Ports

Last update: May 30 2026

A port is a virtual network card assigned a MAC-address and IP address pair. An IP address is assigned to a port within the subnet where the port is located.

Ports are used to connect devices to private subnets, global router subnets, and public subnets. If you disconnect a port from a device, the device will also be disconnected from the subnet. A private subnet cannot be deleted if it contains at least one port.

Port traffic can only be sent from a single IP/MAC address pair that is assigned when adding a port to a subnet; traffic from other addresses is dropped. To allow traffic from addresses not specified on the port, you must add authorized IP/MAC addresses to the port.

You can work with ports in the control panel, using the OpenStack CLI, or Terraform.

Service ports are automatically created in cloud networks; they cannot be managed:

• two DHCP ports in a private subnet. They are created when enabling DHCP in a subnet and deleted when disabling DHCP;
• two DNS ports in a private subnet. They are created when connecting a network to a private DNS resolver and deleted when disconnecting a private network from a private DNS resolver;
• three service ports in a global router subnet for network equipment. They are created when connecting a private network to a global router and deleted when disconnecting a private network from a global router or when deleting a global router;
• VRRP ports and downlinks (ports for reservation) in private subnets where a load balancer is located. The number of service ports depends on the type of load balancer; for more details, see load balancer ports;
• a port in a private subnet where a File Storage is located. It is created together with the subnet for the file storage and can only be deleted with the storage.

Add a port to a subnet

Private subnet, global router subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Private networks tab.

3. Open the network page → Ports tab.

4. Click Add port.

5. Select a subnet.

6. Enter the port IP address.

7. Optional: select a server or a Managed Kubernetes cluster node to which you want to add this port.

8. Click Add port.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a port in the subnet:

   openstack port create \
     --network <network> \
     --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
     <port_name>

   Specify:

   • <network> — ID or name of a private network or a global router network; you can view it using the openstack network list command;
   • <subnet> — ID or name of the subnet; you can view it using the openstack subnet list;
   • <port_ip_address> — port IP address;
   • <port_name> — port name.

Public subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Public networks tab.

3. Open the subnet page → Ports tab.

4. Click Add port.

5. Select a subnet.

6. Enter the port IP address.

7. Click Add port.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a port in the subnet:

   openstack port create \
     --network <network> \
     --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
     <port_name>

   Specify:

   • <network> — ID or name of the public network; coincides with the <subnet> parameter; you can view it using the openstack subnet list;
   • <subnet> — ID or name of the subnet; you can view it using the openstack subnet list;
   • <port_ip_address> — port IP address;
   • <port_name> — port name.

Add a cloud server or a Managed Kubernetes cluster node to a subnet via a port

A cloud server can be added to a private subnet, a global router subnet, or a public subnet after the server has been created. A Managed Kubernetes cluster node can be added to a private subnet or a global router subnet.

To do this, you need to add a port to the server or node.

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Servers section.
3. Open the server page → Ports tab.
4. Click Add port.
5. Select a private subnet, a global router subnet, or a public subnet.
6. Enter the port IP address.
7. Click Add.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a port in the subnet:

   openstack port create \
     --network <network> \
     --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
     <port_name>

   Specify:

   • <network> — ID or name of the private subnet, global router subnet, or public subnet; you can view it using the openstack network list. For a public subnet, this coincides with the <subnet>;;
   • <subnet> — ID or name of the subnet; you can view it using the openstack subnet list;
   • <port_ip_address> — port IP address;
   • <port_name> — port name.

3. Add a port to the cloud server:

   openstack server add port <server> <port>

   Specify:

   • <server> — ID or name of a cloud server; you can view it using the openstack server list;
   • <port> — ID or name of a port; you can view it using the openstack port list.

Connect a public IP address to a port in a private subnet

If a cloud server or load balancer is connected to a port in a private subnet, you can connect a public IP address to the port.

To connect a public IP address in the device sections of the control panel, follow the Public IP addresses instruction.

