Restrict access to the load balancer

Last update: June 05 2025

Restrict access to the load balancer

You can restrict access to the load balancer — specify the allowed IP addresses from which the load balancer will accept traffic.

Allowed IP addresses are specified in the balancer rule and apply only to the port and traffic type that are specified in the rule. You can specify allowed addresses when creating a rule or in an existing rule.

For authorized addresses to work, port security must be enabled on the balancer network.

Specify the allowed IP addresses in an existing rule⁠

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.

2. Go to Balancers → Balancers tab.

3. Open the balancer page.

4. Open the rule card.

5. If the card has an Allowed CIDR field, in that field:

   5.1 Click .

   5.2 Enter the allowed IP addresses or subnets, separated by commas.

   5.3 Click .

6. If the Allowed CIDRs field does not appear, port security is disabled on the network . Create a new private network or public subnet and create a load balancer on it.

OpenStack CLI

1. Open the OpenStack CLI.

2. Verify that traffic filtering is enabled on the balancer network — the port_security_enabled field is set to true:

   openstack network show <network>

   If the field value is false, create a new private network or public subnet and create a load balancer in it.

3. Specify the allowed IP addresses in the balancer rule:

   openstack loadbalancer listener set \
   --allowed-cidr <allowed_cidr>
   <listener>

   Specify:

   • <allowed_cidr> — IP address or subnet in CIDR format. If you want to specify multiple addresses, specify each address in a separate parameter --allowed-cidr;
   • <listener> — The ID or name of the rule. The list can be viewed with the command openstack loadbalancer listener list.