Example of configuring a security group for servers in a private network behind a load balancer

Last update: May 30 2026

Configuration goal

Configure a security group to receive traffic from a load balancer on target group servers.

Prerequisites

In this configuration example, we used a cloud load balancer and two cloud servers in the same pool.

The load balancer and servers are located in a private subnet 172.16.0.0/28, and traffic filtering (port security) is enabled in the network. Servers accept TCP traffic from the load balancer on port 80, and availability checks of the PING type are configured.

Configuration result

A security group has been created and assigned to the servers, allowing them to receive incoming traffic and availability checks from the load balancer.

All outgoing traffic from the servers is allowed.

Configuration steps

Control panel

1. In the Control panel, click Products in the top menu and select Cloud Servers.

2. Go to the Security Groups section.

3. Click Create security group.

4. Choose the location where the target group servers are located.

5. Create a rule in the group that will allow incoming traffic from the load balancer.

   5.1. Click Add incoming traffic rule.

   5.2. Select the protocol — TCP.

   5.3. Select traffic source (Source) — CIDR and enter the IP address of the load balancer subnet; in this example — 172.16.0.0/28. The load balancer can be recreated with a different IP address within the subnet, so you must specify the entire subnet as the traffic source.

   5.4. Enter the port (Dst. port) to which traffic is allowed to be received; in this example — 80.

   5.5. Optional: enter a comment for the rule.

   5.6. Click Add.

6. Create a rule in the group to allow availability checks from the load balancer:

   6.1. Click Add incoming traffic rule.

   6.2. Select the protocol — ICMP.

   6.3. Select traffic source (Source) — CIDR and enter the IP address of the load balancer subnet; in this example — 172.16.0.0/28. The load balancer can be recreated with a different IP address within the subnet, so you must specify the entire subnet as the traffic source.

   6.4. Optional: enter a comment for the rule.

   6.6. Click Add.

7. In the Ports block, select the server ports of the target group to which the security group will be assigned. After the group is created, all active sessions on the selected ports that do not comply with the group rules will be terminated.

8. Enter a group name or leave the name that was created automatically.

9. Optional: enter a comment for the group.

10. Click Create security group.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a security group for cloud servers behind the load balancer:

   openstack security group create \
       --description "<description>" \
       <security_group_name>

   Specify:

   • <description> — group description, for example load balancer target group tcp-80;
   • <security_group_name> — group name, for example target-group-tcp-80.

   The group will be created with two rules that allow all outgoing traffic.

3. Create a rule in the group that will allow incoming traffic from the load balancer. The load balancer can be recreated with a different IP address within the subnet, so you must specify the entire subnet as the traffic source:

   openstack security group rule create \
       --protocol <protocol> --dst-port <port> \
       --remote-ip <ip_address> \
       <security_group>

   Specify:

   • <protocol> — target group protocol, in the example — tcp;
   • <port> — port on the target group server to which it is allowed to receive traffic, in the example — 80;
   • <ip_address> — IP address or subnet from which traffic is allowed to be received, in the example — 172.16.0.0/28;
   • <security_group> — ID or name of the security group you created in step 2, which can be viewed using the command openstack security group list.

4. Create a rule in the group to allow availability checks from the load balancer:

   openstack security group rule create \
       --protocol <protocol> \
       --remote-ip <ip_address> \
       <security_group>

   Specify:

   • <protocol> — availability check protocol, in the example — icmp;
   • <ip_address> — IP address or subnet from which traffic is allowed to be received, in the example — 172.16.0.0/28;
   • <security_group> — ID or name of the security group you created in step 2, which can be viewed using the command openstack security group list.

5. Assign the created security group to the port of each target group server that receives traffic from the load balancer:

   openstack port set \
       --security-group <security_group> \
       <port>

   Specify:

   • <security_group> — ID or name of the security group you created in step 2, which can be viewed using the command openstack security group list;
   • <port> — ID or name of the server port from the private subnet, in the example — from the subnet 172.16.0.0/28, which can be viewed using the command openstack port list.

6. Optional: check the list of rules in the group:

   openstack security group rule list <security_group>

   Specify <security_group> — ID or name of the security group you created in step 2, which can be viewed using the command openstack security group list.

Terraform

Use the Create a security group and assign it to a server port guide in the Terraform documentation.