Ports
A port is a virtual network card to which a combination of a MAC address and an IP address is assigned. Ports are used to connect a device to a private network or to the internet.
A port can be located in a subnet—a private subnet, a global router subnet, or a public subnet. To access the internet, instead of adding a port to a subnet, you can also create a port with a separate IP address — a direct public IP address.
Port traffic can only be sent from the single IP/MAC address pair assigned when adding a port to a subnet; traffic from other addresses is dropped. To allow traffic from addresses not specified on the port, you must add authorized IP/MAC addresses to the port. You cannot add authorized IP/MAC addresses to ports with a direct public IP address.
You can manage subnet ports in the Control panel, using the OpenStack CLI, or Terraform. You can manage ports with direct public IP addresses in the Control panel and using the OpenStack CLI.
Service ports are automatically created in cloud networks; they cannot be managed:
- two DHCP ports in a private subnet. They are created when enabling DHCP in a subnet and deleted when disabling DHCP;
- two DNS ports in a private subnet. They are created when connecting a network to a private DNS resolver, and deleted when disconnecting the private network from the private DNS resolver;
- three service ports in a global router subnet for network equipment. They are created when connecting a private network to a global router and deleted when disconnecting the private network from the global router or when deleting the global router;
- VRRP ports and downlinks (redundancy ports) in private subnets where a load balancer is located. The number of service ports depends on the load balancer type; read more about load balancer ports;
- a port in the private subnet where the file storage is located. It is created together with the subnet for the file storage and can only be deleted with the storage.
Add a port to a public or private subnet
Private subnet, global router subnet
Public subnet
Control panel
OpenStack CLI
-
In the Control panel, on the top menu, click Products and select Cloud Servers.
-
Go to the Network section → Private networks tab.
-
Open the network page → Ports tab.
-
Click Add port.
-
Select a subnet.
-
Enter the port IP address.
-
Optional: select a server or a Managed Kubernetes cluster node to which you want to add this port.
-
Click Add port.
Add a port with a direct public IP address to a cloud server
After creation, you can add a port with a direct public IP address to a cloud server.
Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- In the Servers section, open the server page → Ports.
- Click Add port.
- In the Subnet field, select Direct public IP address.
- Select an existing IP address or click New IP address.
- Click Add.
Add a cloud server or a Managed Kubernetes cluster node to a subnet via a port
After creation, a cloud server can be added to a private subnet, a global router subnet, or a public subnet. A Managed Kubernetes cluster node can be added to a private subnet or a global router subnet.
To do this, you need to add a port to the server or node.
Control panel
OpenStack CLI
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to the Servers section.
- Open the server page → Ports tab.
- Click Add port.
- Select a private subnet, a global router subnet, or a public subnet.
- Enter the port IP address.
- Click Add.
Connect a public floating IP address to a port in a private subnet
If a cloud server or load balancer is connected to a port in a private subnet, you can connect a public floating IP address to that port.
To connect a public floating IP address in device sections of the Control panel, use the Public floating IP addresses instruction.
Control panel
OpenStack CLI
- Ensure that the device is in a subnet that meets the requirements; for more details, see the Prepare a private subnet for connecting a public floating IP address subsection of the Public floating IP addresses instruction.
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to the Network section → Private networks tab.
- Open the network page → Ports tab.
- In the cloud server or load balancer port card, click Connect public IP.
- Select a public floating IP address.
- Click Connect.
Disconnect a public floating IP address from a port in a private subnet
To disconnect a public floating IP address in device sections of the Control panel, use the Public floating IP addresses instruction.
Control panel
OpenStack CLI
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to the Network section → Private networks tab.
- Open the network page → Ports tab.
- In the cloud server or load balancer port card, next to the public floating IP address, click .
- Select Disconnect public IP address.
- Optional: if you no longer need the public floating IP address, select the Delete address checkbox.
- Click Save.
Assign a security group to a port
To assign a security group on a cloud server page in the Control panel, use the Assign a security group instruction.
For a security group to be assignable to a port, traffic filtering (port security) must be enabled in the port's network. You can view the filtering status of a network in the control panel: in the top menu, click Products → Cloud Servers → Network → the Private Networks or Public Networks tab. A network with enabled filtering is marked with .
Private subnet, global router subnet
Public subnet
Direct public IP address
Control panel
OpenStack CLI
-
In the Control panel, on the top menu, click Products and select Cloud Servers.
-
Go to the Network section → Private networks tab.
