Restrict access to the load balancer
You can restrict access to the load balancer — specify the allowed IP addresses from which the load balancer will accept traffic.
Allowed IP addresses are specified in the balancer rule and apply only to the port and traffic type that are specified in the rule. You can specify allowed addresses when creating a rule or in an existing rule.
For authorized addresses to work, port security must be enabled on the balancer network.
Specify the allowed IP addresses in an existing rule
Control panel
OpenStack CLI
-
In the dashboard, on the top menu, click Products and select Cloud Servers.
-
Go to Balancers → Balancers tab.
-
Open the balancer page.
-
Open the rule card.
-
If the card has an Allowed CIDR field, in that field:
5.1 Click .
5.2 Enter the allowed IP addresses or subnets, separated by commas.
5.3 Click .
-
If the Allowed CIDRs field does not appear, port security is disabled on the network . Create a new private network or public subnet and recreate the load balancer on it.
-
Verify that traffic filtering is enabled on the balancer network — the
port_security_enabledfield is set totrue:openstack network show <network>If the field is
false, create a new private network or public subnet and recreate the load balancer in it. -
Specify the allowed IP addresses in the balancer rule:
openstack loadbalancer listener set \
--allowed-cidr <allowed_cidr>
<listener>Specify:
<allowed_cidr>— IP address or subnet in CIDR format. If you want to specify multiple addresses, specify each address in a separate parameter--allowed-cidr;<listener>— The ID or name of the rule. The list can be viewed with the commandopenstack loadbalancer listener list.