Assign a security group
We do not recommend enabling port security and security groups on existing networks: this can break load balancers and disrupt cloud database replication. To avoid failures and data loss, create a new private network or public subnet and enable port security (traffic filtering) on it at the network level.
If port security is enabled on a network, every port created on that network is placed in the default security group. If you specify a security group explicitly when creating the port or the server, that group is assigned instead of the default one.
You can assign a security group:
- to a port: when creating the port or on an existing port;
- to a server: when creating the server or on an existing server.
Assign a security group when creating a port
OpenStack CLI
- Create a port with a security group:
  openstack port create \
  --network <network> \
  --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
  --security-group <security_group> \
  --enable-port-security \
  <port_name>
  Specify:
  <network>: ID or name of the network (see openstack network list). For a public subnet it is the same as <subnet>;
  <subnet>: ID or name of the subnet (see openstack subnet list);
  <port_ip_address>: IP address of the port;
  <security_group>: ID or name of the security group (see openstack security group list);
  <port_name>: name of the port.
- Add the port to the server:
  openstack server add port <server> <port>
  Specify:
  <server>: ID or name of the cloud server (see openstack server list);
  <port>: ID or name of the port created in step 1 (see openstack port list).
Assign a group to an existing port
As soon as a group is assigned to a port, all active sessions on that port that do not match the group rules are terminated. The group is added alongside any groups already assigned to the port.
OpenStack CLI
- Assign a security group to the port:
  openstack port set \
  --security-group <security_group> \
  --enable-port-security \
  <port>
  Specify:
  <security_group>: ID or name of the security group (see openstack security group list);
  <port>: ID or name of the port (see openstack port list).
Assign a group when creating a server
The group is assigned only to the ports that are created together with the server.
OpenStack CLI
- Enable port security on the network where the server will be created:
  openstack network set \
  --enable-port-security \
  <network>
  Specify:
  <network>: ID or name of the network (see openstack network list).
- Create a cloud server on the subnet, specifying the security group:
  openstack server create \
  [--image <image> | --volume <volume> | --snapshot <snapshot>] \
  --flavor <flavor> \
  --availability-zone <pool_segment> \
  --nic net-id=<net_uuid> \
  --security-group <security_group> \
  --key-name <key_name> \
  <server_name>
  Specify:
  - source type:
    --image <image>: create the server from a ready-made or your own image; <image> is the ID or name of the image (see openstack image list);
    --volume <volume>: create the server from a network disk; <volume> is the ID or name of the disk (see openstack volume list);
    --snapshot <snapshot>: create the server from a snapshot; <snapshot> is the ID or name of the snapshot (see openstack snapshot list);
  - <flavor>: ID or name of the flavor. Flavors correspond to cloud server configurations and determine the number of vCPUs, the amount of RAM and, optionally, the local disk size. You can use a fixed-configuration flavor or an arbitrary-configuration flavor. For example, 4011 is the ID of the Memory Line fixed-configuration flavor with 2 vCPUs and 16 GB RAM in the ru-9 pool. List flavors with openstack flavor list or see the table List of fixed-configuration flavors in all pools;
  - <pool_segment>: pool segment where the cloud server will be created, for example ru-9a. Available pool segments are listed in the instruction Availability matrices;
  - <net_uuid>: ID of the private or public network the server will be connected to (see openstack network list);
  - <key_name>: name of the service user's SSH key pair. If no SSH key pair exists yet, generate one. List key pairs with openstack keypair list;
  - <security_group>: ID or name of the security group (see openstack security group list);
  - optional: --block-device-mapping vdb=<extra_volume>: attach an additional disk; <extra_volume> is the ID or name of the additional disk (see openstack volume list);
  - optional: --tag <tag_name> --os-compute-api-version 2.52: tag carrying additional information about the server; <tag_name> is the tag name;
  - optional: --tag preemptible --os-compute-api-version 2.72: tag that creates a preemptible (interruptible) server;
  - optional: --user-data <user_data.file>: script to run on the first boot of the operating system; <user_data.file> is the path to the script file (the CLI base64-encodes it before sending). Script examples are in the instruction User data;
  - <server_name>: server name.
Assign a group to an existing server
As soon as a group is assigned, all active sessions on the server's ports that do not match the group rules are terminated.
The security group is applied to the ports the server has at that moment; it is not assigned to ports you add to the server later.
OpenStack CLI
- Enable port security on every port of the server (see the port set command in "Assign a group to an existing port").
- Assign a security group to the server:
  openstack server add security group \
  <server> \
  <security_group>
  Specify:
  <server>: ID or name of the server (see openstack server list);
  <security_group>: ID or name of the security group (see openstack security group list).
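The two procedures for an existing port and an existing server, combined into one added shell example (this is not part of the original page and not Selectel's code): it resolves the security group name to its ID, enables port security on each port of the server only where it is still off, adds the group, and verifies the result by reading the port back. It assumes a configured openstack CLI (OS_* variables or clouds.yaml) and uses only the commands shown on this page; the server and group names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): enforce a security group on every
# port an existing server already has, enabling port security where it is off.
# Assumes a configured openstack CLI; all names below are placeholders.
set -eu

# Resolve a security group name or ID to its ID (port show lists IDs only).
sg_id_of() {
    openstack security group show -f value -c id "$1"
}

# Exit 0 when port security is already enabled on the port, 1 otherwise.
port_security_enabled() {
    [ "$(openstack port show -f value -c port_security_enabled "$1")" = "True" ]
}

# Enable port security on one port only if needed, add the group, then verify.
# Note: --security-group appends; groups already on the port are kept.
secure_port() {
    port=$1 gid=$2
    if port_security_enabled "$port"; then
        openstack port set --security-group "$gid" "$port"
    else
        openstack port set --enable-port-security --security-group "$gid" "$port"
    fi
    # Read the port back; grep the whole JSON so the check does not depend on
    # the exact column name, which differs between CLI versions.
    openstack port show -f json "$port" | grep -q "$gid" \
        || { echo "group $gid not present on port $port" >&2; return 1; }
}

# Apply to all ports currently attached to the server; prints how many were done.
# Ports attached to the server later are NOT covered (same caveat as the page).
secure_server_ports() {
    server=$1
    sg_id=$(sg_id_of "$2")
    n=0
    for port in $(openstack port list --server "$server" -f value -c ID); do
        secure_port "$port" "$sg_id"
        n=$((n + 1))
    done
    echo "$n"
}

# Usage (placeholders): secure_server_ports my-server my-security-group
```

Because port set and server add security group both append, a port can end up with the default group plus the new one; to replace the set of groups on a port, pass --no-security-group together with --security-group to openstack port set. Run the script during a maintenance window, since sessions that do not match the new rules are dropped the moment the group lands on the port.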