Configure the allowed IP/MAC addresses on the port
A port with a security group can only send traffic from the single IP/MAC address pair that is assigned when the port is added to a subnet. Traffic sent through the port from any address not specified on the port is blocked. To allow traffic from other addresses, add them to the port settings as allowed IP/MAC addresses.
For example, if you have deployed the following yourself on a cloud server:
- VPN server — you need to allow all IP addresses (subnet 0.0.0.0/0);
- Kubernetes cluster with CNI Calico in Direct routing mode — you need to allow the subnet that is used in the cluster. No configuration is required for CNI Flannel.
If additional addresses are no longer needed, you can remove them from the port.
Configuring allowed addresses is not required in Managed Kubernetes clusters, cloud databases, cloud-ready 1C, or on cloud servers created from images from the annexes. All the necessary settings for them have already been made.
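
Every allowed pair widens what a port may send, so the pairs are worth reviewing periodically. The following is an added example, not part of the original documentation: it audits port records for pairs that allow all addresses, broad IPv4 subnets, MAC addresses other than the port's own, and malformed entries. The sample ports are constructed, the field names follow the Neutron port resource, and min_prefix is an assumed review threshold.

```python
import ipaddress

# Constructed sample data. Field names follow the Neutron port resource
# (id, mac_address, allowed_address_pairs[].ip_address / .mac_address).
SAMPLE_PORTS = [
    {"id": "port-vpn", "mac_address": "fa:16:3e:00:00:01",
     "allowed_address_pairs": [
         {"ip_address": "0.0.0.0/0", "mac_address": "fa:16:3e:00:00:01"}]},
    {"id": "port-calico", "mac_address": "fa:16:3e:00:00:02",
     "allowed_address_pairs": [
         {"ip_address": "10.244.0.0/16", "mac_address": "fa:16:3e:00:00:02"}]},
    {"id": "port-vip", "mac_address": "fa:16:3e:00:00:03",
     "allowed_address_pairs": [
         {"ip_address": "192.168.0.100", "mac_address": "00:00:5e:00:01:0a"}]},
    {"id": "port-typo", "mac_address": "fa:16:3e:00:00:04",
     "allowed_address_pairs": [{"ip_address": "10.0.0.300"}]},
    {"id": "port-plain", "mac_address": "fa:16:3e:00:00:05",
     "allowed_address_pairs": []},
]


def audit_port(port, min_prefix=16):
    """Return (finding, ip) tuples for one port; min_prefix is an assumed IPv4 threshold."""
    findings = []
    port_mac = port["mac_address"].lower()
    for pair in port.get("allowed_address_pairs") or []:
        ip = pair["ip_address"]
        try:
            net = ipaddress.ip_network(ip, strict=False)
        except ValueError:
            findings.append(("invalid", ip))
            continue
        if net.prefixlen == 0:
            # IP source filtering is effectively off for this port.
            findings.append(("all-addresses", ip))
        elif net.version == 4 and net.prefixlen < min_prefix:
            findings.append(("broad-subnet", ip))
        # A pair without a MAC address uses the port's own MAC.
        if (pair.get("mac_address") or port_mac).lower() != port_mac:
            findings.append(("foreign-mac", ip))
    return findings


def audit(ports, min_prefix=16):
    """Map port id -> findings, omitting ports with nothing to review."""
    report = {p["id"]: audit_port(p, min_prefix) for p in ports}
    return {pid: found for pid, found in report.items() if found}


if __name__ == "__main__":
    for pid, found in audit(SAMPLE_PORTS).items():
        print(pid, found)
```

A foreign-mac finding is not necessarily a misconfiguration (a shared virtual address can legitimately carry its own MAC); it marks a pair that someone should be able to explain.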
Add Allowed IP/MAC Addresses
A maximum of 10 additional IP/MAC address pairs can be added per port.
Add Allowed Addresses per Port on a Private Subnet
Control panel
1. In the control panel, on the top menu, click Products and select Cloud servers.
2. Go to the Network section → Private networks tab.
3. Open the network page → Ports tab.
4. In the port card, in the security groups field, click .
5. If you want to allow all IP addresses, click Allow all IP addresses for VPN. Traffic from the subnet 0.0.0.0/0 with the default MAC address of the port will be allowed.
6. If you want to allow traffic from specific addresses:
6.1 Click Add an IP/MAC pair.
6.2 Enter the IP address or subnet in CIDR format.
6.3 Optional: enter a MAC address that matches the IP address, or leave the default MAC address of the port.
6.4 To add another address pair, repeat steps 6.1 through 6.3.
7. Click Save.
OpenStack CLI
1. Add allowed addresses:
openstack port set \
  --allowed-address ip-address=<ip_address>[,mac-address=<mac_address>] \
  <port>
Specify:
- <ip_address> — IP address or subnet. If you want to allow all IP addresses, enter the subnet 0.0.0.0/0;
- optional: ,mac-address=<mac_address> — MAC address corresponding to the IP address. The <mac_address> parameter is the MAC address value. If you do not specify a MAC address, the port's primary MAC address will be used;
- <port> — port ID, can be viewed with the command openstack port list.
Add Allowed Addresses per Port on a Public Subnet
Control panel
1. In the control panel, on the top menu, click Products and select Cloud servers.
2. Go to the Network section → Public subnets tab.
3. Open the subnet card → Ports tab.
4. On the port line, in the Security groups field, click .
5. If you want to allow all IP and MAC addresses, click Allow all IP addresses for VPN. Traffic from the subnet 0.0.0.0/0 with the default MAC address of the port will be allowed.
6. If you want to allow traffic from specific addresses:
6.1 Click Add an IP/MAC pair.
6.2 Enter the IP address or subnet in CIDR format.
6.3 Optional: enter a MAC address that matches the IP address, or leave the default MAC address of the port.
6.4 To add another address pair, repeat steps 6.1 through 6.3.
7. Click Save.
OpenStack CLI
1. Add allowed addresses:
openstack port set \
  --allowed-address ip-address=<ip_address>[,mac-address=<mac_address>] \
  <port>
Specify:
- <ip_address> — IP address or subnet. If you want to allow all IP addresses, enter the subnet 0.0.0.0/0;
- optional: ,mac-address=<mac_address> — MAC address corresponding to the IP address. The <mac_address> parameter is the MAC address value. If you do not specify a MAC address, the default MAC address of the port will be used;
- <port> — port ID, can be viewed with the command openstack port list.
Delete Allowed IP/MAC Addresses
Remove allowed addresses from a port on a private subnet
Control panel
1. In the control panel, on the top menu, click Products and select Cloud servers.
2. Go to the Network section → Private networks tab.
3. Open the network page → Ports tab.
4. In the port card, in the security groups field, click .
5. On the address pair line, click .
6. Click Save.
OpenStack CLI
1. If you want to remove one IP/MAC address pair:
openstack port unset \
  --allowed-address ip-address=<ip_address>[,mac-address=<mac_address>] \
  <port>
Specify:
- <ip_address> — the IP address to be deleted;
- ,mac-address=<mac_address> — specify if the MAC address is to be removed with the IP address. The <mac_address> parameter is the MAC address value;
- <port> — port ID, can be viewed with the command openstack port list.
2. If you want to remove all allowed addresses from a port:
openstack port set \
  --no-allowed-address \
  <port>
Remove allowed addresses from a port on a public subnet
Control panel
1. In the control panel, on the top menu, click Products and select Cloud servers.
2. Go to the Network section → Public subnets tab.
3. Open the subnet card → Ports tab.
4. On the port line, in the Security groups field, click .
5. On the address pair line, click .
6. Click Save.
OpenStack CLI
1. If you want to remove one IP/MAC address pair:
openstack port unset \
  --allowed-address ip-address=<ip_address>[,mac-address=<mac_address>] \
  <port>
Specify:
- <ip_address> — the IP address to be deleted;
- ,mac-address=<mac_address> — specify if the MAC address is to be removed with the IP address. The <mac_address> parameter is the MAC address value;
- <port> — port ID, can be viewed with the command openstack port list.
2. If you want to remove all allowed addresses from a port:
openstack port set \
  --no-allowed-address \
  <port>