Example of configuring a security group for servers in a private network behind a load balancer

Last update: May 29 2025

Example of configuring a security group for servers in a private network behind a load balancer

carefully

We do not recommend configuring security groups on existing networks where a load balancer or cloud database cluster is running, as this can cause the load balancer to fail and disrupt replication in the cluster. To avoid failures and data loss, to configure groups , create a new private network or public subnet and enable traffic filtering in it.:::

Purpose of customization⁠

Configure the security group to accept traffic from the load balancer on the target group servers.

What you need to customize⁠

In the example, we used a cloud balancer and two cloud servers in the same pool for configuration.

The balancer and servers are located in a private subnet 172.16.0.0.0/28, traffic filtering (port security) is enabled in the network . Servers receive TCP traffic from the balancer on port 80, availability checks with PING type are configured.

Customization result⁠

Created and assigned to servers a security group that allows incoming traffic and availability checks to be accepted from the balancer.

All outgoing traffic from the servers is allowed.

Customization steps⁠

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.

2. Go to the Security Groups section.

3. Click Create a security group.

4. Select the pool where the target group's servers reside.

5. Create a rule in the group that will allow incoming traffic from the balancer.

   5.1 Click Add Inbound Rule.

   5.2 Select the protocol — TCP.

   5.3 Select the traffic source (Source) — CIDR and enter the IP address of the balancer subnet, in the example — 172.16.0.0/28. The balancer can be recreated with a different IP address within a subnet, so you must specify the entire subnet as the traffic source.

   5.4 Enter the port (Dst. port) on which traffic is allowed to be received, in the example, 80.

   5.5 Optional: enter a comment for the rule.

   5.6. Click Add.

6. Create a rule in the group that will allow availability checks from the balancer:

   6.1 Click Add Inbound Rule.

   6.2 Select the protocol — ICMP.

   6.3 Select the traffic source (Source) — CIDR and enter the IP address of the balancer subnet, in the example — 172.16.0.0/28. The balancer can be recreated with a different IP address within a subnet, so you must specify the entire subnet as the traffic source.

   6.4 Optional: enter a comment for the rule.

   6.6 Click Add.

7. In the Ports block, select the ports on the target group's servers to which the security group will be assigned. After the group is created, all active sessions that do not comply with the group rules will be terminated on the selected ports.

8. Enter a name for the group or leave the name created automatically.

9. Optional: enter a comment for the group.

10. Click Create a security group.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a security group for cloud servers behind the balancer:

   openstack security group create \
       --description "<description>" \
       <security_group_name>

   Specify:

   • <description> — group description, e.g. load balancer target group tcp-80;
   • <security_group_name> — group name, for example target-group-tcp-80.

   A group will be created with two rules that allow all outgoing traffic.

3. Create a rule in the group that will allow incoming traffic from the balancer. The balancer can be recreated with a different IP address within a subnet, so you must specify the entire subnet as the traffic source:

   openstack security group rule create \
       --protocol <protocol> --dst-port <port> \
       --remote-ip <ip_address> \
       <security_group>

   Specify:

   • <protocol> — protocol of the target group, in the example — tcp;
   • <port> — port on the target server to which traffic is allowed to be received, in the example — 80;
   • <ip_address> — The IP address or subnet from which traffic is allowed to be received, in the example — 172.16.0.0/28;
   • <security_group> — The ID or name of the security group you created in step 2 can be viewed with the command openstack security group list.

4. Create a rule in the group that will allow availability checks from the balancer:

   openstack security group rule create \
       --protocol <protocol> \
       --remote-ip <ip_address> \
       <security_group>

   Specify:

   • <protocol> — protocol for accessibility checks, in the example — icmp;
   • <ip_address> — The IP address or subnet from which traffic is allowed to be received, in the example — 172.16.0.0/28;
   • <security_group> — The ID or name of the security group you created in step 2 can be viewed with the command openstack security group list.

5. Assign the created security group to a port on each of the servers in the target group to which traffic from the balancer is sent:

   openstack port set \
       --security-group <security_group> \
       <port>

   Specify:

   • <security_group> — The ID or name of the security group you created in step 2 can be viewed with the command openstack security group list;
   • <port> — ID or port name of the server from a private subnet, in the example, from the following subnet 172.16.0.0/28, you can view it with the command openstack port list.

6. Optional: check the list of rules in the group:

   openstack security group rule list <security_group>

   Specify <security_group> — The ID or name of the security group you created in step 2 can be viewed using the openstack security group list command.

Terraform

Use the instructions Create a security group and assign it to a server port in the Terraform documentation.