Example of configuring security groups for cloud servers in the same subnet

Configuration goal

Configure security groups for two cloud servers to restrict the servers' access to each other and access to the servers from the internet.

Requirements

In this configuration example, we used two cloud servers located in the same pool:

  • one server is running a web server and is connected to the internet via a public IP address;
  • the other server is running a MySQL database that accepts requests from the web server on the standard port 3306.

The servers are added to one private subnet. Traffic filtering (port security) is enabled in the private network and on the server ports in this network.

Configuration result

Two security groups have been created and assigned to the server ports:

  • for the web server — the group allows incoming HTTP and HTTPS traffic from the internet;
  • for the database server — the group allows incoming traffic from the web server on the database's standard port.

All outgoing traffic from the servers is allowed.

Configuration steps

  1. Create a security group for the web server.
  2. Create a security group for the database server.

1. Create a security group for the web server

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to the Security Groups section.

  3. Click Create security group.

  4. Select the location where the web server is located.

  5. Create a rule that allows incoming HTTP traffic for the web server:

    5.1. Click Add incoming traffic rule.

    5.2. Select the protocol — TCP.

    5.3. Select the traffic source (Source) — CIDR and enter 0.0.0.0/0, which matches any source address (the rule accepts connections from the whole internet).

    5.4. Enter the port (Dst. port) to accept incoming traffic — 80.

    5.5. Optional: enter a comment for the rule.

    5.6. Click Add.

  6. Create a rule that allows HTTPS traffic for the web server:

    6.1. Click Add incoming traffic rule.

    6.2. Select the protocol — TCP.

    6.3. Select the traffic source (Source) — CIDR and enter 0.0.0.0/0, which matches any source address.

    6.4. Enter the port (Dst. port) to accept incoming traffic; in this example — 443.

    6.5. Optional: enter a comment for the rule.

    6.6. Click Add.

  7. In the Ports block, select the web server port to which the security group will be assigned. Once the group is created, all active sessions on the port that do not comply with the group rules will be terminated.

  8. Enter a group name or leave the name created automatically.

  9. Optional: enter a comment for the group.

  10. Click Create security group.

2. Create a security group for the database server

  1. In the Control panel, on the top menu, click Products and select Cloud Servers.

  2. Go to the Security Groups section.

  3. Click Create security group.

  4. Select the location where the database server is located.

  5. Create a rule that allows incoming traffic from the web server group:

    5.1. Click Add incoming traffic rule.

    5.2. Select the protocol — TCP.

    5.3. Select the traffic source (Source) — SG and select the security group you created for the web server.

    5.4. Enter the port (Dst. port) to accept incoming traffic — 3306.

    5.5. Optional: enter a comment for the rule.

    5.6. Click Add.

  6. In the Ports block, select the database server port to which the security group will be assigned. Once the group is created, all active sessions on the port that do not comply with the group rules will be terminated.

  7. Enter a group name or leave the name created automatically.

  8. Optional: enter a comment for the group.

  9. Click Create security group.
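The two procedures above produce a filtering policy that is easy to get subtly wrong (for example by using the subnet CIDR instead of the web server's group as the database rule's source). The following Python model is an added illustration, not the provider's own code or API: it encodes both groups as created in sections 1 and 2, assigns them to the server ports, and evaluates whether a given inbound connection would be admitted. Group names (sg-web, sg-db), private addresses (10.0.0.0/24) and the external client address 203.0.113.5 are constructed assumptions; a third server "other" is included only to show that being in the same subnet does not grant access to the database port.

```python
"""Model of the security-group policy from this example (added illustration).

Port security is default-deny for incoming traffic: a packet reaches a server
port only if some ingress rule of a group assigned to that port matches it.
Outgoing traffic is allowed unconditionally, as the configuration result states.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One incoming-traffic rule: Source is either a CIDR or another group (SG)."""
    protocol: str                   # "tcp", "udp", ...
    dst_port: Optional[int]         # None matches any destination port
    cidr: Optional[str] = None      # Source — CIDR
    source_group: Optional[str] = None  # Source — SG (name of the sender's group)


@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)


@dataclass
class Port:
    """A server port in the private subnet and the groups assigned to it."""
    name: str
    address: str
    groups: List[SecurityGroup] = field(default_factory=list)


# Section 1: web server group, HTTP and HTTPS from anywhere.
SG_WEB = SecurityGroup("sg-web", [
    Rule("tcp", 80, cidr="0.0.0.0/0"),
    Rule("tcp", 443, cidr="0.0.0.0/0"),
])
# Section 2: database group, MySQL only from members of the web server group.
SG_DB = SecurityGroup("sg-db", [
    Rule("tcp", 3306, source_group="sg-web"),
])

# Constructed sample topology (names and addresses are assumptions).
PORTS = {
    "web": Port("web", "10.0.0.10", [SG_WEB]),
    "db": Port("db", "10.0.0.20", [SG_DB]),
    # A neighbour in the same subnet that carries no group at all (assumption).
    "other": Port("other", "10.0.0.30", []),
}


def _port_by_address(address: str) -> Optional[Port]:
    return next((p for p in PORTS.values() if p.address == address), None)


def _rule_matches(rule: Rule, src_ip: str, protocol: str, dst_port: int) -> bool:
    if rule.protocol != protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != dst_port:
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr, strict=False)
    if rule.source_group is not None:
        # "Source — SG": the sender must be a port that has that group assigned.
        sender = _port_by_address(src_ip)
        return sender is not None and any(g.name == rule.source_group for g in sender.groups)
    return False


def ingress_allowed(src_ip: str, dst_name: str, protocol: str, dst_port: int) -> bool:
    """True if any rule of any group on the destination port admits the packet."""
    dst = PORTS[dst_name]
    return any(_rule_matches(r, src_ip, protocol, dst_port)
               for g in dst.groups for r in g.ingress)


def egress_allowed(src_name: str, dst_ip: str, protocol: str, dst_port: int) -> bool:
    """All outgoing traffic from the servers is allowed; nothing is evaluated."""
    return src_name in PORTS


if __name__ == "__main__":
    checks = [
        ("203.0.113.5", "web", "tcp", 80),    # internet -> web HTTP
        ("203.0.113.5", "web", "tcp", 22),    # internet -> web SSH
        ("10.0.0.10", "db", "tcp", 3306),     # web -> db MySQL
        ("10.0.0.30", "db", "tcp", 3306),     # same-subnet neighbour -> db
        ("203.0.113.5", "db", "tcp", 3306),   # internet -> db
    ]
    for src, dst, proto, port in checks:
        print(f"{src:>12} -> {dst}:{port}/{proto}: {'allow' if ingress_allowed(src, dst, proto, port) else 'deny'}")
```

The database rule keys on group membership rather than on an address, so moving the web server to another address, or adding a second web server with sg-web assigned, keeps the policy correct without editing sg-db; conversely a server in the same subnet without that group is refused on 3306 even though it can route to the database.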