Configuring security groups for the Application Load Balancer tools for Managed Service for Kubernetes
To ensure proper operation of the ingress controller and Gateway API, you must configure appropriate security groups for your cluster, Yandex Managed Service for Kubernetes node groups, and load balancer.
We recommend using separate security groups for your cluster, node groups, and load balancer, although a shared group is also permitted.
Within each security group, you must configure:
- All required security group rules documented in the relevant guides:
  - For the cluster and node groups, see the Configuring security groups section of the Managed Service for Kubernetes documentation.
  - For the load balancer, see Security groups. The load balancer's outbound rule toward its backends must allow connections to either the CIDR block of the subnet hosting your cluster's node group or the security group associated with your node groups.
- Backend health check rules, allowing:
  - The load balancer to send TCP traffic to port 10501 on cluster nodes, targeting either the node groups' subnet CIDR blocks or their security groups.
  - Node groups to receive TCP traffic on port 10501 from either the load balancer's subnet CIDR blocks or its security group.

Without the health check rules in both directions, the balancer marks every backend unhealthy and the ingress returns errors even though the application pods are fine.
Security groups for the cluster and node groups are set in their respective configurations (see the Configuring security groups section of the Managed Service for Kubernetes guides). The load balancer's security group IDs are specified in the Kubernetes resources that the ALB tools reconcile:
- For the Ingress resource, in the ingress.alb.yc.io/security-groups annotation. A load balancer associated with multiple Ingress resources aggregates all security groups defined in their configurations.
- For the Gateway resource, in the gateway.alb.yc.io/security-groups annotation.
Configuration example
Let's assume you need to create rules for the following conditions:
- You need to deploy a load balancer with a public IP address to accept HTTPS traffic in three subnets with the 10.128.0.0/24, 10.129.0.0/24, and 10.130.0.0/24 CIDR blocks ([B]).
- The cluster's CIDR block is 10.96.0.0/16 ([C]), and the service CIDR block is 10.112.0.0/16 ([S]).
- The cluster's node group resides in a subnet with the 10.140.0.0/24 CIDR block ([Nod]).
- SSH access to nodes and cluster management (via the API, kubectl, etc.) are restricted to the 203.0.113.0/24 CIDR block ([Con]).
Management console
Create the following security groups and rules:

- Load balancer security group:

  Outgoing traffic:

  | Port range | Protocol | Destination name | CIDR blocks | Description |
  |---|---|---|---|---|
  | 0-65535 | TCP | CIDR | 10.140.0.0/24 ([Nod]) | For outgoing traffic to nodes, including status checks |

  Incoming traffic:

  | Port range | Protocol | Source | CIDR blocks | Description |
  |---|---|---|---|---|
  | 80 | TCP | CIDR | 0.0.0.0/0 | For receiving incoming HTTP traffic |
  | 443 | TCP | CIDR | 0.0.0.0/0 | For receiving incoming HTTPS traffic |
  | 30080 | TCP | Load balancer healthchecks | — | For load balancer node status checks |

- Node group's security group for backend health checks:

  Incoming traffic:

  | Port range | Protocol | Source | CIDR blocks | Description |
  |---|---|---|---|---|
  | 10501 | TCP | CIDR | 10.128.0.0/24, 10.129.0.0/24, 10.130.0.0/24 ([B]) | For backend health checks from the load balancer |

- Cluster and node group's security group for control plane traffic:

  Outgoing traffic:

  | Port range | Protocol | Destination name | CIDR blocks | Description |
  |---|---|---|---|---|
  | 0-65535 | Any (Any) | Security group | Current (Self) | For traffic between the control plane components and worker nodes |

  Incoming traffic:

  | Port range | Protocol | Source | CIDR blocks | Description |
  |---|---|---|---|---|
  | 0-65535 | TCP | Load balancer healthchecks | — | For a network load balancer |
  | 0-65535 | Any (Any) | Security group | Current (Self) | For traffic between the control plane components and worker nodes |
  | 0-65535 | ICMPv6 | CIDR | 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 | For node health checks within Yandex Cloud subnets |

- Node group's security group for control plane traffic:

  Incoming traffic:

  | Port range | Protocol | Source | CIDR blocks | Description |
  |---|---|---|---|---|
  | 0-65535 | Any (Any) | CIDR | 10.96.0.0/16 ([C]), 10.112.0.0/16 ([S]) | For traffic between pods and services |

  Outgoing traffic:

  | Port range | Protocol | Destination name | CIDR blocks | Description |
  |---|---|---|---|---|
  | 0-65535 | Any (Any) | CIDR | 0.0.0.0/0 | For external resource access |

- Cluster security group for control plane traffic:

  Incoming traffic:

  | Port range | Protocol | Source | CIDR blocks | Description |
  |---|---|---|---|---|
  | 443 | TCP | CIDR | 203.0.113.0/24 ([Con]) | For access to the Kubernetes API |
  | 6443 | TCP | CIDR | 203.0.113.0/24 ([Con]) | For access to the Kubernetes API |

  Outgoing traffic:

  | Port range | Protocol | Destination name | CIDR blocks | Description |
  |---|---|---|---|---|
  | 4443 | TCP | CIDR | 10.96.0.0/16 ([C]) | For traffic between the master and metrics-server pods |

- Node group's security group for internet service access:

  Incoming traffic:

  | Port range | Protocol | Source | CIDR blocks | Description |
  |---|---|---|---|---|
  | 30000-32767 | TCP | CIDR | 0.0.0.0/0 | For internet and Yandex Cloud access |

  30000-32767 is the default Kubernetes NodePort range, so this rule exposes every NodePort service on the nodes to any source. Add this group only if you publish NodePort services directly; if the load balancer is the only intended entry point, omit it or narrow the source to the load balancer's subnets or security group.

- Security group for SSH access to node group instances:

  Incoming traffic:

  | Port range | Protocol | Source | CIDR blocks | Description |
  |---|---|---|---|---|
  | 22 | TCP | CIDR | 203.0.113.0/24 ([Con]) | For SSH access to nodes |
For details on cluster and node group’s security groups, see the Configuring security groups section of the Managed Service for Kubernetes guides.
Terraform
Create the following security groups and rules:
locals {
  network-id = "<cloud_network_ID>"
}
resource "yandex_vpc_security_group" "alb" {
  description = "Load balancer security group"
  name        = "alb"
  network_id  = local.network-id
  ingress {
    description    = "Rule to allow incoming HTTP traffic"
    port           = 80
    protocol       = "TCP"
    v4_cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description    = "Rule to allow incoming HTTPS traffic"
    port           = 443
    protocol       = "TCP"
    v4_cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description       = "Rule for load balancer node health checks"
    port              = 30080
    protocol          = "TCP"
    predefined_target = "loadbalancer_healthchecks"
  }
  egress {
    description    = "Rule for sending traffic to nodes, including health checks"
    from_port      = 0
    to_port        = 65535
    protocol       = "TCP"
    v4_cidr_blocks = ["10.140.0.0/24"]
  }
}
resource "yandex_vpc_security_group" "nodegroup-backend" {
  description = "Node group's security group for backend health checks"
  name        = "nodegroup-backend"
  network_id  = local.network-id
  # Health checks arrive from the load balancer's subnets ([B]). The rule may
  # reference the load balancer's security group instead of these CIDR blocks.
  ingress {
    description    = "Backend health check rule"
    port           = 10501
    protocol       = "TCP"
    v4_cidr_blocks = ["10.128.0.0/24", "10.129.0.0/24", "10.130.0.0/24"]
  }
}
resource "yandex_vpc_security_group" "k8s-cluster-nodegroup-traffic" {
  description = "Cluster and node group's security group for service traffic"
  name        = "k8s-cluster-nodegroup-traffic"
  network_id  = local.network-id
  ingress {
    description       = "Network load balancer rule"
    from_port         = 0
    to_port           = 65535
    protocol          = "TCP"
    predefined_target = "loadbalancer_healthchecks"
  }
  ingress {
    description       = "Rule for traffic between the master and nodes"
    from_port         = 0
    to_port           = 65535
    protocol          = "ANY"
    predefined_target = "self_security_group"
  }
  ingress {
    description    = "Rule for health checks of nodes from subnets within Yandex Cloud"
    from_port      = 0
    to_port        = 65535
    protocol       = "IPV6_ICMP"
    v4_cidr_blocks = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]
  }
  egress {
    description       = "Rule for traffic between the master and nodes"
    from_port         = 0
    to_port           = 65535
    protocol          = "ANY"
    predefined_target = "self_security_group"
  }
}
resource "yandex_vpc_security_group" "nodegroup-traffic" {
  description = "Node group's security group for service traffic"
  name        = "nodegroup-traffic"
  network_id  = local.network-id
  ingress {
    description    = "Rule for traffic between pods and services"
    from_port      = 0
    to_port        = 65535
    protocol       = "ANY"
    v4_cidr_blocks = ["10.96.0.0/16", "10.112.0.0/16"]
  }
  egress {
    description    = "Rule for external resource access"
    from_port      = 0
    to_port        = 65535
    protocol       = "ANY"
    v4_cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "yandex_vpc_security_group" "k8s-cluster-traffic" {
  description = "Cluster security group for control plane traffic"
  name        = "k8s-cluster-traffic"
  network_id  = local.network-id
  ingress {
    description    = "Rule for access to the Kubernetes API"
    port           = 443
    protocol       = "TCP"
    v4_cidr_blocks = ["203.0.113.0/24"]
  }
  ingress {
    description    = "Rule for access to the Kubernetes API"
    port           = 6443
    protocol       = "TCP"
    v4_cidr_blocks = ["203.0.113.0/24"]
  }
  egress {
    description    = "Rule for traffic between the master and metric-server pods"
    port           = 4443
    protocol       = "TCP"
    v4_cidr_blocks = ["10.96.0.0/16"]
  }
}
resource "yandex_vpc_security_group" "nodegroup-services-access" {
  description = "Node group's security group for accessing services from the internet"
  name        = "nodegroup-services-access"
  network_id  = local.network-id
  # 30000-32767 is the default Kubernetes NodePort range; this rule exposes every
  # NodePort service on the nodes to any source. Omit the group, or narrow the
  # source, if the load balancer is the only intended entry point.
  ingress {
    description    = "Rules for accessing services from the internet and Yandex Cloud subnets"
    from_port      = 30000
    to_port        = 32767
    protocol       = "TCP"
    v4_cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "yandex_vpc_security_group" "nodegroup-ssh" {
  description = "Node group's security group for SSH access to nodes"
  name        = "nodegroup-ssh"
  network_id  = local.network-id
  ingress {
    description    = "Rules for SSH access to nodes"
    port           = 22
    protocol       = "TCP"
    v4_cidr_blocks = ["203.0.113.0/24"]
  }
}
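Before applying a rule set like the one above, it is worth checking offline that it admits exactly the flows this page requires (the load balancer to the nodes on port 10501, the platform health checks, HTTPS from the internet, API and SSH access only from [Con]) and nothing else. The following is an added example, not code from Yandex Cloud or from this page: a small Python model of the Terraform groups above. It assumes Yandex VPC security groups are stateful allow-only filters, so a new connection is permitted only when a group on the source has a matching egress rule and a group on the destination has a matching ingress rule. The endpoint addresses (10.128.0.10, 10.140.0.5, 203.0.113.7, 198.51.100.9) are constructed sample values, the platform health checker is modelled as a peer carrying the loadbalancer_healthchecks target, and the control plane is given no address because the page specifies none.

```python
"""Offline connectivity audit of the security groups defined above.
Added example, not Yandex Cloud code. Model assumption: groups are stateful and
allow-only; src -> dst:port succeeds only if a source group has a matching egress
rule AND a destination group has a matching ingress rule."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str                # "ingress" or "egress"
    protocol: str                 # "TCP", "UDP", "ICMP", "IPV6_ICMP" or "ANY"
    from_port: int
    to_port: int
    cidrs: tuple = ()             # v4_cidr_blocks
    target: Optional[str] = None  # predefined_target, or a group name standing in for security_group_id


def ingress(proto, lo, hi=None, cidrs=(), target=None):
    return Rule("ingress", proto, lo, lo if hi is None else hi, tuple(cidrs), target)


def egress(proto, lo, hi=None, cidrs=(), target=None):
    return Rule("egress", proto, lo, lo if hi is None else hi, tuple(cidrs), target)


# The Terraform resources above, transcribed rule for rule (keys = resource names).
GROUPS = {
    "alb": [
        ingress("TCP", 80, cidrs=["0.0.0.0/0"]),
        ingress("TCP", 443, cidrs=["0.0.0.0/0"]),
        ingress("TCP", 30080, target="loadbalancer_healthchecks"),
        egress("TCP", 0, 65535, cidrs=["10.140.0.0/24"]),
    ],
    "nodegroup-backend": [ingress("TCP", 10501, cidrs=["10.128.0.0/24", "10.129.0.0/24", "10.130.0.0/24"])],
    "k8s-cluster-nodegroup-traffic": [
        ingress("TCP", 0, 65535, target="loadbalancer_healthchecks"),
        ingress("ANY", 0, 65535, target="self_security_group"),
        ingress("IPV6_ICMP", 0, 65535, cidrs=["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]),
        egress("ANY", 0, 65535, target="self_security_group"),
    ],
    "nodegroup-traffic": [
        ingress("ANY", 0, 65535, cidrs=["10.96.0.0/16", "10.112.0.0/16"]),
        egress("ANY", 0, 65535, cidrs=["0.0.0.0/0"]),
    ],
    "k8s-cluster-traffic": [
        ingress("TCP", 443, cidrs=["203.0.113.0/24"]),
        ingress("TCP", 6443, cidrs=["203.0.113.0/24"]),
        egress("TCP", 4443, cidrs=["10.96.0.0/16"]),
    ],
    "nodegroup-services-access": [ingress("TCP", 30000, 32767, cidrs=["0.0.0.0/0"])],
    "nodegroup-ssh": [ingress("TCP", 22, cidrs=["203.0.113.0/24"])],
}


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: Optional[str]     # None when the page gives no address (the control plane)
    groups: frozenset     # attached security groups, or a predefined-target name
    managed: bool = True  # False: outside the VPC, so no egress rules apply to it


# Constructed sample peers; the addresses are illustrative, not from the page.
ALB = Endpoint("alb", "10.128.0.10", frozenset({"alb"}))
NODE = Endpoint("node", "10.140.0.5", frozenset({"nodegroup-backend", "k8s-cluster-nodegroup-traffic",
                                                  "nodegroup-traffic", "nodegroup-services-access", "nodegroup-ssh"}))
MASTER = Endpoint("master", None, frozenset({"k8s-cluster-nodegroup-traffic", "k8s-cluster-traffic"}))
ADMIN = Endpoint("admin", "203.0.113.7", frozenset(), managed=False)         # a host inside [Con]
INTERNET = Endpoint("internet", "198.51.100.9", frozenset(), managed=False)  # an arbitrary outside host
HEALTHCHECKER = Endpoint("yc-healthchecker", None, frozenset({"loadbalancer_healthchecks"}), managed=False)


def _matches(rule, own_group, peer, proto, port):
    if rule.protocol not in ("ANY", proto) or not rule.from_port <= port <= rule.to_port:
        return False
    if rule.target == "self_security_group":  # the peer must carry this same group
        return own_group in peer.groups
    if rule.target is not None:               # other predefined target or group reference
        return rule.target in peer.groups
    return peer.ip is not None and any(ip_address(peer.ip) in ip_network(c) for c in rule.cidrs)


def allowed(src, dst, proto, port):
    """True if a new src -> dst:port connection is permitted by both ends' groups."""
    def side(endpoint, peer, direction):
        return any(_matches(r, g, peer, proto, port)
                   for g in endpoint.groups if g in GROUPS
                   for r in GROUPS[g] if r.direction == direction)
    return (not src.managed or side(src, dst, "egress")) and side(dst, src, "ingress")


# (src, dst, protocol, port, expected): flows the page requires, and flows it should block.
EXPECTED = [
    (ALB, NODE, "TCP", 10501, True),           # backend health checks
    (HEALTHCHECKER, ALB, "TCP", 30080, True),  # platform checks of the balancer itself
    (INTERNET, ALB, "TCP", 443, True),         # public HTTPS
    (MASTER, NODE, "TCP", 10250, True),        # control plane to kubelet, via the shared group
    (ADMIN, MASTER, "TCP", 6443, True),        # kubectl from [Con]
    (ADMIN, NODE, "TCP", 22, True),            # SSH from [Con]
    (INTERNET, ALB, "TCP", 8080, False),
    (INTERNET, NODE, "TCP", 10501, False),     # the health-check port is not public
    (INTERNET, NODE, "TCP", 22, False),
    (INTERNET, MASTER, "TCP", 6443, False),
]


def audit():
    """Return the expectations the rule set violates; an empty list means the policy holds."""
    return [(s.name, d.name, proto, port) for s, d, proto, port, want in EXPECTED
            if allowed(s, d, proto, port) != want]


if __name__ == "__main__":
    print("violations:", audit())
    print("internet -> node:30080 allowed:", allowed(INTERNET, NODE, "TCP", 30080))
```

Running the script reports no violations for the rule set as written, but `allowed(INTERNET, NODE, "TCP", 30080)` is true: the nodegroup-services-access group opens the whole NodePort range to any source, which is exactly the kind of over-broad rule this model is meant to surface before the groups are applied. To test a tightened rule set, edit GROUPS (for example, replace that group's 0.0.0.0/0 with the [B] subnets) and rerun audit(). Because Yandex VPC security groups carry only allow rules, the model needs no rule ordering; a flow is allowed if any rule on each side matches.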