Example of configuring security groups for cloud servers on the same subnet

Purpose of the configuration

Configure security groups for two cloud servers to restrict access between the servers and access to them from the Internet.

A web server is deployed on one of the servers; it is connected to the Internet via a public IP address. The other server hosts a MySQL database that accepts connections from the web server on the standard port 3306. The servers are located in the same pool and are attached to the same private subnet.

You need to create security groups and assign them to the servers' ports:

  • for the web server: a group that allows incoming HTTP and HTTPS traffic from the Internet;
  • for the database server: a group that allows incoming traffic only from the web server's group, and only to the standard database port.

All outgoing traffic is allowed. Security groups are stateful by default, so replies to allowed connections (for example, the database's responses to the web server) are passed automatically and need no separate rule.

Configuration steps

  1. Open the OpenStack CLI.

  2. Create a security group for the web server:

    openstack security group create \
    --description "<description_1>" \
    <security_group_name_1>

    Specify:

    • <description_1>: a description of the security group, e.g. Allow internet traffic for web server;
    • <security_group_name_1>: the name of the security group, e.g. web.

    The group is created with two default egress rules (one for IPv4, one for IPv6) that allow all outgoing traffic. It has no ingress rules, so until you add some in the next steps the group allows no incoming connections at all.

  3. Create a rule that allows incoming HTTP traffic to the web server:

    openstack security group rule create \
    --protocol tcp --dst-port 80 \
    --remote-ip 0.0.0.0/0 \
    <security_group_1>

    Specify <security_group_1>: the ID or name of the security group you created for the web server in step 2. You can look it up with the command openstack security group list.

    The rule is an ingress rule for IPv4, which are the defaults when --ingress and --ethertype are not given. 0.0.0.0/0 matches IPv4 sources only: if the web server also has a public IPv6 address, add the same rule with --ethertype IPv6 and --remote-ip ::/0, otherwise IPv6 clients cannot connect.

  4. Create a rule that allows HTTPS traffic to the web server:

    openstack security group rule create \
    --protocol tcp --dst-port 443 \
    --remote-ip 0.0.0.0/0 \
    <security_group_1>

    Specify <security_group_1>: the ID or name of the security group you created for the web server in step 2 (see openstack security group list). As in step 3, this rule covers IPv4 sources only.

  5. Create a security group for the server with the database:

    openstack security group create \
    --description "<description_2>" \
    <security_group_name_2>

    Specify:

    • <description_2>: a description of the security group, e.g. Allow traffic from web server group;
    • <security_group_name_2>: the name of the security group, e.g. database.

    As in step 2, the group is created with two default egress rules that allow all outbound traffic, and with no ingress rules.

  6. Create a rule that allows incoming traffic from the web server group:

    openstack security group rule create \
    --protocol <protocol> --dst-port <port> \
    --remote-group <security_group_1> \
    <security_group_2>

    Specify:

    • <protocol>: the protocol, tcp in this example;
    • <port>: the port on the database server that may receive traffic, 3306 in this example;
    • <security_group_1>: the ID or name of the web server's security group from step 2 (see openstack security group list);
    • <security_group_2>: the ID or name of the database server's security group from step 5.

    With --remote-group the source is not a fixed address but any port that has the web server's group attached. If you later replace the web server or scale it out to several instances, they only need the same group; the database rule does not change.
  7. Assign the security group you created in step 2 to the web server's port:

    openstack port set \
    --security-group <security_group> \
    --enable-port-security \
    <port_1>

    Specify:

    • <security_group>: the ID or name of the security group you created in step 2 (see openstack security group list);
    • <port_1>: the ID or name of the web server's port in the private subnet (see openstack port list).

    --security-group adds the group to the port's existing list; it does not replace the groups already attached. If the port still carries the default group, which allows all traffic between members of that group, add --no-security-group to the same command so that the new group becomes the port's only group. --enable-port-security ensures that security groups are enforced on the port at all: on a port with port security disabled, no group has any effect.
  8. Assign the security group you created in step 5 to the database server's port:

    openstack port set \
    --security-group <security_group> \
    --enable-port-security \
    <port_2>

    Specify:

    • <security_group>: the ID or name of the security group you created in step 5 (see openstack security group list);
    • <port_2>: the ID or name of the database server's port in the private subnet (see openstack port list).

    As in step 7, --security-group appends to the groups already attached to the port; add --no-security-group to the command if the database group should be the port's only group.
  9. Optional: check the groups that have been created:

    openstack security group list
  10. Optional: check the list of rules in the group:

    openstack security group rule list <security_group>

    Specify <security_group>: the ID or name of the group whose rules you want to view (see openstack security group list).

    For the database group, the only ingress rule should be the tcp/3306 rule whose Remote Security Group column is the web server's group. Any ingress rule whose IP Range column is 0.0.0.0/0 or ::/0 would expose the database to the Internet and should be deleted with openstack security group rule delete.
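The whole procedure above as one script, with the checks a practitioner would add. This is an added example; it is not code from the original page or from the OpenStack project. It goes beyond the steps above in three places: it adds the IPv6 counterpart of each Internet-facing rule, it replaces the groups already on a port instead of appending to them, and it audits the database group's rules (read from openstack security group rule list -f csv) and fails if any ingress rule is open to 0.0.0.0/0 or ::/0. The group names (web, database), the two Neutron port IDs taken from the environment, the CSV column names Direction and IP Range, and all function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or the OpenStack project.
# Creates the two security groups, their rules and the port assignments
# described above, then audits the database group. Group names, port IDs
# and the CSV column names used by audit_ingress are assumptions.
set -eu

WEB_SG="${WEB_SG:-web}"          # assumed group names, as in the page's examples
DB_SG="${DB_SG:-database}"
DB_PORT="${DB_PORT:-3306}"
WEB_PORT_ID="${WEB_PORT_ID:-}"   # Neutron port IDs, from: openstack port list
DB_PORT_ID="${DB_PORT_ID:-}"
DRY_RUN="${DRY_RUN:-0}"          # DRY_RUN=1 prints each command instead of running it

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ensure_sg NAME DESCRIPTION: create the group unless it already exists,
# so the script can be rerun without creating duplicate groups.
ensure_sg() {
  local name="$1" desc="$2"
  if [ "$DRY_RUN" != "1" ] && openstack security group show "$name" >/dev/null 2>&1; then
    echo "security group $name already exists, reusing it" >&2
    return 0
  fi
  run openstack security group create --description "$desc" "$name"
}

# allow_from_internet SG PORT: ingress TCP to PORT from any source.
# 0.0.0.0/0 matches IPv4 only, so a second rule with ::/0 covers IPv6 clients.
allow_from_internet() {
  run openstack security group rule create --ingress --ethertype IPv4 \
      --protocol tcp --dst-port "$2" --remote-ip 0.0.0.0/0 "$1"
  run openstack security group rule create --ingress --ethertype IPv6 \
      --protocol tcp --dst-port "$2" --remote-ip ::/0 "$1"
}

# allow_from_group SG PORT SRC_SG: ingress TCP to PORT only from ports carrying SRC_SG.
allow_from_group() {
  run openstack security group rule create --ingress \
      --protocol tcp --dst-port "$2" --remote-group "$3" "$1"
}

# attach_only PORT_ID SG: make SG the port's only group. "port set --security-group"
# appends to the groups already on the port, so without --no-security-group the
# "default" group (which allows traffic between all its members) would stay attached.
attach_only() {
  run openstack port set --no-security-group --security-group "$2" \
      --enable-port-security "$1"
}

# audit_ingress SG: read the output of
#   openstack security group rule list SG -f csv -c Direction -c "IP Range"
# on stdin and fail if any ingress rule is open to the whole Internet.
audit_ingress() {
  local bad
  bad=$(awk -F',' 'NR > 1 {
      gsub(/"/, "", $1); gsub(/"/, "", $2)
      if ($1 == "ingress" && ($2 == "0.0.0.0/0" || $2 == "::/0")) n++
    } END { print n + 0 }')
  if [ "$bad" -gt 0 ]; then
    echo "audit: $1 has $bad ingress rule(s) open to the Internet" >&2
    return 1
  fi
  echo "audit: $1 has no Internet-wide ingress rule"
}

main() {
  if [ -z "$WEB_PORT_ID" ] || [ -z "$DB_PORT_ID" ]; then
    echo "set WEB_PORT_ID and DB_PORT_ID (see: openstack port list)" >&2
    exit 2
  fi
  ensure_sg "$WEB_SG" "Allow internet traffic for web server"
  allow_from_internet "$WEB_SG" 80
  allow_from_internet "$WEB_SG" 443
  ensure_sg "$DB_SG" "Allow traffic from web server group"
  allow_from_group "$DB_SG" "$DB_PORT" "$WEB_SG"
  attach_only "$WEB_PORT_ID" "$WEB_SG"
  attach_only "$DB_PORT_ID" "$DB_SG"
  if [ "$DRY_RUN" != "1" ]; then
    openstack security group rule list "$DB_SG" -f csv -c Direction -c "IP Range" | audit_ingress "$DB_SG"
  fi
}

# Run only as "./sg-setup.sh apply"; without the argument the file just defines the functions.
if [ "${1:-}" = "apply" ]; then main; fi
```

Review the plan first with DRY_RUN=1 WEB_PORT_ID=... DB_PORT_ID=... ./sg-setup.sh apply, then run the same command without DRY_RUN. Because the file only defines functions when invoked without apply, audit_ingress can also be run on its own against saved rule-list output, for example as a periodic check that nobody has since opened the database group to the Internet.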