Example of configuring security groups for cloud servers on the same subnet

carefully

We do not recommend configuring security groups on existing networks where a load balancer or cloud database cluster is running, as this can cause the load balancer to fail and disrupt replication in the cluster. To avoid failures and data loss, to configure groups , create a new private network or public subnet and enable traffic filtering in it.:::

Purpose of customization⁠

Configure security groups for two cloud servers to restrict the servers from accessing each other and from accessing the servers from the Internet.

What you need to customize⁠

In the example, we used two cloud servers that are in the same pool to configure:

a web server is deployed on one server, the server is connected to the Internet via a public IP address;
a MySQL database is deployed on another server, which receives requests from the web server on standard port 3306.

Servers are added to one private subnet. Traffic filtering ( port security) is enabled on the private network and on the ports of servers on this network.

Customization result⁠

Two security groups are created and assigned to server ports:

for web server — the group allows incoming HTTP and HTTPS traffic from the Internet;
for server with database — the group allows incoming traffic from the web server to the standard database port.

All outgoing traffic from the servers is allowed.

Customization steps⁠

Control panel
OpenStack CLI
Terraform

1. Create a security group for the Web server⁠

In the Control panel, on the top menu, click Products and select Cloud Servers.
Go to the Security Groups section.
Click Create a security group.
Select the pool where the web server resides.
Create a rule that allows incoming HTTP traffic to the web server:

5.1 Click Add Inbound Rule.

5.2 Select the protocol — TCP.

5.3. Select the traffic source (Source) — CIDR and enter the default subnet IP address 0.0.0.0.0/0.

5.4. Enter the port (Dst. port) that is allowed to receive traffic — 80.

5.5 Optional: enter a comment for the rule.

5.6. Click Add.
Create a rule that allows HTTPS traffic to the web server:

6.1 Click Add Inbound Rule.

6.2 Select the protocol — TCP.

6.3 Select the traffic source (Source) — CIDR and enter the default subnet IP address 0.0.0.0.0/0.

6.4 Enter the port (Dst. port) on which traffic is allowed to be received, in the example, 443.

6.5 Optional: enter a comment for the rule.

6.6 Click Add.
In the Ports block, select the web server port to which the security group will be assigned. After the group is created, all active sessions that do not comply with the group's rules will be terminated on the port.
Enter a name for the group or leave the name created automatically.
Optional: enter a comment for the group.
Click Create a security group.

2. Create a security group for the database server⁠

In the dashboard, on the top menu, click Products and select Cloud Servers.
Go to the Security Groups section.
Click Create a security group.
Select the pool where the server with the database is located.
Create a rule that allows incoming traffic from the web server group:

5.1 Click Add Inbound Rule.

5.2 Select the protocol — TCP.

5.3 Select the traffic source (Source) — SG and select the security group you created for the web server.

5.4. Enter the port (Dst. port) that is allowed to receive traffic — 3306.

5.5 Optional: enter a comment for the rule.

5.6. Click Add.
In the Ports block, select the web server port to which the security group will be assigned. After the group is created, all active sessions that do not comply with the group's rules will be terminated on the port.
Enter a name for the group or leave the name created automatically.
Optional: enter a comment for the group.
Click Create a security group.

Open the OpenStack CLI.
Create a security group for the web server:
```
openstack security group create \
    --description "<description_1>" \
    <security_group_name_1>
```
Specify:
- <description_1> — description of the security group, e.g. Allow internet traffic for web server;
- <security_group_name_1> — security group name, e.g. web.
A group will be created with two rules that allow all outgoing traffic.
Create a rule that allows incoming HTTP traffic to the web server:
```
openstack security group rule create \
    --protocol tcp --dst-port 80 \
    --remote-ip 0.0.0.0/0 \
    <security_group_1>
```
Specify <security_group_1> — The ID or name of the security group that you created for the web server in step 2 can be viewed using the openstack security group list command.
Create a rule that allows HTTPS traffic to the web server:
```
openstack security group rule create \
    --protocol tcp --dst-port 443 \
    --remote-ip 0.0.0.0/0 \
    <security_group_1>
```
Specify <security_group_1> — The ID or name of the security group that you created for the web server in step 2 can be viewed using the openstack security group list command.
Create a security group for the server with the database:
```
openstack security group create \
    --description "<description_2>" \
    <security_group_name_2>
```
Specify:
- <description_2> — description of the security group, e.g. Allow traffic from web server group;
- <security_group_name_2> — security group name, e.g. database.
A group will be created with two rules that allow all outgoing traffic.
Create a rule that allows incoming traffic from the web server group:
```
openstack security group rule create \
    --protocol <protocol> --dst-port <port> \
    --remote-group <security_group_1> \
    <security_group_2>
```
Specify:
- <protocol> — protocol, in the example tcp;
- <port> — port on the server with the database on which it is allowed to receive traffic, in the example — 3306;
- <security_group_1> — The ID or name of the security group you created for the web server in step 2 can be viewed with the command openstack security group list;
- <security_group_2> — The ID or name of the security group you created for the database server in step 5.
On the web server port, assign the security group you created in step 2:
```
openstack port set \
    --security-group <security_group> \
    <port_1>
```
Specify:
- <security_group> — The ID or name of the security group you created in step 2 can be viewed with the command openstack security group list;
- <port_1> — The ID or port name of a web server on a private subnet can be viewed with the command openstack port list.
On the database server port, assign the security group you created in step 5:
```
openstack port set \
    --security-group <security_group> \
    <port_2>
```
Specify:
- <security_group> — The ID or name of the security group you created in step 5 can be viewed with the command openstack security group list;
- <port_2> — The ID or port name of a server with a database from a private subnet can be viewed with the command openstack port list.
Optional: check the groups that have been created:
```
openstack security group list
```
Optional: check the list of rules in the group:
```
openstack security group rule list <security_group>
```
Specify <security_group> — The ID or name of the group whose rules you want to view can be viewed using the openstack security group list command.

Example of configuring security groups for cloud servers on the same subnet

Purpose of customization⁠​

What you need to customize⁠​

Customization result⁠​

Customization steps⁠​

1. Create a security group for the Web server⁠​

2. Create a security group for the database server⁠​