Control panel

1. Make sure that the device is in a subnet that meets the requirements; for more details, see the Prepare a private subnet for connecting a public IP address subsection of the Public IP addresses instruction.
2. In the control panel, on the top menu, click Products and select Cloud Servers.
3. Go to the Network section → Private networks tab.
4. Open the network page → Ports tab.
5. In the port card for a cloud server or load balancer, click Connect public IP.
6. Select a public IP address.
7. Click Connect.

OpenStack CLI

1. Open the OpenStack CLI.

2. Connect the public IP address to the port:

   openstack floating ip set --port <port> <public_ip_address>

   Specify:

   • <port> — ID of the cloud server or load balancer port; you can view it using the openstack port list;
   • <public_ip_address> — ID or public IP address; you can view it using the openstack floating ip list.

Disconnect a public IP address from a port in a private subnet

To disconnect a public IP address in the device sections of the control panel, follow the Public IP addresses instruction.

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.
2. Go to the Network section → Private networks tab.
3. Open the network page → Ports tab.
4. In the port card for a cloud server or load balancer, click next to the public IP address.
5. Select Disconnect public IP address.
6. Optional: if you no longer need the public IP address, mark the Delete address checkbox.
7. Click Save.

OpenStack CLI

1. Open the OpenStack CLI.

2. Disconnect the public IP address from the port:

   openstack floating ip unset --port <public_ip_address>

   Specify <public_ip_address> — ID or public IP address; you can view it using the openstack floating ip list.

Assign a security group to a port

To assign a security group on the cloud server page in the control panel, follow the Assign a security group instruction.

To assign a security group to a port, traffic filtering (port security) must be enabled in the port network. You can view the filtering status in the control panel: on the top menu, click Products → Cloud Servers → Network → Private networks or Public networks tab. A network with filtering enabled is marked with .

Private subnet, global router subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Private networks tab.

3. Open the network page → Ports tab.

4. In the port card, in the security groups field, click . If the security group selection is unavailable, traffic filtering (port security) is disabled in the network. To use security groups, create a new private network.

5. In the Security groups field, mark the groups you want to assign to the port, or click New security group and create a group.

6. Click Save.

OpenStack CLI

1. Open the OpenStack CLI.

2. Ensure that traffic filtering (port security) is enabled in the network; the port_security_enabled field should have the value true:

   openstack network show <network>

   Specify <network> — network ID or name.

   If the port_security_enabled field has the value false, you must create a new private network to use security groups.

3. Assign a security group to the port:

   openstack port set \
     --security-group <security_group> \
     <port>

   Specify:

   • <security_group> — ID or name of the security group; you can view it using the openstack security group list;
   • <port> — ID or name of the port; you can view it using the openstack port list.

Public subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Public networks tab.

3. Open the subnet page → Ports tab.

4. In the port row, in the Security groups field, click . If the security group selection is unavailable, traffic filtering (port security) is disabled in the network. To use security groups, create a new public subnet.

5. In the Security groups field, mark the groups you want to assign to the port, or click New security group and create a group.

6. Click Save.

OpenStack CLI

1. Open the OpenStack CLI.

2. Ensure that traffic filtering (port security) is enabled in the subnet; the port_security_enabled field should have the value true:

   openstack subnet show <subnet>

   Specify <subnet> — subnet ID or name.

   If the port_security_enabled field has the value false, you must create a new public subnet to use security groups.

3. Assign a security group to the port:

   openstack port set \
     --security-group <security_group> \
     <port>

   Specify:

   • <security_group> — ID or name of the security group; you can view it using the openstack security group list;
   • <port> — ID or name of the port; you can view it using the openstack port list.

Detach a security group from a port

Private subnet, global router subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Private networks tab.

3. Open the network page → Ports tab.

4. In the port card, in the security groups field, click .

5. In the Security groups field, uncheck the groups you want to detach from the port.

6. Click Save.

OpenStack CLI

1. Open the OpenStack CLI.

2. Detach the security group from the port:

   openstack port unset \
     --security-group <security_group> \
     <port>

   Specify:

   • <security_group> — ID or name of the security group; you can view it using the openstack security group list;
   • <port> — ID or name of the port; you can view it using the openstack port list.

Public subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Public networks tab.

