Skip to main content

Ports

Last update:

A port is a virtual network card to which a combination of a MAC address and an IP address is assigned. Ports are used to connect a device to a private network or to the internet.

A port can be located in a subnet—a private subnet, a global router subnet, or a public subnet. To access the internet, instead of adding a port to a subnet, you can also create a port with a separate IP address — a direct public IP address.

Port traffic can only be sent from the single IP/MAC address pair assigned when adding a port to a subnet; traffic from other addresses is dropped. To allow traffic from addresses not specified on the port, you must add authorized IP/MAC addresses to the port. You cannot add authorized IP/MAC addresses to ports with a direct public IP address.

You can manage subnet ports in the Control panel, using the OpenStack CLI, or Terraform. You can manage ports with direct public IP addresses in the Control panel and using the OpenStack CLI.

Service ports are automatically created in cloud networks; they cannot be managed:

Add a port to a public or private subnet

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to the Network section → Private networks tab.

  3. Open the network page → Ports tab.

  4. Click Add port.

  5. Select a subnet.

  6. Enter the port IP address.

  7. Optional: select a server or a Managed Kubernetes cluster node to which you want to add this port.

  8. Click Add port.

Add a port with a direct public IP address to a cloud server

After creation, you can add a port with a direct public IP address to a cloud server.

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.
  2. In the Servers section, open the server page → Ports.
  3. Click Add port.
  4. In the Subnet field, select Direct public IP address.
  5. Select an existing IP address or click New IP address.
  6. Click Add.

Add a cloud server or a Managed Kubernetes cluster node to a subnet via a port

After creation, a cloud server can be added to a private subnet, a global router subnet, or a public subnet. A Managed Kubernetes cluster node can be added to a private subnet or a global router subnet.

To do this, you need to add a port to the server or node.

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.
  2. Go to the Servers section.
  3. Open the server page → Ports tab.
  4. Click Add port.
  5. Select a private subnet, a global router subnet, or a public subnet.
  6. Enter the port IP address.
  7. Click Add.

Connect a public floating IP address to a port in a private subnet

If a cloud server or load balancer is connected to a port in a private subnet, you can connect a public floating IP address to that port.

To connect a public floating IP address in device sections of the Control panel, use the Public floating IP addresses instruction.

  1. Ensure that the device is in a subnet that meets the requirements; for more details, see the Prepare a private subnet for connecting a public floating IP address subsection of the Public floating IP addresses instruction.
  2. In the Control panel, on the top menu, click Products and select Cloud Servers.
  3. Go to the Network section → Private networks tab.
  4. Open the network page → Ports tab.
  5. In the cloud server or load balancer port card, click Connect public IP.
  6. Select a public floating IP address.
  7. Click Connect.

Disconnect a public floating IP address from a port in a private subnet

To disconnect a public floating IP address in device sections of the Control panel, use the Public floating IP addresses instruction.

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.
  2. Go to the Network section → Private networks tab.
  3. Open the network page → Ports tab.
  4. In the cloud server or load balancer port card, next to the public floating IP address, click .
  5. Select Disconnect public IP address.
  6. Optional: if you no longer need the public floating IP address, select the Delete address checkbox.
  7. Click Save.

Assign a security group to a port

To assign a security group on a cloud server page in the Control panel, use the Assign a security group instruction.

For a security group to be assignable to a port, traffic filtering (port security) must be enabled in the port's network. You can view the filtering status of a network in the control panel: in the top menu, click ProductsCloud ServersNetwork → the Private Networks or Public Networks tab. A network with enabled filtering is marked with .

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to the Network section → Private networks tab.

  3. Open the network page → Ports tab.

  4. In the port card, click in the security groups field. If security group selection is unavailable, traffic filtering (port security) is disabled in the network. To use security groups, create a new private network.

  5. In the Security groups field, select the groups you want to assign to the port, or click New security group and create a group.

  6. Click Save.

Unassign a security group from a port

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to the Network section → Private networks tab.

  3. Open the network page → Ports tab.

  4. In the port card, in the security groups field, click .

  5. In the Security groups field, uncheck the boxes for the groups you want to unassign from the port.

  6. Click Save.

Add authorized IP/MAC addresses to a port

If traffic filtering (port security) is enabled in the network, traffic from the port can only be sent from the single IP/MAC address pair that was assigned when adding a port to a subnet or adding a port with a direct public IP address. If traffic is transmitted through the port from addresses not specified on the port, that traffic will be blocked. To allow traffic from addresses not specified on the port, you need to add authorized IP/MAC addresses to the port settings.

For example, if you have manually deployed:

  • routing software on a cloud server — you need to authorize all routable networks;
  • VPN server on a cloud server — you need to authorize the IP addresses of all VPN clients;
  • a Kubernetes cluster with the Calico CNI in Direct routing mode on a cloud server — you need to authorize the entire subnet used in the cluster. For the Flannel CNI, no configuration is required;
  • VRRP group of several cloud servers — depending on the VRRP settings, you need to authorize the VIP address or the VIP/MAC address pair of the server on each server.

You can add no more than 10 additional IP/MAC address pairs for a single port. If authorized addresses are no longer needed, you can remove them from the port. You cannot add additional addresses to a port with a direct public IP address.

You do not need to configure authorized addresses in Managed Kubernetes clusters, Managed Databases, ready-made 1C cloud, as well as on cloud servers created from images with applications. All necessary settings for them have already been made.

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to the Network section → Private networks tab.

  3. Open the network page → Ports tab.

  4. In the port card, in the security groups field, click .

  5. If you want to allow all IP addresses, click Allow all IP addresses for VPN. Traffic from the 0.0.0.0/0 subnet will be allowed with the default port MAC address.

  6. If you want to allow traffic from specific addresses:

    6.1. Click Add IP/MAC pair.

    6.2. Enter the IP address or subnet in CIDR format.

    6.3.Enter the MAC address that corresponds to the IP address, or leave the default port MAC address. Do not use addresses from the range 00:00:5e:00:01:8200:00:5e:00:01:c6. These MAC addresses are reserved by Selectel network equipment; using them will result in traffic being blocked on the cloud server interface.

    6.4. To add another address pair, repeat steps 6.1 — 6.3.

  7. Click Save.

Remove allowed IP/MAC addresses from the port

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to the Network section → Private networks tab.

  3. Open the network page → Ports tab.

  4. In the port card, in the security groups field, click .

  5. In the address pair row, click .

  6. Click Save.

Enable port

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to the Network section → Private networks tab.

  3. Open the network page → Ports tab.

  4. In the port card, enable the port.

Disable port

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to the Network section → Private networks tab.

  3. Open the network page → Ports tab.

  4. In the port card, disable the port.

Delete port

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to the Network section → Private networks tab.

  3. Open the network page → Ports tab.

  4. In the port card, click .

    If the button is inactive, a device that prohibits deletion is connected to the port. Delete this device and return to step 1.

    To delete the device, follow the instructions:

  5. Click Delete.