Yandex Cloud
Search
Contact UsGet started
  • Blog
  • Pricing
  • Documentation
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • ML & AI
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Customer Stories
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Education and Science
    • Yandex Cloud Partner program
  • Blog
  • Pricing
  • Documentation
© 2025 Direct Cursus Technology L.L.C.
Yandex Application Load Balancer
  • Getting started
    • Overview
    • Configuring security groups
    • Working with service accounts
    • Creating or updating resources based on a configuration
  • Access management
  • Pricing policy
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • L7 load balancer logs
  • Release notes
  1. Tools for Managed Service for Kubernetes
  2. Configuring security groups

Configuring security groups for Application Load Balancer tools for Managed Service for Kubernetes

Written by
Yandex Cloud
Updated at February 24, 2025

For the Ingress controller or Gateway API to work properly, you need to configure security groups for your cluster, Yandex Managed Service for Kubernetes node groups, and Application Load Balancer load balancer.

You can use different security groups (recommended) or the same group for the cluster, the node groups, and the load balancer.

Within the security groups, you must configure:

  • All standard rules described in the relevant documentation sections:
    • For cluster and node groups, see the Configuring security groups section of the Managed Service for Kubernetes documentation.
    • For load balancer, see Security groups. The last rule for outgoing traffic to backend VMs must allow connections in the subnet of the cluster node groups or its security group.
  • Backend state check rules, allowing:
    • The load balancer to send traffic to cluster nodes via TCP to port 10501 (destination: cluster node group subnets or security groups).
    • Node groups to receive this traffic (traffic originates in the load balancer subnets or security group).

Cluster and node group security groups are specified in their settings. For more information, see the guides below:

  • Creating and updating a cluster
  • Creating and updating a node group

Security group IDs are specified in:

  • For the Ingress resource, in the ingress.alb.yc.io/security-groups annotation. If you create a load balancer for several Ingress resources, it gets assigned all the security groups specified in these Ingress resources.
  • For the Gateway resource, in the gateway.alb.yc.io/security-groups annotation.

Setup exampleSetup example

Let us provide an example for the following conditions:

  • You need to deploy a load balancer with a public IP address to accept HTTPS traffic in 3 subnets with 10.128.0.0/24, 10.129.0.0/24, and 10.130.0.0/24 for CIDRs, hereafter labeled [B].
  • When creating the cluster, its CIDR was specified as 10.96.0.0/16 [C], and the service CIDR as 10.112.0.0/16 [S].
  • The cluster's node group is located in a subnet with CIDR 10.140.0.0/24 [Nod].
  • You can only connect to the nodes via SSH and control the cluster using the API, kubectl, and other utilities from CIDR 203.0.113.0/24 [Con].

Then, you need to create the following rules in the security groups:

  • Load balancer security group:

    Egress traffic
    Incoming traffic
    Port range Protocol Destination name CIDR blocks Description
    0-65535 TCP CIDR 10.140.0.0/24[Nod] For outgoing traffic to nodes, including status checks
    Port range Protocol Source CIDR blocks Description
    80 TCP CIDR 0.0.0.0/0 For receiving incoming HTTP traffic
    443 TCP CIDR 0.0.0.0/0 For receiving incoming HTTP traffic
    30080 TCP Load balancer healthchecks — For load balancer node status checks
  • Node group security group for backend status checks:

    Incoming traffic
    Port range Protocol Source CIDR blocks Description
    10501 TCP CIDR 10.128.0.0/24[B]
    10.129.0.0/24[B]
    10.130.0.0/24[B]
    For backend status checks
  • Cluster security group and node groups for service traffic:

    Egress traffic
    Incoming traffic
    Port range Protocol Destination name CIDR blocks Description
    0-65535 Any (Any) Security group Current (Self) For traffic between the master and nodes
    Port range Protocol Source CIDR blocks Description
    0-65535 TCP Load balancer healthchecks — For a network load balancer
    0-65535 Any (Any) Security group Current (Self) For traffic between the master and nodes
    0-65535 ICMPv6 CIDR 10.0.0.0/8
    192.168.0.0/16
    172.16.0.0/12
    For functionality verification of nodes from subnets within Yandex Cloud
  • Node group security group for service traffic:

    Egress traffic
    Incoming traffic
    Port range Protocol Destination name CIDR blocks Description
    0-65535 Any (Any) CIDR 0.0.0.0/0 To access external resources
    Port range Protocol Source CIDR blocks Description
    0-65535 Any (Any) CIDR 10.96.0.0/16[C]
    10.112.0.0/16[S]
    For traffic between pods and services
  • Cluster security group for service traffic:

    Egress traffic
    Incoming traffic
    Port range Protocol Destination name CIDR blocks Description
    4443 TCP CIDR 10.96.0.0/16[C] For traffic between the master and metric-server pods
    Port range Protocol Destination name CIDR blocks Description
    443 TCP CIDR 203.0.113.0/24[Con] For access to the Kubernetes API
    6443 TCP CIDR 203.0.113.0/24[Con] For access to the Kubernetes API
  • Node group security group for connecting to services from the Internet:

    Incoming traffic
    Port range Protocol Source CIDR blocks Description
    30000-32767 TCP CIDR 0.0.0.0/0 For access to services from the Internet and from Yandex Cloud subnets
  • Node group security group for connecting to nodes over SSH:

    Incoming traffic
    Port range Protocol Source CIDR blocks Description
    22 TCP CIDR 203.0.113.0/24[Con] For connecting to nodes over SSH

For more information about security groups for a cluster and node groups, see the Configuring security groups section of the Managed Service for Kubernetes documentation.

Was the article helpful?

Previous
Service for Gateway API
Next
Working with service accounts
© 2025 Direct Cursus Technology L.L.C.