Example of configuring a security group for servers in a private network behind a load balancer
We do not recommend configuring security groups on existing networks, as this can cause load balancer failures and disrupt cloud database replication. To avoid failures and data loss, create a new private network or public subnet, enable traffic filtering (port security) in it, and configure the groups there.
Purpose of the configuration
Configure a security group so that the servers in the load balancer's target group accept traffic from the balancer.
What is configured
In the example, a cloud load balancer and two cloud servers in one pool are used. The balancer and the servers are located in the private subnet 172.16.0.0/28, in which traffic filtering (port security) is enabled. The servers receive TCP traffic from the balancer on port 80, and health checks of the PING type are configured.
Configuration result
A security group is created and assigned to the servers that allows incoming traffic and health checks from the balancer.
All outgoing traffic from the servers is allowed.
Configuration steps
Control panel
OpenStack CLI
Terraform
1. In the control panel, from the top menu, click Products and select Cloud servers.
2. Go to the Security groups section.
3. Click Create a security group.
4. Select the pool where the target group's servers are located.
5. Create a rule in the group that allows incoming traffic from the balancer:
5.1. Click Add an incoming traffic rule.
5.2. Select the protocol: TCP.
5.3. Select the traffic source (Source): CIDR, and enter the balancer's subnet, in the example 172.16.0.0/28. The balancer can be recreated with a different IP address within the subnet, so you must specify the entire subnet as the traffic source.
5.4. Enter the port (Dst. port) on which traffic is allowed to be received, in the example 80.
5.5. Optional: enter a comment for the rule.
5.6. Click Add.
6. Create a rule in the group that allows health checks from the balancer:
6.1. Click Add an incoming traffic rule.
6.2. Select the protocol: ICMP.
6.3. Select the traffic source (Source): CIDR, and enter the balancer's subnet, in the example 172.16.0.0/28. The balancer can be recreated with a different IP address within the subnet, so you must specify the entire subnet as the traffic source.
6.4. Optional: enter a comment for the rule.
6.5. Click Add.
7. In the Ports block, select the ports of the target group's servers to which the security group will be assigned. After the group is created, all active sessions on the selected ports that do not match the group rules will be terminated.
8. Enter a name for the group or keep the automatically generated name.
9. Optional: enter a comment for the group.
10. Click Create a security group.
- Create a security group for the cloud servers behind the balancer:

openstack security group create \
  --description "<description>" \
  <security_group_name>

Specify:
<description>: group description, e.g. load balancer target group tcp-80;
<security_group_name>: group name, e.g. target-group-tcp-80.

The group is created with two rules that allow all outbound traffic.

- Create a rule in the group that allows incoming traffic from the balancer. The balancer can be recreated with a different IP address within the subnet, so you must specify the entire subnet as the traffic source:

openstack security group rule create \
  --protocol <protocol> --dst-port <port> \
  --remote-ip <ip_address> \
  <security_group>

Specify:
<protocol>: the target group protocol, in the example tcp;
<port>: the port on the target server on which traffic is allowed to be received, in the example 80;
<ip_address>: the IP address or subnet from which traffic is allowed to be received, in the example 172.16.0.0/28;
<security_group>: the ID or name of the security group you created in step 2; you can view it with the command openstack security group list.

- Create a rule in the group that allows health checks from the balancer:

openstack security group rule create \
  --protocol <protocol> \
  --remote-ip <ip_address> \
  <security_group>

Specify:
<protocol>: the health check protocol, in the example icmp;
<ip_address>: the IP address or subnet from which traffic is allowed to be received, in the example 172.16.0.0/28;
<security_group>: the ID or name of the security group you created in step 2; you can view it with the command openstack security group list.

- Assign the created security group to a port on each server in the target group to which the balancer sends traffic:

openstack port set \
  --security-group <security_group> \
  --enable-port-security \
  <port>

Specify:
<security_group>: the ID or name of the security group you created in step 2; you can view it with the command openstack security group list;
<port>: the ID or name of the server's port in the private subnet, in the example the subnet 172.16.0.0/28; you can view it with the command openstack port list.

- Optional: check the list of rules in the group:

openstack security group rule list <security_group>

Specify:
<security_group>: the ID or name of the security group you created in step 2; you can view it with the command openstack security group list.
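The last CLI step only lists the rules; it does not tell you whether the group actually matches the intended policy from both the control panel and CLI procedures above (inbound only from the balancer's subnet, only TCP/80 and ICMP, egress open). The following script is an added example, not part of this page or the provider's tooling. It audits rule data in the shape produced by openstack security group rule list -f json (the column names used are an assumption about the client's JSON output) and flags the mistakes that break or over-expose the target group: a source pinned to a single balancer address (which stops working when the balancer is recreated), a source wider than the balancer's subnet, an unexpected service, and a missing rule. The sample rule sets are constructed inline.

```python
"""Audit an OpenStack security group against the intended policy for servers
behind a load balancer. Added example; column names assumed from
`openstack security group rule list -f json`."""
import ipaddress
import json
import sys

# Intended policy: inbound only from the balancer's subnet, and only TCP/80
# plus ICMP (PING health checks). Egress is left unrestricted by design.
BALANCER_SUBNET = ipaddress.ip_network("172.16.0.0/28")
REQUIRED_INGRESS = {("tcp", "80:80"), ("icmp", "")}

# Constructed sample: what the page's procedure should produce.
GOOD_RULES_JSON = json.dumps([
    {"ID": "r1", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "172.16.0.0/28",
     "Port Range": "80:80", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "r2", "IP Protocol": "icmp", "Ethertype": "IPv4", "IP Range": "172.16.0.0/28",
     "Port Range": "", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "r3", "IP Protocol": None, "Ethertype": "IPv4", "IP Range": None,
     "Port Range": "", "Direction": "egress", "Remote Security Group": None},
    {"ID": "r4", "IP Protocol": None, "Ethertype": "IPv6", "IP Range": None,
     "Port Range": "", "Direction": "egress", "Remote Security Group": None},
])

# Constructed sample with three common mistakes.
BAD_RULES_JSON = json.dumps([
    # Pinned to the balancer's current address: breaks when it is recreated.
    {"ID": "b1", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "172.16.0.5/32",
     "Port Range": "80:80", "Direction": "ingress", "Remote Security Group": None},
    # ICMP from everywhere: wider than the balancer's subnet.
    {"ID": "b2", "IP Protocol": "icmp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": "", "Direction": "ingress", "Remote Security Group": None},
    # A service the balancer never needs.
    {"ID": "b3", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "172.16.0.0/28",
     "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "b4", "IP Protocol": None, "Ethertype": "IPv4", "IP Range": None,
     "Port Range": "", "Direction": "egress", "Remote Security Group": None},
])


def audit_rules(rules_json, balancer_subnet=BALANCER_SUBNET):
    """Return a list of (rule_id, finding) pairs; empty means compliant."""
    findings = []
    present = set()
    for rule in json.loads(rules_json):
        if rule["Direction"] != "ingress":
            continue  # all egress is allowed by design
        rid = rule["ID"]
        proto = (rule["IP Protocol"] or "any").lower()
        ports = rule["Port Range"] or ""
        if rule.get("Remote Security Group"):
            findings.append((rid, "source is a security group, not the balancer subnet"))
            continue
        if rule["IP Range"] is None:  # no remote prefix means any source
            findings.append((rid, "source is unrestricted"))
            continue
        src = ipaddress.ip_network(rule["IP Range"], strict=False)
        same_family = src.version == balancer_subnet.version
        if src == balancer_subnet:
            pass
        elif same_family and src.subnet_of(balancer_subnet):
            findings.append((rid, "source narrower than the balancer subnet; "
                                  "balancer may be recreated with another address"))
        elif same_family and balancer_subnet.subnet_of(src):
            findings.append((rid, "source wider than the balancer subnet"))
        else:
            findings.append((rid, "source unrelated to the balancer subnet"))
        if (proto, ports) in REQUIRED_INGRESS:
            present.add((proto, ports))
        else:
            findings.append((rid, f"unexpected ingress {proto} {ports or 'all ports'}"))
    # Anything the policy requires but the group lacks.
    for proto, ports in sorted(REQUIRED_INGRESS - present):
        findings.append(("missing", f"no ingress rule for {proto} {ports or 'all ports'}"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        # Pipe real data: openstack security group rule list <group> -f json | python audit.py -
        print(audit_rules(sys.stdin.read()) or "compliant")
    else:
        for label, data in (("good", GOOD_RULES_JSON), ("bad", BAD_RULES_JSON)):
            print(label, audit_rules(data) or "compliant")
```

Run it with - to read the real listing from the CLI on stdin, or without arguments to see the two constructed samples audited. The check treats the subnet itself as the only acceptable source because that is exactly what the procedure above requires: a narrower prefix silently fails on the next balancer recreation, and a wider one admits hosts the balancer never needs.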
Follow the instructions in Create a security group and assign it to a server port in the Terraform documentation.