Manage traffic filtering (port security)

Traffic filtering is enabled by default on private networks and public subnets that are created:

  • in the ru-8 pool after May 15, 2025;
  • in the uz-2 pool after May 22, 2025;
  • in the ru-9 pool after May 26, 2025;
  • in the ke-1 pool after May 26, 2025;
  • in the uz-1 pool after May 27, 2025;
  • in the kz-1 pool after May 28, 2025;
  • in the gis-1 pool after May 29, 2025.

You can't control filtering in these pools.

In pools ru-1, ru-2, ru-3 and ru-7, filtering is turned off by default in existing and new networks. You can enable filtering on a network and turn it off again if necessary.

Enable network traffic filtering

Caution: We do not recommend enabling traffic filtering on existing networks running a load balancer or cloud database cluster, as this can cause the load balancer to fail and disrupt replication in the cluster. Create a new private network or public subnet and enable traffic filtering on it.

Once filtering is enabled on the network, all new ports on the network will be created with the default security group. You can assign a different security group when you create a port. You can also change the security groups on an existing port: disconnect the security group from the port and assign a different group to the port.

If there is a load balancer running on the network, it will need to be recreated through the helpdesk to apply the new network filtering settings on the service ports of the load balancer.

To enable filtering:

  • on a private network that does not have a load balancer — use the OpenStack CLI;
  • on the private network where the load balancer is running or on a public subnet, contact support.

Enable traffic filtering via OpenStack CLI

  1. Make sure the network does not have a load balancer running:

    1.1. In the Control Panel, on the top menu, click Products and select Cloud Servers.

    1.2. Go to Network → Private Networks tab.

    1.3. Open the network page → Ports tab.

    1.4. Make sure that there is no port tagged Balancer in the list of ports. If there is such a port, enable filtering through the support service. If there is no such port, go to step 2.

  2. Open the OpenStack CLI.

  3. Enable traffic filtering (port security) on the network:

    openstack network set \
    --enable-port-security \
    <network>

    Specify <network> — The network ID or name can be viewed using the openstack network list command.

  4. If there are cloud server ports on your network, traffic filtering is not automatically enabled on those ports. To assign security groups to these ports, enable filtering separately for each port:

    openstack port set \
    --security-group <security_group> \
    --enable-port-security \
    <port>

    Specify:

    • <security_group> — The ID or name of the security group can be viewed with the command openstack security group list;
    • <port> — The port ID or name can be viewed with the command openstack port list.

Enable traffic filtering via support

  1. Create a ticket with a request to enable port security on the network. In the ticket, specify:

    • the network ID, which can be copied in the control panel: from the top menu, click Products → Cloud Servers → Network → Public Networks or Private Networks tab;
    • if there is a load balancer in the network, the load balancer ID, which can be copied in the control panel: in the top menu, click Products → Cloud Servers → Balancers.

  2. We will contact you in a ticket and agree on the time to enable traffic filtering. If there is a load balancer running on the network, when filtering is enabled, the load balancer instances will be recreated, and the load balancer may be unavailable for up to 5 seconds.

  3. Wait for a response in the ticket that traffic filtering is enabled.

  4. If there are cloud server ports on the network, traffic filtering on them will not be enabled when network filtering is enabled. To assign security groups to these ports, enable filtering on them separately for each port:

    4.1. Open the OpenStack CLI.

    4.2. Enable filtering on each port:

    openstack port set \
    --security-group <security_group> \
    --enable-port-security \
    <port>

    Specify:

    • <security_group> — The ID or name of the security group can be viewed with the command openstack security group list;
    • <port> — The port ID or name can be viewed with the command openstack port list.
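
Step 4 of both procedures above (via the CLI and via support) has to be repeated for every cloud server port. The script below is an added example, not part of the original documentation: it lists the ports on a network that still have port security disabled and prints, or applies, the openstack port set command for each. It assumes cloud server ports have a device_owner starting with "compute:" (so DHCP and router ports are skipped); the function names and the DRY_RUN variable are illustrative.

```shell
#!/bin/sh
# Added example: find cloud server ports left unfiltered after port security
# was enabled on a network, then assign a security group to each of them.

# Print the ID of every cloud server port on network $1 whose port security
# is still disabled.
unfiltered_ports() {
    openstack port list --network "$1" -f value -c ID |
    while read -r port; do
        [ -n "$port" ] || continue
        # Assumption: ports attached to cloud servers have device_owner
        # "compute:<zone>"; service ports (DHCP, router) are left alone.
        owner=$(openstack port show "$port" -f value -c device_owner </dev/null)
        case "$owner" in
            compute:*) ;;
            *) continue ;;
        esac
        state=$(openstack port show "$port" -f value -c port_security_enabled </dev/null)
        [ "$state" = "True" ] || printf '%s\n' "$port"
    done
}

# Enable filtering with security group $2 on every unfiltered cloud server
# port of network $1. With DRY_RUN=1 (the default) only print the commands.
filter_ports() {
    network=$1
    group=$2
    for port in $(unfiltered_ports "$network"); do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "openstack port set --security-group $group --enable-port-security $port"
        else
            openstack port set --security-group "$group" --enable-port-security "$port"
        fi
    done
}

# Usage: sh filter_ports.sh <network> <security_group>
if [ "$#" -ge 2 ]; then
    filter_ports "$1" "$2"
fi
```

Review the printed commands first, then rerun with DRY_RUN=0 to apply them.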

Turn off network traffic filtering

To turn off filtering:

  • on a private network that does not have a load balancer — use the OpenStack CLI;
  • on the private network where the load balancer is running or on a public subnet, contact support.

Turn off traffic filtering via OpenStack CLI

  1. Open the OpenStack CLI.

  2. Turn off traffic filtering on the network:

    openstack network set \
    --disable-port-security \
    <network>

    Specify <network> — The network ID or name can be viewed using the openstack network list command.

  3. Optional: if there are cloud server ports on the network created with traffic filtering enabled, filtering will not automatically turn off on them — turn off filtering on each port:

    3.1. Remove the security groups from the port:

    openstack port set \
    --no-security-group \
    <port>

    Specify <port> — The port ID or name can be viewed using the openstack port list command.

    3.2. Turn off traffic filtering on the port:

    openstack port set \
    --disable-port-security \
    <port>

    Specify <port> — The port ID or name can be viewed using the openstack port list command.

Turn off traffic filtering via support service

  1. Create a ticket with a request to disable port security on the network. In the ticket, specify:

    • the network ID, which can be copied in the control panel: from the top menu, click Products → Cloud Servers → Network → Private Networks or Public Networks tab;
    • if there is a load balancer running in the network, the load balancer ID, which can be copied in the control panel: in the top menu, click Products → Cloud Servers → Balancers.

  2. We will contact you in a ticket and agree on a time to turn off traffic filtering. If there is a load balancer running on the network, when filtering is turned off, the load balancer instances will be recreated and the load balancer may be unavailable for up to 5 seconds.

  3. Wait for a response in the ticket that traffic filtering is turned off.

  4. Optional: if there are cloud server ports on the network with traffic filtering enabled, filtering will not automatically turn off on them — turn off filtering on each port:

    4.1. Open the OpenStack CLI.

    4.2. Remove the security groups from the port and turn off traffic filtering on it:

    openstack port set \
    --no-security-group \
    --disable-port-security \
    <port>

    Specify <port> — The port ID or name can be viewed using the openstack port list command.