Manage traffic filtering (port security)
Traffic filtering (port security) allows:
Traffic filtering is turned off by default on Selectel networks, you can enable network filtering.
If necessary, you will be able to filter out.
Enable network traffic filtering
We do not recommend enabling traffic filtering in existing networks where a load balancer or cluster is running cloud databases This can cause the balancer to fail and disrupt replication in the cluster. Create a new private network or public subnet and enable traffic filtering in it.
Once filtering is enabled on the network, all new ports on the network will be created with a default security group. You can assign a different security group when creating a port. You can also change security groups on an existing port: disconnect the security group from the port and assign another group to the port.
If there is a load balancer running on the network, it will need to be recreated through the helpdesk to apply the new network filtering settings on the service ports of the load balancer.
To enable filtering:
- on a private network that doesn't have a load balancer-- use the OpenStack CLI;
- on the private network on which the load balancer is running, or on a public subnet- contact support.
Enable traffic filtering via Openstack CLI
-
Make sure the network does not have a load balancer running:
1.1. in control panels from the top menu, press Products and select Cloud servers.
1.2 Go to the section Network → tab Private networks.
1.3. Open the network page → tab Ports.
1.4 Make sure that there is no tagged port in the port list. Balancer. If there is such a port, enable filtering through support. If there is no such port, go to step 2.
-
Enable traffic filtering (port security) on the network:
openstack network set \
--enable-port-security \
<network>Specify
<network>— ID or network name, can be viewed with the commandopenstack network list. -
If there are cloud server ports on your network, traffic filtering is not automatically enabled on those ports. To assign security groups to these ports, enable filtering separately for each port:
openstack port set \
--security-group <security_group> \
--enable-port-security \
<port>Specify:
<security_group>— ID or security group name, can be viewed using the commandopenstack security group list;<port>— ID or port name, can be viewed with the commandopenstack port list.
Enable traffic filtering via support
-
Create a ticket request to enable traffic filtering (port security) on the network. Specify in the ticket:
- network ID, can be copied to control panels: from the top menu, press Products → Cloud servers → Network → tab Public networks or Private networks;
- if there is a load balancer in the network — the load balancer ID, can be copied to the control panels: from the top menu, press Products → Cloud servers → Balancers.
-
We will contact you in a ticket and agree on the time to enable traffic filtering. If there is a load balancer running on the network, when filtering is enabled, the load balancer instances will be recreated, and the load balancer may be unavailable for up to 5 seconds.
-
Wait for a response in the ticket that traffic filtering is enabled.
-
If there are cloud server ports on the network, traffic filtering on them will not be enabled when network filtering is enabled. To assign security groups to these ports, enable filtering on them separately for each port:
4.1. Open the OpenStack CLI.
4.2 Enable filtering on each port:
openstack port set \
--security-group <security_group> \
--enable-port-security \
<port>Specify:
<security_group>— ID or security group name, can be viewed using the commandopenstack security group list;<port>— ID or port name, can be viewed with the commandopenstack port list.
Turn off network traffic filtering
To turn off filtering:
- on a private network that doesn't have a load balancer-- use the OpenStack CLI;
- on the private network on which the load balancer is running, or on a public subnet- contact support.
Turn off traffic filtering via Openstack CLI
-
Turn off traffic filtering on the network:
openstack network set \
--disable-port-security \
<network>Specify
<network>— ID or network name, can be viewed with the commandopenstack network list. -
Optional: if there are cloud server ports on the network created with traffic filtering enabled, filtering will not automatically turn off on them — turn off filtering on each port:
3.1 Remove security groups from the port:
openstack port set \
--no-security-group
<port>Specify
<port>— ID or port name, can be viewed with the commandopenstack port list.3.2 Turn off traffic filtering on the port:
openstack port set \
--disable-port-security \
<port>Specify
<port>— ID or port name, can be viewed with the commandopenstack port list.
Turn off traffic filtering via support service
-
Create a ticket request to turn off traffic filtering (port security) on the network. Specify in the ticket:
- network ID, can be copied to control panels: from the top menu, press Products → Cloud servers → Network → tab Private networks or Public networks;
- if there is a load balancer running in the network — the load balancer ID can be copied into the control panels: from the top menu, press Products → Cloud servers → Balancers.
-
We will contact you in a ticket and agree on a time to turn off traffic filtering. If there is a load balancer running on the network, when filtering is turned off, the load balancer instances will be recreated and the load balancer may be unavailable for up to 5 seconds.
-
Wait for a response in the ticket that traffic filtering is turned off.
-
Optional: if there are cloud server ports on the network with traffic filtering enabled, filtering will not automatically turn off on them — turn off filtering on each port:
4.1. Open the OpenStack CLI.
4.2 Remove security groups from the port:
openstack port set \
--disable-port-security \
<port>Specify
<port>— ID or port name, can be viewed with the commandopenstack port list.