3. Open the subnet page → Ports tab.

4. In the port row, in the Security groups field, click .

5. In the Security groups field, uncheck the groups you want to detach from the port.

6. Click Save.

OpenStack CLI

1. Open the OpenStack CLI.

2. Detach the security group from the port:

   openstack port unset \
     --security-group <security_group> \
     <port>

   Specify:

   • <security_group> — ID or name of the security group; you can view it using the openstack security group list;
   • <port> — ID or name of the port; you can view it using the openstack port list.

Add authorized IP/MAC addresses to a port

If traffic filtering (port security) is enabled in the network, port traffic can only be sent from a single IP/MAC address pair that is assigned when adding the port to a subnet. If traffic is transmitted through the port from addresses not specified on the port, such traffic will be blocked. To allow traffic from addresses not specified on the port, you need to add authorized IP/MAC addresses in the port settings.

For example, if you have independently deployed:

• routing software on a cloud server — you need to allow all routed networks;
• VPN server on a cloud server — you need to allow the IP addresses of all VPN clients;
• a Kubernetes cluster with CNI Calico in Direct routing mode on a cloud server — you need to allow the entire subnet used in the cluster. Configuration is not required for CNI Flannel;
• VRRP group of several cloud servers — depending on the VRRP settings, you need to allow the VIP address or the VIP/MAC address pair of the server on each of the servers.

You can add up to 10 additional IP/MAC address pairs for a single port. If authorized addresses are no longer needed, you can remove them from the port.

You do not need to configure authorized addresses in Managed Kubernetes clusters, Managed Databases, ready-made 1C cloud, as well as on cloud servers created from images with applications. All necessary settings for them have already been made.

Private subnet, global router subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Private networks tab.

3. Open the network page → Ports tab.

4. In the port card, in the security groups field, click .

5. If you want to allow all IP addresses, click Allow all IP addresses for VPN. Traffic from the 0.0.0.0/0 subnet will be allowed with the default port MAC address.

6. If you want to allow traffic from specific addresses:

   6.1.Click Add IP/MAC pair.

   6.2.Enter the IP address or subnet in CIDR format.

   6.3.Optional: enter the MAC address corresponding to the IP address, or leave the default port MAC address.

   6.4. To add another pair of addresses, repeat steps 6.1 — 6.3.

7. Click Save.

OpenStack CLI

1. Open the OpenStack CLI.

2. Add authorized addresses:

   openstack port set \
     --allowed-address ip-address=<ip_address>[,mac-address=<mac_address>] \
     <port>

   Specify:

   • <ip_address> — IP address or subnet. If you want to allow all IP addresses, enter the 0.0.0.0/0 subnet;
   • optional: ,mac-address=<mac_address> — MAC address corresponding to the IP address. The <mac_address> parameter is the MAC address value. If you do not specify a MAC address, the main port MAC address will be used;
   • <port> — port ID; you can view it using the openstack port list.

Public subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Public networks tab.

3. Open the subnet page → Ports tab.

4. In the port row, in the Security groups field, click .

5. If you want to allow all IP addresses, click Allow all IP addresses for VPN. Traffic from the 0.0.0.0/0 subnet will be allowed with the default port MAC address.

6. If you want to allow traffic from specific addresses:

   6.1.Click Add IP/MAC pair.

   6.2.Enter the IP address or subnet in CIDR format.

   6.3.Optional: enter the MAC address corresponding to the IP address, or leave the default port MAC address.

   6.4. To add another pair of addresses, repeat steps 6.1 — 6.3.

7. Click Save.

OpenStack CLI

1. Open the OpenStack CLI.

2. Add authorized addresses:

   openstack port set \
     --allowed-address ip-address=<ip_address>[,mac-address=<mac_address>] \
     <port>

   Specify:

   • <ip_address> — IP address or subnet. If you want to allow all IP addresses, enter the 0.0.0.0/0 subnet;
   • optional: ,mac-address=<mac_address> — MAC address corresponding to the IP address. The <mac_address> parameter is the MAC address value. If you do not specify a MAC address, the default port MAC address will be used;
   • <port> — port ID; you can view it using the openstack port list.

Remove authorized IP/MAC addresses from a port

Private subnet, global router subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Private networks tab.

