Example of configuring security groups for cloud servers in one subnet
Goal of the configuration
Configure security groups for two cloud servers to restrict the servers' access to each other and access to the servers from the internet.
Prerequisites
In this configuration example, we used two cloud servers located in the same pool:
- one server is running a web server and is connected to the internet via a public IP address;
- the other server is running a MySQL database that accepts requests from the web server on the standard port 3306.
The servers are added to the same private subnet. Traffic filtering (port security) is enabled in the private network and on the server ports within this network.
Configuration result
Two security groups have been created and assigned to the server ports:
- for the web server — the group allows incoming HTTP and HTTPS traffic from the internet;
- for the database server — the group allows incoming traffic from the web server on the database's standard port.
All outgoing traffic from the servers is allowed.
Configuration steps
Control panel
1. Create a security group for the web server
- In the Control panel, on the top menu click Products and select Cloud Servers.
- Go to the Security groups section.
- Click Create security group.
- Select the location where the web server is located.
- Create a rule that allows incoming HTTP traffic for the web server:
  5.1. Click Add incoming traffic rule.
  5.2. Select the protocol: TCP.
  5.3. Select the traffic source (Source): CIDR, and enter the default subnet address 0.0.0.0/0.
  5.4. Enter the port (Dst. port) on which traffic is allowed: 80.
  5.5. Optional: enter a comment for the rule.
  5.6. Click Add.
- Create a rule that allows incoming HTTPS traffic for the web server:
  6.1. Click Add incoming traffic rule.
  6.2. Select the protocol: TCP.
  6.3. Select the traffic source (Source): CIDR, and enter the default subnet address 0.0.0.0/0.
  6.4. Enter the port (Dst. port) on which traffic is allowed; in this example: 443.
  6.5. Optional: enter a comment for the rule.
  6.6. Click Add.
- In the Ports block, select the web server port to which the security group will be assigned. After the group is created, all active sessions on the port that do not match the group's rules will be terminated.
- Enter a name for the group or keep the automatically generated name.
- Optional: enter a comment for the group.
- Click Create security group.
2. Create a security group for the database server
- In the Control panel, on the top menu click Products and select Cloud Servers.
- Go to the Security groups section.
- Click Create security group.
- Select the location where the database server is located.
- Create a rule that allows incoming traffic from the web server group:
  5.1. Click Add incoming traffic rule.
  5.2. Select the protocol: TCP.
  5.3. Select the traffic source (Source): SG, and select the security group you created for the web server.
  5.4. Enter the port (Dst. port) on which traffic is allowed: 3306.
  5.5. Optional: enter a comment for the rule.
  5.6. Click Add.
- In the Ports block, select the database server port to which the security group will be assigned. After the group is created, all active sessions on the port that do not match the group's rules will be terminated.
- Enter a name for the group or keep the automatically generated name.
- Optional: enter a comment for the group.
- Click Create security group.
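The following added example (not part of this documentation page) models the two groups from steps 1 and 2 and checks the resulting policy: security groups are allow-lists, a rule with an SG source matches by group membership rather than by address, and it also emits the equivalent OpenStack CLI rule commands. The group names, private addresses and test source address are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    """One ingress rule: the source is either a CIDR or another security group (SG)."""
    protocol: str
    dst_port: int
    remote_cidr: Optional[str] = None
    remote_group: Optional[str] = None

# Constructed model of the two groups from this example (ingress rules only;
# all egress is allowed in the example and is not modelled).
GROUPS = {
    "web-sg": [Rule("tcp", 80, remote_cidr="0.0.0.0/0"),
               Rule("tcp", 443, remote_cidr="0.0.0.0/0")],
    "db-sg": [Rule("tcp", 3306, remote_group="web-sg")],
}
# Constructed: private address of each server port and the group assigned to it.
PORT_GROUP = {"10.0.0.10": "web-sg", "10.0.0.20": "db-sg"}

def ingress_allowed(dst_ip: str, src_ip: str, protocol: str, dst_port: int) -> bool:
    """A packet is accepted only if some rule of the group on the destination
    port matches it; with no matching rule it is dropped (default deny)."""
    group = PORT_GROUP.get(dst_ip)
    if group is None:
        return False
    src_group = PORT_GROUP.get(src_ip)  # SG sources match by membership, not by IP
    for rule in GROUPS[group]:
        if rule.protocol != protocol or rule.dst_port != dst_port:
            continue
        if rule.remote_cidr and ip_address(src_ip) in ip_network(rule.remote_cidr):
            return True
        if rule.remote_group and src_group == rule.remote_group:
            return True
    return False

def to_openstack_cli(group: str) -> List[str]:
    """Equivalent `openstack security group rule create` commands for one group."""
    cmds = []
    for rule in GROUPS[group]:
        source = (f"--remote-ip {rule.remote_cidr}" if rule.remote_cidr
                  else f"--remote-group {rule.remote_group}")
        cmds.append("openstack security group rule create --ingress "
                    f"--protocol {rule.protocol} --dst-port {rule.dst_port} {source} {group}")
    return cmds

if __name__ == "__main__":
    for name in GROUPS:
        print("\n".join(to_openstack_cli(name)))
```

Before the groups are applied to live ports, run the checks in the usage below against your intended matrix: the internet must reach only 80/443 on the web server, and 3306 on the database server must be reachable from the web server's group only.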