revise
geoffcline authored Oct 13, 2023
1 parent b5b2a53 commit e5ff687
Showing 1 changed file with 9 additions and 9 deletions.
18 changes: 9 additions & 9 deletions docs/deploy/security_groups.md
Expand Up @@ -7,13 +7,13 @@ Use security groups to limit client connections to your load balancers, and rest

## Frontend Security Groups

Frontend security groups govern access to load balancers by specifying which clients can connect to them.
Frontend security groups control access to load balancers by specifying which clients can connect to them.

In the default configuration, the LBC automatically creates one security group per load balancer, allowing traffic from `inbound-cidrs` to `listen-ports`.

### Manually Specify Frontend Security Groups
### Configuration

The frontend security groups may be manually specified with an annotation. This disables automatic generation of frontend security groups.
Apply custom frontend security groups with an annotation. This disables automatic generation of frontend security groups.

- For Ingress resources, use the [`alb.ingress.kubernetes.io/security-groups`](../guide/ingress/annotations.md#security-groups) annotation.
- For Service resources, use the [`service.beta.kubernetes.io/aws-load-balancer-security-groups`](../guide/service/annotations.md#security-groups) annotation.
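Review bot: Renaming the heading at the top of this hunk from `### Manually Specify Frontend Security Groups` to `### Configuration` gives the page two `### Configuration` headings (the Backend Security Groups section already has one), so the generated anchors collide and any existing deep link to `#manually-specify-frontend-security-groups` breaks; a distinct heading such as `### Custom Frontend Security Groups` keeps the anchor unique while matching the new "custom" wording in the sentence below it.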
Expand All @@ -22,19 +22,19 @@ The frontend security groups may be manually specified with an annotation. This

## Backend Security Groups

Backend Security Groups serve as the control mechanism for traffic between AWS Load Balancers and their target EC2 instances or ENIs. For example, backend security groups can restrict the ports load balancers may access on nodes.
Backend Security Groups control traffic between AWS Load Balancers and their target EC2 instances or ENIs. For example, backend security groups can restrict the ports load balancers may access on nodes.

- Backend security groups permit traffic from AWS Load Balancers to their targets.
- LBC uses a single, shared backend security group, attaching it to each load balancer and using as the traffic source in the security group rules it adds to targets.
- When configuring security group rules at the ENI/Instance level, use the Security Group ID of the backend security group.
- When configuring security group rules at the ENI/Instance level, use the Security Group ID of the backend security group. Avoid using the IP addresses of a specific AWS Load Balancer, these IPs are dynamic and the security group rules aren't updated automatically.

### Configuration

**Enable or Disable:** Use `--enable-backend-security-group` (default `true`) to enable/disable the shared backend security group.

You can turn off the shared backend security group feature by setting it to `false`. However, if you have a high number of Ingress resources with frontend security groups auto-generated by the controller, you might run into security group rule limits on the instance/ENI security groups.

**Specification:** Use `--backend-security-group` to pass in a security group ID to use as a shared backend security group.
**Specification:** Use `--backend-security-group` to pass in a security group ID to use as a custom shared backend security group.

If `--backend-security-group` is left empty, a security group with the following attributes will be created:

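Review bot: The sentence added to the last bullet at the top of this hunk is a comma splice and leaves the reason implicit; suggest `Avoid using the IP addresses of a specific load balancer as the source: these IPs are dynamic, and the controller does not update security group rules when they change.` In the `**Specification:**` line, `custom shared backend security group` is ambiguous next to the auto-created group described in the sentence that follows; `a user-supplied security group ID to use as the shared backend security group instead of the auto-created one` states the relationship explicitly.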
Expand All @@ -52,9 +52,9 @@ If `--backend-security-group` is left empty, a security group with the following
- If the LBC auto-creates the frontend security group for a load balancer, it automatically adds the security group rules to allow traffic from the load balancer to the backend instances/ENIs.
- If the frontend security groups are manually specified, the LBC will not **by default** add any rules to the backend security group.
#### Enable Management of Backend Security Group Rules
#### Enable Autogeneration of Backend Security Group Rules
- If using manually specified frontend security groups, the LBC can be configured to automatically manage backend security group rules.
- If using custom frontend security groups, the LBC can be configured to automatically manage backend security group rules.
- To enable managing backend security group rules, apply an additional annotation to Ingress and Service resources.
- For Ingress resources, set the `alb.ingress.kubernetes.io/manage-backend-security-group-rules` annotation to `true`.
- For Service resources, set the `service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules` annotation to `true`.
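Review bot: The new heading `#### Enable Autogeneration of Backend Security Group Rules` no longer matches the annotations it introduces (`alb.ingress.kubernetes.io/manage-backend-security-group-rules`, `service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules`) or the bullets beneath it, which still say `manage` and `managing`; readers searching for the annotation name will miss it. Either keep `Management` in the heading or use `manage` consistently. The `manually specified` to `custom` change in the first bullet also leaves the unchanged context bullet two lines above (`If the frontend security groups are manually specified, ...`) using a different term for the same thing; pick one across the page.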
Expand All @@ -63,6 +63,6 @@ If `--backend-security-group` is left empty, a security group with the following

### Port Range Restrictions

From version v2.3.0 onwards, the controller restricts port ranges in the backend security group rules by default.
From version v2.3.0 onwards, the controller restricts port ranges in the backend security group rules by default. This improves the security of the default configuration. The LBC should generate the necessary rules to permit traffic, based on the Service and Ingress resources.

If needed, set the controller flag `--disable-restricted-sg-rules` to `true` to permit traffic to all ports.
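Review bot: `The LBC should generate the necessary rules to permit traffic` hedges on what the restriction actually does and reads as a caveat that the rules may be incomplete, which undercuts the security claim in the preceding sentence. Since the next line says the flag opens all ports, state the default concretely, e.g. `By default, the backend security group rules only allow the traffic and health check ports referenced by the Service and Ingress resources, rather than all ports.` It is also worth noting beside `--disable-restricted-sg-rules` that, as a controller flag, it widens the rules for every load balancer the controller manages, not just one.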