-
Open the network page → Ports tab.
-
In the port card, click in the security groups field. If security group selection is unavailable, traffic filtering (port security) is disabled in the network. To use security groups, create a new private network.
-
In the Security groups field, select the groups you want to assign to the port, or click New security group and create a group.
-
Click Save.
Unassign a security group from a port
Private subnet, global router subnet
Public subnet
Direct public IP address
Control panel
OpenStack CLI
-
In the Control panel, on the top menu, click Products and select Cloud Servers.
-
Go to the Network section → Private networks tab.
-
Open the network page → Ports tab.
-
In the port card, in the security groups field, click .
-
In the Security groups field, uncheck the boxes for the groups you want to unassign from the port.
-
Click Save.
Add authorized IP/MAC addresses to a port
If traffic filtering (port security) is enabled in the network, traffic from the port can only be sent from the single IP/MAC address pair that was assigned when adding a port to a subnet or adding a port with a direct public IP address. If traffic is transmitted through the port from addresses not specified on the port, that traffic will be blocked. To allow traffic from addresses not specified on the port, you need to add authorized IP/MAC addresses to the port settings.
For example, if you have manually deployed:
- routing software on a cloud server — you need to authorize all routable networks;
- VPN server on a cloud server — you need to authorize the IP addresses of all VPN clients;
- a Kubernetes cluster with the Calico CNI in Direct routing mode on a cloud server — you need to authorize the entire subnet used in the cluster. For the Flannel CNI, no configuration is required;
- VRRP group of several cloud servers — depending on the VRRP settings, you need to authorize the VIP address or the VIP/MAC address pair of the server on each server.
You can add no more than 10 additional IP/MAC address pairs for a single port. If authorized addresses are no longer needed, you can remove them from the port. You cannot add additional addresses to a port with a direct public IP address.
You do not need to configure authorized addresses in Managed Kubernetes clusters, Managed Databases, ready-made 1C cloud, as well as on cloud servers created from images with applications. All necessary settings for them have already been made.
Private subnet, global router subnet
Public subnetwork
Control panel
OpenStack CLI
-
In the Control panel, on the top menu, click Products and select Cloud Servers.
-
Go to the Network section → Private networks tab.
-
Open the network page → Ports tab.
-
In the port card, in the security groups field, click .
-
If you want to allow all IP addresses, click Allow all IP addresses for VPN. Traffic from the 0.0.0.0/0 subnet will be allowed with the default port MAC address.
-
If you want to allow traffic from specific addresses:
6.1. Click Add IP/MAC pair.
6.2. Enter the IP address or subnet in CIDR format.
6.3.Enter the MAC address that corresponds to the IP address, or leave the default port MAC address. Do not use addresses from the range
00:00:5e:00:01:82–00:00:5e:00:01:c6. These MAC addresses are reserved by Selectel network equipment; using them will result in traffic being blocked on the cloud server interface.6.4. To add another address pair, repeat steps 6.1 — 6.3.
-
Click Save.
Remove allowed IP/MAC addresses from the port
Private subnetwork, global router subnetwork
Public subnetwork
Control panel
OpenStack CLI
-
In the Control panel, on the top menu, click Products and select Cloud Servers.
-
Go to the Network section → Private networks tab.
-
Open the network page → Ports tab.
-
In the port card, in the security groups field, click .
-
In the address pair row, click .
-
Click Save.
Enable port
Private subnetwork, global router subnetwork
Public subnetwork
Direct public IP address
Control panel
OpenStack CLI
-
In the Control panel, on the top menu, click Products and select Cloud Servers.
-
Go to the Network section → Private networks tab.
-
Open the network page → Ports tab.
-
In the port card, enable the port.
Disable port
Private subnetwork, global router subnetwork
Public subnetwork
Direct public IP address
Control panel
OpenStack CLI
-
In the Control panel, on the top menu, click Products and select Cloud Servers.
-
Go to the Network section → Private networks tab.
-
Open the network page → Ports tab.
-
In the port card, disable the port.
Delete port
Private subnetwork, global router subnetwork
Public subnetwork
Direct public IP address
Control panel
OpenStack CLI
-
In the Control panel, on the top menu, click Products and select Cloud Servers.
-
Go to the Network section → Private networks tab.
-
Open the network page → Ports tab.
-
In the port card, click .
If the button is inactive, a device that prohibits deletion is connected to the port. Delete this device and return to step 1.
To delete the device, follow the instructions:
-
Click Delete.