3. Open the network page → Ports tab.

4. In the port card, in the security groups field, click .

5. In the address pair row, click .

6. Click Save.

OpenStack CLI

1. Open the OpenStack CLI.

2. Remove the authorized addresses from the port. The IP/MAC address pair that was assigned when the port was created will remain authorized:

   openstack port set \
     --no-allowed-address \
     <port>

Public subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Public networks tab.

3. Open the subnet page → Ports tab.

4. In the port row, in the Security groups field, click .

5. In the address pair row, click .

6. Click Save.

OpenStack CLI

1. Open the OpenStack CLI.

2. Remove the authorized addresses from the port. The IP/MAC address pair that was assigned when the port was created will remain authorized:

   openstack port set \
     --no-allowed-address \
     <port>

Enable a port

Private subnet, global router subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Private networks tab.

3. Open the network page → Ports tab.

4. Enable the port in the port card.

OpenStack CLI

1. Open the OpenStack CLI.

2. View the list of ports in the subnet and copy the ID or name of the required port:

   openstack port list --fixed-ip subnet=<subnet>

   Specify <subnet> — subnet ID or name; you can view it using the openstack subnet list.

3. Enable the port:

   openstack port set --enable <port>

   Specify <port> — ID or name of the port that you copied in step 2.

Public subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Public networks tab.

3. Open the subnet page → Ports tab.

4. Enable the port in the port row.

OpenStack CLI

1. Open the OpenStack CLI.

2. View the list of ports in the subnet and copy the ID or name of the required port:

   openstack port list --fixed-ip subnet=<subnet>

   Specify <subnet> — subnet ID or name; you can view it using the openstack subnet list.

3. Enable the port:

   openstack port set --enable <port>

   Specify <port> — ID or name of the port that you copied in step 2.

Disable a port

Private subnet, global router subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Private networks tab.

3. Open the network page → Ports tab.

4. Disable the port in the port card.

OpenStack CLI

1. Open the OpenStack CLI.

2. View the list of ports in the subnet and copy the ID or name of the required port:

   openstack port list --fixed-ip subnet=<subnet>

   Specify <subnet> — subnet ID or name; you can view it using the openstack subnet list.

3. Disable the port:

   openstack port set --disable <port>

   Specify <port> — ID or name of the port that you copied in step 2.

Public subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Public networks tab.

3. Open the subnet page → Ports tab.

4. Disable the port in the port row.

OpenStack CLI

1. Open the OpenStack CLI.

2. View the list of ports in the subnet and copy the ID or name of the required port:

   openstack port list --fixed-ip subnet=<subnet>

   Specify <subnet> — subnet ID or name; you can view it using the openstack subnet list.

3. Disable the port:

   openstack port set --disable <port>

   Specify <port> — ID or name of the port that you copied in step 2.

Delete a port

Private subnet, global router subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Private networks tab.

3. Open the network page → Ports tab.

4. In the port card, click .

   If the button is inactive, a device that prohibits deletion is connected to the port. Delete this device and return to step 1.

   To delete the device, use the following instructions:

   • delete a cloud router;
   • delete a Managed Kubernetes cluster;
   • delete a File Storage;
   • delete a load balancer.

5. Click Delete.

OpenStack CLI

1. Open the OpenStack CLI.

2. View the list of ports in the subnet and copy the ID or name of the required port:

   openstack port list --fixed-ip subnet=<subnet>

   Specify <subnet> — subnet ID or name; you can view it using the openstack subnet list.

3. Delete the port:

   openstack port delete <port>

   Specify <port> — ID or name of the port that you copied in step 2.

Public subnet

Control panel

1. In the control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Network section → Public networks tab.

3. Open the subnet page → Ports tab.

4. In the port row, click .

5. Click Delete.

OpenStack CLI

1. Open the OpenStack CLI.

2. View the list of ports in the subnet and copy the ID or name of the required port:

   openstack port list --fixed-ip subnet=<subnet>

   Specify <subnet> — subnet ID or name; you can view it using the openstack subnet list.

3. Delete the port:

   openstack port delete <port>

   Specify <port> — ID or name of the port that you copied in step 2.