Create a rule for TCP or UDP traffic

Last update: May 30 2026

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Load Balancers section → Load Balancers tab.

3. Open the load balancer page.

4. Click Create Rule.

5. Select the traffic reception protocol — TCP or UDP.

6. For the selected protocol, a default port on which the load balancer will listen for traffic will be automatically selected — change it if necessary.

7. Optional: enter the allowed CIDRs from which the load balancer will accept traffic with the selected protocol and port. You can enter a subnet in CIDR format or a single IP address with a /32 mask. If you leave the field empty, the load balancer will accept traffic from any IP address. You can specify allowed IP addresses in the rule after creating it.

   If the field is missing, traffic filtering (port security) is disabled in the load balancer network.

8. Select a target group or create a new target group with a suitable protocol.

9. Optional: change the connection settings; to do this, open the Advanced Rule Settings block and specify:

   • for incoming requests to the load balancer — specify the connection timeout and the maximum number of connections;
   • for requests from the load balancer to servers — specify the connection timeout, inactivity timeout, and TCP packet waiting timeout.

10. Click Create.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a rule for the load balancer:

   openstack loadbalancer listener create \
     --name <listener_name> \
     --protocol <protocol> \
     --protocol-port <port> \
     [--allowed-cidr <allowed_cidr>] \
     <loadbalancer>

   Specify:

   • <listener_name> — the rule name;
   • <protocol> — the protocol name, TCP or UDP;
   • <port> — the port number;
   • optional: --allowed-cidr <allowed_cidr> — IP address from which traffic is allowed, where <allowed_cidr> — a subnet in CIDR format or a single IP address with a /32 mask. If you need to specify multiple addresses, provide each in a separate --allowed-cidr parameter. For the restriction to work, traffic filtering (port security) must be enabled in the load balancer network. You can specify allowed IP addresses in the rule after creating the load balancer;
   • <loadbalancer> — ID or name of the load balancer. The list can be viewed using the openstack loadbalancer list command.

3. Create a target group:

   openstack loadbalancer pool create \
     --name <pool_name> \
     --lb-algorithm <algorithm> \
     --listener <listener_name> \
     --protocol <protocol>

   Specify:

   • <pool_name> — the target group name;
   • <algorithm> — the algorithm name: ROUND_ROBIN or LEAST_CONNECTIONS;
   • <listener_name> — the rule name;
   • <protocol> — the protocol name.

4. Add a server to the target group:

   openstack loadbalancer member create \
     --subnet-id <subnet_uuid> \
     --address <server_ip_address> \
     --protocol-port <port> \
     <pool_name>

   Specify:

   • <subnet_uuid> — the ID of the server's private or public subnet, which can be viewed using the openstack subnet list command;
   • <server_ip_address> — the server's IP address from the specified subnet.