. + In the default configuration, the LBC automatically creates one security group per load balancer, allowing traffic from `inbound-cidrs` to `listen-ports`. ### Configuration @@ -65,4 +71,4 @@ If `--backend-security-group` is left empty, a security group with the following From version v2.3.0 onwards, the controller restricts port ranges in the backend security group rules by default. This improves the security of the default configuration. The LBC should generate the necessary rules to permit traffic, based on the Service and Ingress resources. -If needed, set the controller flag `--disable-restricted-sg-rules` to `true` to permit traffic to all ports. +If needed, set the controller flag `--disable-restricted-sg-rules` to `true` to permit traffic to all ports. This may be appropriate for backwards compatability, or troubleshooting. diff --git a/docs/guide/use_cases/frontend_sg/index.md b/docs/guide/use_cases/frontend_sg/index.md index 52d8a6304..2613292d8 100644 --- a/docs/guide/use_cases/frontend_sg/index.md +++ b/docs/guide/use_cases/frontend_sg/index.md 
@@ -2,7 +2,7 @@ title: Restrict Access with Frontend Security Groups --- -Frontend security groups limit client/internet traffic with a load balancer. This improves security by preventing unauthorized access to cluster services, and blocking unexpected outbound connections. Both [AWS Network Load Balancers (NLBs) and Application Load Balancers (ALBs)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html) support frontend security groups. +Frontend security groups limit client/internet traffic with a load balancer. This improves security by preventing unauthorized access to cluster services, and blocking unexpected outbound connections. Both [AWS Network Load Balancers (NLBs) and Application Load Balancers (ALBs)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html) support frontend security groups. Learn more about how the Load Balancer Controller uses [Frontend and Backend Security Groups](../../../deploy/security_groups.md). ## Solution Overview diff --git a/mkdocs.yml b/mkdocs.yml index 1dd2e79fa..b0b9de714 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -2,6 +2,7 @@ site_name: AWS Load Balancer Controller repo_name: kubernetes-sigs/aws-load-balancer-controller repo_url: https://github.com/kubernetes-sigs/aws-load-balancer-controller edit_uri: edit/main/docs/ +strict: true nav: - Home:
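Review bot: in the first hunk of docs/deploy/security_groups.md (`@@ -9,6 +9,12 @@`), the added bullet "Blocking the IP address range (CIDR) of a region" describes something a security group cannot do. Security groups hold allow rules only, so a range is excluded by leaving it out of the permitted CIDRs, not by blocking it. Suggest rewording along the lines of "Allowing only the CIDR ranges of specific regions or networks". In the same hunk, "Frontent" in the lead-in line should be "Frontend", the third bullet writes "Load Balancer" where the surrounding text uses "load balancer", and "AWS CloudFront" should read "Amazon CloudFront", matching the linked documentation.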
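Review bot: in the second hunk of docs/deploy/security_groups.md (`@@ -65,4 +71,4 @@`), the sentence added after `--disable-restricted-sg-rules` recommends the flag without stating its cost. Setting it to `true` removes the port-range restriction that the preceding paragraph says "improves the security of the default configuration". Suggest stating that the flag permits traffic to all ports in the backend security group rules and should be turned off again once troubleshooting is finished. Also, "compatability" should be "compatibility", and the comma before "or troubleshooting" is not needed.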
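Review bot: in docs/guide/use_cases/frontend_sg/index.md (`@@ -2,7 +2,7 @@`), the added sentence is appended to an already long single-line paragraph and capitalises "Frontend and Backend Security Groups", while the rest of that paragraph writes "frontend security groups". Suggest putting the cross-reference on its own line and using one casing throughout. The relative target `../../../deploy/security_groups.md` does resolve to docs/deploy/security_groups.md from this file's directory, so the link itself looks correct.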
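Review bot: in mkdocs.yml (`@@ -2,6 +2,7 @@`), the added `strict: true` is a build-behaviour change mixed into a documentation wording patch, and nothing in the visible changes explains it. In strict mode MkDocs fails the build on any warning, including unresolved relative links anywhere under docs/, so existing pages can start breaking the build, not only the ones edited here. Suggest moving it to a separate commit, or calling it out in the description, and confirming that the full site builds cleanly with it enabled.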