Skip to main content
Example of configuring a security group for servers in a private network behind a load balancer
Last update:

Example of configuring a security group for servers in a private network behind a load balancer

Purpose of customization

Configure a security group to accept traffic from load balancer on the servers target group.

The balancer and the task force servers are located in the private subnet 172.16.0.0/28. Servers receive TCP traffic from the balancer on port 80, configured accessibility checks with the PING type.

You need to create a security group that allows servers to accept incoming traffic and availability checks from the balancer, then assign it to the servers. All outgoing traffic is allowed.

Customization steps

  1. Open the OpenStack CLI.

  2. Create a security group for cloud servers behind the balancer:

    openstack security group create \
      --description "<description>" \
      <security_group_name>

    Specify:

    • <description> — group description, e.g. load balancer target group tcp-80;
    • <security_group_name> — group name, e.g. target-group-tcp-80.

    A group will be created with two rules that allow all outbound traffic.

  3. Create a rule in the group that will allow incoming traffic from the balancer. The balancer can be recreated with a different IP address within a subnet, so you must specify the entire subnet as the traffic source:

    openstack security group rule create \
      --protocol <protocol> --dst-port <port> \
      --remote-ip <ip_address> \
      <security_group>

    Specify:

    • <protocol> — the target group protocol, in the example — tcp;
    • <port> — the port on the target server to which traffic is allowed to be received, in the example — 80;
    • <ip_address> — The IP address or subnet from which traffic is allowed to be received, in the example — 172.16.0.0/28;
    • <security_group> — The ID or name of the security group you created in step 2 can be viewed using the command openstack security group list.

  4. Create a rule in the group that will allow availability checks from the balancer:

    openstack security group rule create \
      --protocol <protocol> \
      --remote-ip <ip_address> \
      <security_group>

    Specify:

    • <protocol> — availability check protocol, in the example — icmp;
    • <ip_address> — The IP address or subnet from which traffic is allowed to be received, in the example — 172.16.0.0/28;
    • <security_group> — The ID or name of the security group you created in step 2 can be viewed using the command openstack security group list.

  5. Assign the created security group to a port on each of the servers in the target group to which traffic from the balancer is sent:

    openstack port set \
      --security-group <security_group> \
      --enable-port-security \
      <port>

    Specify:

    • <security_group> — The ID or name of the security group you created in step 2 can be viewed using the command openstack security group list;
    • <port> — The ID or port name of a server from a private subnet, in the example, from a subnet 172.16.0.0/28can be viewed with the command openstack port list.

  6. Optional: check the list of rules in the group:

    openstack security group rule list <security_group>

    Specify <security_group> — The ID or name of the security group you created in step 2 can be viewed using the command openstack security group list.