Example of configuring security groups for cloud servers on the same subnet

carefully

We do not recommend using security groups on existing networks, as this can cause load balancer failures and disrupt cloud database replication. To avoid failures and data loss, create a new private network or public subnet и enable traffic filtering (port security) in it.

Purpose of customization⁠

Configure security groups for two cloud servers to restrict the servers from accessing each other and from accessing the servers from the Internet.

What you need to customize⁠

In the example, we used two cloud servers that are in the same cloud server for configuration bullet:

A web server is deployed on one server, the server is connected to the Internet via a public IP address;
a MySQL database is deployed on another server, which receives requests from the web server on standard port 3306.

The servers have been added to one private subnet. On a private network and on the ports of servers on that network traffic filtering (port security) is enabled.

Customization result⁠

Two security groups are created and assigned to server ports:

for web server — the group allows incoming HTTP and HTTPS traffic from the Internet;
for server with database — the group allows incoming traffic from the web server to the standard database port.

All outgoing traffic from the servers is allowed.

Customization steps⁠

Control panel
OpenStack CLI
Terraform

1. Create a security group for the Web server⁠

В control panels from the top menu, press Products and select Cloud servers.
Go to the section Security groups.
Click Create a security team.
Select pool where the web server is located.
Create a rule that allows incoming HTTP traffic to the web server:

5.1. Press Add an incoming traffic rule.

5.2 Select the protocol — TCP.

5.3. Select the traffic source (Source) — 5.3. CIDR and enter the IP address of the default subnet 0.0.0.0/0.

5.4. Enter the port (Dst. port) on which you are allowed to receive traffic-80.

5.5 Optional: enter a comment for the rule.

5.6. Press Add.
Create a rule that allows HTTPS traffic to the web server:

6.1. Press Add an incoming traffic rule.

6.2 Select the protocol — TCP.

6.3. Select the traffic source (Source) — 6.3. CIDR and enter the IP address of the default subnet 0.0.0.0/0.

6.4 Enter the port (Dst. port) on which traffic is allowed to be received, in the example -443.

6.5 Optional: enter a comment for the rule.

6.6. Press Add.
In the block Ports check the web server port to which the security group will be assigned. After the group is created, all active sessions that do not comply with the group's rules will be terminated on the port.
Enter a name for the group or leave the name created automatically.
Optional: enter a comment for the group.
Click Create a security team.

2. Create a security group for the database server⁠

В control panels from the top menu, press Products and select Cloud servers.
Go to the section Security groups.
Click Create a security team.
Select pool where the database server is located.
Create a rule that allows incoming traffic from the web server group:

5.1. Press Add an incoming traffic rule.

5.2 Select the protocol — TCP.

5.3. Select the traffic source (Source) — 5.3. SG and select the security group you created for the web server.

5.4. Enter the port (Dst. port) on which you are allowed to receive the traffic -3306.

5.5 Optional: enter a comment for the rule.

5.6. Press Add.
In the block Ports check the web server port to which the security group will be assigned. After the group is created, all active sessions that do not comply with the group's rules will be terminated on the port.
Enter a name for the group or leave the name created automatically.
Optional: enter a comment for the group.
Click Create a security team.

Open the OpenStack CLI.
Create a security group for the web server:
```
openstack security group create \
    --description "<description_1>" \
    <security_group_name_1>
```
Specify:
- <description_1> — a description of the security group, e.g. Allow internet traffic for web server;
- <security_group_name_1>- the name of the security group, e.g. web.
A group will be created with two rules that allow all outbound traffic.
Create a rule that allows incoming HTTP traffic to the web server:
```
openstack security group rule create \
    --protocol tcp --dst-port 80 \
    --remote-ip 0.0.0.0/0 \
    <security_group_1>
```
Specify <security_group_1>- The ID or name of the security group you created for the web server in step 2 can be viewed using the command openstack security group list.
Create a rule that allows HTTPS traffic to the web server:
```
openstack security group rule create \
    --protocol tcp --dst-port 443 \
    --remote-ip 0.0.0.0/0 \
    <security_group_1>
```
Specify <security_group_1>- The ID or name of the security group you created for the web server in step 2 can be viewed using the command openstack security group list.
Create a security group for the server with the database:
```
openstack security group create \
    --description "<description_2>" \
    <security_group_name_2>
```
Specify:
- <description_2> — a description of the security group, e.g. Allow traffic from web server group;
- <security_group_name_2>- the name of the security group, e.g. database.
A group will be created with two rules that allow all outbound traffic.
Create a rule that allows incoming traffic from the web server group:
```
openstack security group rule create \
    --protocol <protocol> --dst-port <port> \
    --remote-group <security_group_1> \
    <security_group_2>
```
Specify:
- <protocol> — protocol, in the example tcp;
- <port> — port on the database server to which traffic is allowed to be received, in the example — 3306;
- <security_group_1> — The ID or name of the security group you created for the web server in step 2 can be viewed using the command openstack security group list;
- <security_group_2> — The ID or name of the security group you created for the database server in step 5.
On the web server port, assign the security group you created in step 2:
```
openstack port set \
    --security-group <security_group> \
    --enable-port-security \
    <port_1>
```
Specify:
- <security_group> — The ID or name of the security group you created in step 2 can be viewed using the command openstack security group list;
- <port_1> — The ID or port name of a web server from a private subnet can be viewed with the command openstack port list.
On the database server port, assign the security group you created in step 5:
```
openstack port set \
    --security-group <security_group> \
    --enable-port-security \
    <port_2>
```
Specify:
- <security_group> — The ID or name of the security group you created in step 5 can be viewed using the command openstack security group list;
- <port_2> — The ID or port name of a server with a database from a private subnet can be viewed using the command openstack port list.
Optional: check the groups that have been created:
```
openstack security group list
```
Optional: check the list of rules in the group:
```
openstack security group rule list <security_group>
```
Specify <security_group> — The ID or name of the group whose rules you want to view can be viewed using the command openstack security group list.

Example of configuring security groups for cloud servers on the same subnet

Purpose of customization⁠​

What you need to customize⁠​

Customization result⁠​

Customization steps⁠​

1. Create a security group for the Web server⁠​

2. Create a security group for the database server⁠​