Assign a security group

To assign a security group to a port, traffic filtering (port security) must be enabled on the port network. You can check the filtering status in the Control Panel: in the top menu, click Products → Cloud Servers → Network → Private networks or Public networks tab. Networks with filtering enabled are marked with an icon.

When a port is created, a default security group named default is assigned to it. You can also specify a different security group when creating a port or server; it will be assigned instead of the default group.

You can assign a security group:

• when creating a port;
• to an existing cloud server port;
• when creating a server.

In the control panel, you can only assign a group to an existing port.

Assign a security group when creating a port

  1. Open the OpenStack CLI.

  2. Create a port with a security group:

    openstack port create \
    --network <network> \
    --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
    --security-group <security_group> \
    <port_name>

    Specify:

    • <network> — network ID or name, can be viewed using the openstack network list command. For a public subnet, it matches the <subnet> parameter;
    • <subnet> — subnet ID or name, can be viewed using the openstack subnet list command;
    • <port_ip_address> — port IP address;
    • <security_group> — security group ID or name, can be viewed using the openstack security group list command;
    • <port_name> — port name.
  3. Add a port to a server:

    openstack server add port <server> <port>

    Specify:

    • <server> — cloud server ID or name, can be viewed using the openstack server list command;
    • <port> — ID or name of the port created in step 2, can be viewed using the openstack port list command.
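
A pre-flight check and a verification around step 2, added here as an example and not part of the original guide: it refuses to create the port when filtering is disabled on the network, then confirms the port carries the intended group before it is attached. It assumes the panel's filtering flag is the network's `port_security_enabled` attribute in the OpenStack CLI; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.
# Assumption: the panel's "traffic filtering" flag is the network's
# port_security_enabled attribute as reported by the OpenStack CLI.

# Return 0 only when port security is enabled on the given network.
network_filtering_enabled() {
    state=$(openstack network show "$1" -f value -c port_security_enabled) || return 2
    case "$state" in
        True|true) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a port with an explicit security group and print the new port ID.
# Refuses to run when filtering is disabled on the network.
create_filtered_port() {
    network=$1; subnet=$2; ip=$3; group=$4; name=$5
    if ! network_filtering_enabled "$network"; then
        echo "filtering is disabled on network $network; not creating $name" >&2
        return 1
    fi
    openstack port create \
        --network "$network" \
        --fixed-ip "subnet=$subnet,ip-address=$ip" \
        --security-group "$group" \
        -f value -c id \
        "$name"
}

# Return 0 when the port's security_group_ids contain the given group.
# The group name is resolved to its ID first, because ports store IDs.
port_has_group() {
    group_id=$(openstack security group show "$2" -f value -c id) || return 2
    [ -n "$group_id" ] || return 2
    openstack port show "$1" -f value -c security_group_ids |
        grep -qF -- "$group_id"
}

# Usage (placeholders as in step 2):
#   port_id=$(create_filtered_port <network> <subnet> <port_ip_address> <security_group> <port_name>) &&
#       port_has_group "$port_id" <security_group> &&
#       openstack server add port <server> "$port_id"
```

Chaining the three calls with `&&` means a port that ended up without the intended group is never attached to the server.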

Assign a group to an existing cloud server port

Warning: After assigning a group to a port, all active sessions that do not comply with the group rules will be dropped.

  1. In the Control panel, click Products in the top menu and select Cloud Servers.

  2. Open the server page → Ports tab.

  3. In the port card, in the security groups field, click the icon.

  4. In the Security groups field, select the groups you want to assign to the port, or click New security group and create a group.

  5. Click Save.

Assign a group when creating a server

The group will be assigned only to the ports created together with the server.

  1. Open the OpenStack CLI.

  2. Create a cloud server in the subnet with a security group specified:

    openstack server create \
    [--image <image> | --volume <volume> | --snapshot <snapshot>] \
    --flavor <flavor> \
    --availability-zone <pool_segment> \
    --nic net-id=<net_uuid> \
    --security-group <security_group> \
    --key-name <key_name> \
    <server_name>

    Specify:

    • source type:

      • --image <image> — to create a server from a pre-built or custom image. The <image> parameter is the image ID or name, which can be viewed using the openstack image list command;
      • --volume <volume> — to create a server from a network volume. The <volume> parameter is the volume ID or name, which can be viewed using the openstack volume list command;
      • --snapshot <snapshot> — to create a server from a snapshot. The <snapshot> parameter is the snapshot ID or name, which can be viewed using the openstack snapshot list command;
    • <flavor> — flavor ID or name. Flavors correspond to cloud server configurations and define the number of vCPU, RAM, and local disk size (optional) of the server. You can use fixed configuration flavors or create a flavor. For example, 1015 is the ID to create a server with a fixed Standard configuration with 4 vCPU and 16 GB RAM in the ru-9 pool. You can view the flavor list using the openstack flavor list command or in the List of fixed configuration flavors in all pools table;

    • <pool_segment> — pool segment in which the cloud server will be created, e.g., ru-9a. The list of available pool segments can be viewed in the Availability matrix;

    • <net_uuid> — ID of the private or public network to which the server will connect, can be viewed using the openstack network list command;

    • <key_name> — name of the service user SSH key pair. If SSH keys are not created, generate them. The list can be viewed using the openstack keypair list command;

    • <security_group> — security group ID or name, can be viewed using the openstack security group list command;

    • optional: --block-device-mapping vdb=<extra_volume> — to add an additional volume. The <extra_volume> parameter is the additional volume ID or name, which can be viewed using the openstack volume list command;

    • optional: --property x_cloud_smt_enabled=false — disable Hyper-Threading (SMT). If this parameter is not specified, Hyper-Threading (SMT) will be enabled by default. Can only be used with flavors that support dedicated cores. You can view the flavor list in the List of fixed configuration flavors in all pools table;

    • optional: --property x_cloud_numa_nodes=1 — resource placement on a single NUMA node. Can be used only with flavors that support dedicated cores. You can view the list of available flavors in the table List of fixed configuration flavors in all pools;

    • optional: --tag <tag_name> --os-compute-api-version 2.52 — tag to add additional information about the server. The <tag_name> parameter is the tag name;

    • optional: --tag preemptible --os-compute-api-version 2.72 — tag for creating a preemptible server;

    • optional: --user-data <user_data.file> — to specify a script to run on the first OS boot. The <user_data.file> parameter is the path to the Base64-encoded script. You can view script examples in the User data guide;

    • <server_name> — server name.