Ports
A port is a virtual network card to which a mapping of MAC address and IP address is assigned. An IP address is assigned to a port within the subnet in which the port is located.
Ports are used to connect devices to private subnets, global router subnets, and public subnets. If a port is disconnected from a device, it will also be disconnected from a subnet. A private subnet cannot be deleted if it has at least one port.
If port security is enabled on the port network, you can assign a security group to the port and add authorized IP/MAC addresses.
You can work with ports in the control panel, using the OpenStack CLI or Terraform.
In cloud networks, service ports are created automatically and cannot be managed:
- two DHCP ports on a private subnet. Created when DHCP is enabled on the subnet, deleted when DHCP is disabled;
- three service ports on the global router subnet for network equipment. Created when the private network is connected to the global router, deleted when the private network is disconnected from the global router or when the global router is removed;
- VRRP ports and downlinks on the private subnets where the load balancer resides. The number of service ports depends on the type of load balancer, see Load Balancer Ports for details;
- a port on the private subnet where the file storage is located. Created together with the subnet for the file storage, can be deleted only with the storage.
Add a port to a subnet
Private subnet, global router subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Private Networks tab.
- Open the Network page → Ports tab.
- Click Add Port.
- Select a subnet.
- Enter the IP address of the port.
- Optional: select the server or Managed Kubernetes cluster node to which you want to add this port.
- Click Add Port.

OpenStack CLI
- Create a port on the subnet:
  openstack port create \
    --network <network> \
    --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
    <port_name>
  Specify:
  - <network>: the ID or name of the private network or the global router network; can be viewed with the command openstack network list;
  - <subnet>: the ID or name of the subnet; can be viewed with the command openstack subnet list;
  - <port_ip_address>: the IP address of the port;
  - <port_name>: the port name.

Public subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Public Networks tab.
- Open the subnet card → Ports tab.
- Click Add Port.
- Select a subnet.
- Enter the IP address of the port.
- Click Add Port.

OpenStack CLI
- Create a port on the subnet:
  openstack port create \
    --network <network> \
    --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
    <port_name>
  Specify:
  - <network>: the ID or name of the public network; it is the same as the <subnet> parameter and can be viewed with the command openstack subnet list;
  - <subnet>: the ID or name of the subnet; can be viewed with the command openstack subnet list;
  - <port_ip_address>: the IP address of the port;
  - <port_name>: the port name.
Add a cloud server or Managed Kubernetes cluster node to the subnet via port
A cloud server can be added to a private subnet, a global router subnet, or a public subnet after server creation. The Managed Kubernetes cluster node can be added to a private subnet or a global router subnet.
To do this, you need to add a port to the server or node.
Control panel
- In the Control Panel, go to Cloud Platform → Servers.
- Open the server page → Ports tab.
- Click Add Port.
- Select private subnet, global router subnet, or public subnet.
- Enter the IP address of the port.
- Click Add.

OpenStack CLI
- Create a port on the subnet:
  openstack port create \
    --network <network> \
    --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
    <port_name>
  Specify:
  - <network>: the ID or name of a private subnet, global router subnet, or public subnet; can be viewed with the command openstack network list. For a public subnet it is the same as the <subnet> parameter;
  - <subnet>: the ID or name of the subnet; can be viewed with the command openstack subnet list;
  - <port_ip_address>: the IP address of the port;
  - <port_name>: the port name.
- Add a port to the cloud server:
  openstack server add port <server> <port>
  Specify:
  - <server>: the ID or name of the cloud server; can be viewed with the command openstack server list;
  - <port>: the port ID or name; can be viewed with the command openstack port list.
Connect a public IP address to a port on a private subnet
If a cloud server or load balancer is connected to a port on the private subnet, you can connect a public IP address to the port.
To connect a public IP address in the device sections of the Control Panel, use the Public IP Addresses instructions.
Control panel
- Make sure the device is on a subnet that meets the requirements. To prepare the subnet, use the instructions Prepare a private subnet to connect a public IP address.
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Private Networks tab.
- Open the Network page → Ports tab.
- In the port card of the cloud server or load balancer, click Connect Public IP.
- Select a public IP address.
- Click Connect.

OpenStack CLI
- Connect a public IP address to the port:
  openstack floating ip set --port <port> <public_ip_address>
  Specify:
  - <port>: the port ID of a cloud server or load balancer; can be viewed with the command openstack port list;
  - <public_ip_address>: the ID or the public IP address; can be viewed with the command openstack floating ip list.
Disconnect a public IP address from a port on a private subnet
To disconnect the public IP address in the device sections of the Control Panel, use the Public IP Addresses instructions.

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Private Networks tab.
- Open the Network page → Ports tab.
- In the port card of the cloud server or load balancer, next to the public IP address, click .
- Select Disable public IP address.
- Optional: If you no longer need the public IP address, check the Delete Address checkbox.
- Click Save.

OpenStack CLI
- Disconnect the public IP address from the port:
  openstack floating ip unset --port <public_ip_address>
  Specify <public_ip_address>: the ID or the public IP address; can be viewed with the command openstack floating ip list.
Assign a security group to a port
To assign a security group in the device sections of the Control Panel, use the Assign Security Group instructions.

Private subnet, global router subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Private Networks tab.
- Open the Network page → Ports tab.
- In the port card, in the Security Groups field, click .
- In the Security Groups field, check the groups you want to assign to the port, or click New Security Group and create a group.
- Click Save.

OpenStack CLI
- Assign a security group to the port:
  openstack port set \
    --security-group <security_group> \
    <port>
  Specify:
  - <security_group>: the ID or name of the security group; can be viewed with the command openstack security group list;
  - <port>: the port ID or name; can be viewed with the command openstack port list.

Public subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Public Subnets tab.
- Open the subnet card → Ports tab.
- On the port line, in the Security Groups field, click .
- In the Security Groups field, check the groups you want to assign to the port, or click New Security Group and create a group.
- Click Save.

OpenStack CLI
- Assign a security group to the port:
  openstack port set \
    --security-group <security_group> \
    <port>
  Specify:
  - <security_group>: the ID or name of the security group; can be viewed with the command openstack security group list;
  - <port>: the port ID or name; can be viewed with the command openstack port list.
Disconnect the security group from the port
Private subnet, global router subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Private Networks tab.
- Open the Network page → Ports tab.
- In the port card, in the Security Groups field, click .
- In the Security Groups field, uncheck the checkboxes of the groups that you want to disconnect from the port.
- Click Save.

OpenStack CLI
- Disconnect the security group from the port:
  openstack port unset \
    --security-group <security_group> \
    <port>
  Specify:
  - <security_group>: the ID or name of the security group; can be viewed with the command openstack security group list;
  - <port>: the port ID or name; can be viewed with the command openstack port list.

Public subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Public Subnets tab.
- Open the subnet card → Ports tab.
- On the port line, in the Security Groups field, click .
- In the Security Groups field, uncheck the checkboxes of the groups that you want to disconnect from the port.
- Click Save.

OpenStack CLI
- Disconnect the security group from the port:
  openstack port unset \
    --security-group <security_group> \
    <port>
  Specify:
  - <security_group>: the ID or name of the security group; can be viewed with the command openstack security group list;
  - <port>: the port ID or name; can be viewed with the command openstack port list.
Add authorized IP/MAC addresses per port
If port security is enabled on the network, port traffic can only be sent from one IP/MAC address pair, which is assigned when the port is added to the subnet. If traffic is sent through the port from addresses that are not specified on the port, such traffic will be blocked. To allow traffic from addresses that are not listed on the port, you must add the allowed IP/MAC addresses to the port settings.
For example, if you have deployed one of the following yourself on a cloud server:
- VPN server: you must allow all IP addresses (subnet 0.0.0.0/0);
- Kubernetes cluster with CNI Calico in Direct routing mode: you need to allow the subnet that is used in the cluster. No configuration is required for CNI Flannel.
If the additional addresses are not needed, you can remove them from the port.
You do not need to configure authorized addresses in Managed Kubernetes clusters, cloud databases, ready-made 1C cloud, as well as on cloud servers created from images with applications. All necessary settings for them have already been made.
A maximum of 10 additional IP/MAC address pairs can be added per port.
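The filtering rule described above, written out as an added example (it is not part of the original documentation or the provider's code): one function decides whether a source IP/MAC passes a port's address filter, another reviews a port's allowed address pairs. The port records are constructed samples modelled on Neutron port records; the key names, the port names and the vpn_ports allow-list are assumptions.

```python
import ipaddress

MAX_EXTRA_PAIRS = 10  # per-port limit stated on this page

# Constructed sample modelled on Neutron port records. Key names are an
# assumption: adjust them to what your `openstack port show -f json` prints.
def _port(name, mac, ip, pairs, psec=True):
    return {"name": name, "mac_address": mac, "port_security_enabled": psec,
            "fixed_ips": [{"ip_address": ip}], "allowed_address_pairs": pairs}

PORTS = {p["name"]: p for p in [
    _port("vpn-gw", "fa:16:3e:00:00:01", "192.168.0.10", [{"ip_address": "0.0.0.0/0"}]),
    _port("calico-node", "fa:16:3e:00:00:02", "192.168.0.11", [{"ip_address": "10.244.0.0/16"}]),
    _port("web", "fa:16:3e:00:00:03", "192.168.0.12",
          [{"ip_address": "0.0.0.0/0", "mac_address": "fa:16:3e:aa:bb:cc"}]),
]}

def permitted_pairs(port):
    """(network, mac) pairs the port may send from: fixed IPs plus allowed pairs."""
    own_mac = port["mac_address"].lower()
    pairs = [(ipaddress.ip_network(f["ip_address"]), own_mac) for f in port["fixed_ips"]]
    for p in port.get("allowed_address_pairs", []):
        mac = (p.get("mac_address") or own_mac).lower()  # default: the port's own MAC
        pairs.append((ipaddress.ip_network(p["ip_address"], strict=False), mac))
    return pairs

def source_allowed(port, src_ip, src_mac):
    """True if traffic with this source IP/MAC passes the port's address filter."""
    if not port.get("port_security_enabled", True):
        return True  # port security off: source addresses are not filtered
    ip = ipaddress.ip_address(src_ip)
    return any(ip.version == net.version and ip in net and src_mac.lower() == mac
               for net, mac in permitted_pairs(port))

def audit_port(port, vpn_ports=("vpn-gw",)):
    """Findings a reviewer should look at; vpn_ports is a hypothetical allow-list."""
    own_mac, findings = port["mac_address"].lower(), []
    extra = port.get("allowed_address_pairs", [])
    if not port.get("port_security_enabled", True):
        findings.append("port security disabled")
    if len(extra) > MAX_EXTRA_PAIRS:
        findings.append(f"{len(extra)} extra pairs, limit is {MAX_EXTRA_PAIRS}")
    for net, mac in permitted_pairs(port)[len(port["fixed_ips"]):]:
        if net.prefixlen == 0 and port["name"] not in vpn_ports:
            findings.append(f"{net} allowed on a port that is not a known VPN server")
        if mac != own_mac:
            findings.append(f"{net} allowed with non-default MAC {mac}")
    return findings

if __name__ == "__main__":
    for name, port in PORTS.items():
        print(name, audit_port(port) or "ok")
```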
Private subnet, global router subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Private Networks tab.
- Open the Network page → Ports tab.
- In the port card, in the Security Groups field, click .
- If you want to allow all IP addresses, click Allow All IP Addresses for VPN. Traffic from the 0.0.0.0/0 subnet with the default port MAC address will be allowed.
- If you want to allow traffic from specific addresses:
  6.1. Click Add IP/MAC Pair.
  6.2. Enter the IP address or subnet in CIDR format.
  6.3. Optional: Enter a MAC address that matches the IP address, or leave the MAC address of the default port.
  6.4. To add another address pair, repeat steps 6.1 through 6.3.
- Click Save.

OpenStack CLI
- Add allowed addresses:
  openstack port set \
    --allowed-address ip-address=<ip_address>[,mac-address=<mac_address>] \
    <port>
  Specify:
  - <ip_address>: the IP address or subnet. If you want to allow all IP addresses, enter the subnet 0.0.0.0/0;
  - optional: ,mac-address=<mac_address> is the MAC address corresponding to the IP address, where <mac_address> is the MAC address value. If you do not specify a MAC address, the port's primary MAC address will be used;
  - <port>: the port ID; can be viewed with the command openstack port list.

Public subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Public Subnets tab.
- Open the subnet card → Ports tab.
- On the port line, in the Security Groups field, click .
- If you want to allow all IP addresses, click Allow All IP Addresses for VPN. Traffic from the 0.0.0.0/0 subnet with the default port MAC address will be allowed.
- If you want to allow traffic from specific addresses:
  6.1. Click Add IP/MAC Pair.
  6.2. Enter the IP address or subnet in CIDR format.
  6.3. Optional: Enter a MAC address that matches the IP address, or leave the MAC address of the default port.
  6.4. To add another address pair, repeat steps 6.1 through 6.3.
- Click Save.

OpenStack CLI
- Add allowed addresses:
  openstack port set \
    --allowed-address ip-address=<ip_address>[,mac-address=<mac_address>] \
    <port>
  Specify:
  - <ip_address>: the IP address or subnet. If you want to allow all IP addresses, enter the subnet 0.0.0.0/0;
  - optional: ,mac-address=<mac_address> is the MAC address corresponding to the IP address, where <mac_address> is the MAC address value. If you do not specify a MAC address, the default port MAC address will be used;
  - <port>: the port ID; can be viewed with the command openstack port list.
Remove authorized IP/MAC addresses from the port
Private subnet, global router subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Private Networks tab.
- Open the Network page → Ports tab.
- In the port card, in the Security Groups field, click .
- In the address pair row, click .
- Click Save.

OpenStack CLI
- Remove the allowed addresses from the port. The IP/MAC address pair that was assigned when the port was created will remain allowed:
  openstack port set \
    --no-allowed-address \
    <port>

Public subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Public Subnets tab.
- Open the subnet card → Ports tab.
- On the port line, in the Security Groups field, click .
- In the address pair row, click .
- Click Save.

OpenStack CLI
- Remove the allowed addresses from the port. The IP/MAC address pair that was assigned when the port was created will remain allowed:
  openstack port set \
    --no-allowed-address \
    <port>
Enable port
Private subnet, global router subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Private Networks tab.
- Open the Network page → Ports tab.
- In the port card, enable the port.

OpenStack CLI
- Look at the list of ports in the subnet and copy the ID or name of the desired port:
  openstack port list --fixed-ip subnet=<subnet>
  Specify <subnet>: the ID or name of the subnet; can be viewed with the command openstack subnet list.
- Turn on the port:
  openstack port set --enable <port>
  Specify <port>: the port ID or name you copied in step 2.

Public subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Public Networks tab.
- Open the subnet card → Ports tab.
- In the port line, enable the port.

OpenStack CLI
- Look at the list of ports in the subnet and copy the ID or name of the desired port:
  openstack port list --fixed-ip subnet=<subnet>
  Specify <subnet>: the ID or name of the subnet; can be viewed with the command openstack subnet list.
- Turn on the port:
  openstack port set --enable <port>
  Specify <port>: the port ID or name you copied in step 2.
Disable the port
Private subnet, global router subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Private Networks tab.
- Open the Network page → Ports tab.
- In the port card, disable the port.

OpenStack CLI
- Look at the list of ports in the subnet and copy the ID or name of the desired port:
  openstack port list --fixed-ip subnet=<subnet>
  Specify <subnet>: the ID or name of the subnet; can be viewed with the command openstack subnet list.
- Disable the port:
  openstack port set --disable <port>
  Specify <port>: the port ID or name you copied in step 2.

Public subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Public Networks tab.
- Open the subnet card → Ports tab.
- In the port row, disable the port.

OpenStack CLI
- Look at the list of ports in the subnet and copy the ID or name of the desired port:
  openstack port list --fixed-ip subnet=<subnet>
  Specify <subnet>: the ID or name of the subnet; can be viewed with the command openstack subnet list.
- Disable the port:
  openstack port set --disable <port>
  Specify <port>: the port ID or name you copied in step 2.
Delete port
Private subnet, global router subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Private Networks tab.
- Open the Network page → Ports tab.
- In the port card, click .
  If the button is inactive, a device that prohibits removal is connected to the port. Remove this device and return to step 1.
  Use the instructions to remove the device:
- Click Delete.

OpenStack CLI
- Look at the list of ports in the subnet and copy the ID or name of the desired port:
  openstack port list --fixed-ip subnet=<subnet>
  Specify <subnet>: the ID or name of the subnet; can be viewed with the command openstack subnet list.
- Delete the port:
  openstack port delete <port>
  Specify <port>: the port ID or name you copied in step 2.

Public subnet

Control panel
- In the Control panel, on the top menu, click Products and select Cloud Servers.
- Go to Network → Public Networks tab.
- Open the subnet card → Ports tab.
- On the port line, click .
- Click Delete.

OpenStack CLI
- Look at the list of ports in the subnet and copy the ID or name of the desired port:
  openstack port list --fixed-ip subnet=<subnet>
  Specify <subnet>: the ID or name of the subnet; can be viewed with the command openstack subnet list.
- Delete the port:
  openstack port delete <port>
  Specify <port>: the port ID or name you copied in step 2.