Manage port security

To assign a security group to a port, you must first enable port security, the traffic filtering feature. You can enable port security for a whole network or on an individual port.

Enable port security on the network

Caution

We do not recommend enabling port security on existing networks where a load balancer or database cluster is running. This can lead to load balancer failures and disrupt cloud database replication. Instead, create a new private network or public subnet and enable port security at the network level.

Enabling port security on a network will not affect its existing ports — the port security value on the ports will not change. On existing ports, you must enable port security separately for each port.

If port security is enabled at the network level, all new ports on the network will by default be created with port security enabled and the default security group assigned. You can assign a different security group when creating a port.

  1. Open the OpenStack CLI.

  2. Enable port security for the network:

    openstack network set \
    --enable-port-security \
    <network>

    Specify <network>: the network ID or name, which you can view with the command openstack network list.

Enable port security on a port

  1. Open the OpenStack CLI.

  2. Enable port security for the port:

    openstack port set \
    --security-group <security_group> \
    --enable-port-security \
    <port>

    Specify:

    • --security-group <security_group>: the security group that will allow traffic for the port, where <security_group> is the security group ID or name, which you can view with the command openstack security group list. If you do not assign a group, all port traffic will be blocked;
    • <port>: the port ID or name, which you can view with the command openstack port list.
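
Because enabling port security on a network leaves its existing ports unchanged, the following added example (not part of the original documentation) prints the per-port command for every existing port on a network that still has port security disabled. The function name plan_port_security is hypothetical, and the script assumes the CLI prints True or False for the port_security_enabled column.

```shell
#!/bin/sh
# Added example, not provider code. Dry run only: it prints commands and
# changes nothing, so the list can be reviewed before anything is applied.
# Assumption: `openstack port show -f value -c port_security_enabled`
# prints the literal string True or False.
#
# Usage: plan_port_security <network> <security_group>

plan_port_security() {
    local network group port state
    network=$1
    group=$2
    if [ -z "$network" ] || [ -z "$group" ]; then
        echo "usage: plan_port_security <network> <security_group>" >&2
        return 2
    fi
    # Existing ports keep their old port security value, so check each one.
    for port in $(openstack port list --network "$network" -f value -c ID); do
        state=$(openstack port show "$port" -f value -c port_security_enabled)
        case "$state" in
            True)
                ;;  # port security is already enabled on this port
            False)
                # A group is always passed: a port with port security
                # enabled and no group has all of its traffic blocked.
                echo "openstack port set --security-group $group --enable-port-security $port"
                ;;
            *)
                echo "# $port: unexpected value '$state', check manually"
                ;;
        esac
    done
}
```

Review the printed list before running it, and leave out ports that belong to a load balancer or a database cluster.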

Disable port security on the network

Disabling port security on a network will not affect its existing ports — the port security value on the ports will not change. On existing ports, you must disable port security separately for each port. New ports on the network will be created by default with port security disabled.

  1. Open the OpenStack CLI.

  2. Turn off port security for the network:

    openstack network set \
    --disable-port-security \
    <network>

    Specify <network>: the network ID or name, which you can view with the command openstack network list.

Disable port security on a port

Before disabling port security on a port, you must remove all security groups from the port.

  1. Open the OpenStack CLI.

  2. Remove the security groups from the port:

    openstack port set \
    --no-security-group \
    <port>

    Specify <port>: the port ID or name, which you can view with the command openstack port list.

  3. Disable port security for the port:

    openstack port set \
    --disable-port-security \
    <port>

    Specify <port>: the port ID or name, which you can view with the command openstack port list.