Assign a security group

To assign a security group to a port, traffic filtering (port security) must be enabled on the port's network. You can check the filtering status in the Control panel: in the top menu, click Products → Cloud Servers → Network → the Private networks or Public networks tab. A network with enabled filtering is marked with .

When creating a port, a default security group named default is assigned to it. You can also specify a different security group when creating a port or server; it will be assigned instead of the default group.

You can assign a security group:

  • when creating a port;
  • to an existing cloud server port;
  • when creating a server.

Assign a security group when creating a port

You can only assign a security group when creating a port if the port is in a public or private subnet. If you are configuring a port with a direct public IP address, first add the port to the server, then assign a security group to it.

  1. Open the OpenStack CLI.

  2. Create a port with a security group in a private or public subnet:

    openstack port create \
    --network <network> \
    --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
    --security-group <security_group> \
    <port_name>

    Specify:

    • <network> — network ID or name, can be viewed using the openstack network list command. For a public subnet, it matches the <subnet> parameter;
    • <subnet> — subnet ID or name, can be viewed using the openstack subnet list;
    • <port_ip_address> — port IP address;
    • <security_group> — security group ID or name, can be viewed using the openstack security group list;
    • <port_name> — port name.
  3. Add a port to a server:

    openstack server add port <server> <port>

    Specify:

    • <server> — cloud server ID or name, can be viewed using the openstack server list;
    • <port> — the ID or name of the port you created in step 2, can be viewed using the openstack port list.
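A pre-flight wrapper for steps 2 and 3, added here as an example and not taken from the original guide: it refuses to create the port unless the network reports port security enabled, then confirms the requested group is actually attached before adding the port to a server. The function name `create_filtered_port` and its argument order are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original guide). The function name and
# argument order are assumptions; it only calls standard openstack subcommands.

# create_filtered_port <network> <subnet> <ip> <security_group> <port_name> [<server>]
# Prints the new port ID on success; non-zero exit code on any failed check.
create_filtered_port() (
    network=$1 subnet=$2 ip=$3 sg=$4 name=$5 server=${6:-}

    # 1. A security group only takes effect if filtering is on for the network.
    enabled=$(openstack network show "$network" -f value -c port_security_enabled) || return 1
    if [ "$enabled" != "True" ]; then
        echo "port security is disabled on network $network" >&2
        return 2
    fi

    # 2. Resolve the group to its ID so the later check compares IDs, not names.
    sg_id=$(openstack security group show "$sg" -f value -c id) || return 1

    # 3. Create the port with the explicit group instead of the default one.
    port_id=$(openstack port create \
        --network "$network" \
        --fixed-ip "subnet=$subnet,ip-address=$ip" \
        --security-group "$sg_id" \
        -f value -c id "$name") || return 1

    # 4. Confirm the group is attached before the port is put into service.
    #    (security_group_ids is the field name printed by current clients.)
    attached=$(openstack port show "$port_id" -f value -c security_group_ids) || return 1
    case "$attached" in
        *"$sg_id"*) ;;
        *) echo "port $port_id does not carry group $sg_id" >&2; return 3 ;;
    esac

    # 5. Optionally add the verified port to a server.
    if [ -n "$server" ]; then
        openstack server add port "$server" "$port_id" || return 1
    fi
    echo "$port_id"
)
```

Exit code 2 means filtering is off on the network, and 3 means the created port does not list the requested group.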

Assign a group to an existing cloud server port

Warning: after assigning a group to a port, all active sessions that do not comply with the group rules will be dropped.

  1. In the Control panel, click Products in the top menu and select Cloud Servers.

  2. Open the server page → Ports tab.

  3. On the port card, in the security groups field, click .

  4. In the Security groups field, select the groups you want to assign to the port, or click New security group and create a group.

  5. Click Save.

Assign a group when creating a server

The group will only be assigned to ports created together with the server.

  1. Open the OpenStack CLI.

  2. Create a cloud server in a subnet specifying a security group:

    openstack server create \
    [--image <image> | --volume <volume> | --snapshot <snapshot>] \
    --flavor <flavor> \
    --availability-zone <pool_segment> \
    --nic net-id=<net_uuid> \
    --security-group <security_group> \
    --key-name <key_name> \
    <server_name>

    Specify:

    • source type:

      • --image <image> — to create a server from a pre-built or custom image. The <image> parameter is the image ID or name, which can be viewed using the openstack image list;
      • --volume <volume> — to create a server from a network volume. The <volume> parameter is the volume ID or name, which can be viewed using the openstack volume list;
      • --snapshot <snapshot> — to create a server from a snapshot. The <snapshot> parameter is the snapshot ID or name, which can be viewed using the openstack snapshot list;
    • <flavor> — flavor ID or name. Flavors correspond to cloud server configurations and determine the number of vCPU, RAM, and the local disk size (optional) of the server. You can use fixed configurations or create a custom flavor. For example, 1015 is the ID for creating a server with a fixed Standard configuration with 4 vCPU and 16 GB of RAM in the ru-9 pool. The list of flavors can be viewed using the openstack flavor list command or in the List of fixed configuration flavors across all pools table;

    • <pool_segment> — pool segment where the cloud server will be created, e.g., ru-9a. The list of available pool segments can be viewed in the Availability matrix guide;

    • <net_uuid> — private or public network ID to which the server will connect, can be viewed using the openstack network list;

    • <key_name> — the name of the service user SSH key pair. If no SSH keys are created, generate them. You can view the list using the openstack keypair list;

    • <security_group> — security group ID or name, can be viewed using the openstack security group list;

    • optional: --block-device-mapping vdb=<extra_volume> — to add an additional volume. The <extra_volume> parameter is the additional volume ID or name, which can be viewed using the openstack volume list;

    • optional: --property x_cloud_smt_enabled=false — disable Hyper-Threading (SMT). If this parameter is not specified, Hyper-Threading (SMT) will be enabled by default. Can only be used with flavors that support dedicated cores. The list of flavors can be viewed in the List of fixed configuration flavors across all pools table;

    • optional: --property x_cloud_numa_nodes=1 — place resources on a single NUMA node. Can only be used with flavors that support dedicated cores. The list of flavors can be viewed in the List of fixed configuration flavors across all pools table;

    • optional: --tag <tag_name> --os-compute-api-version 2.52 — tag to add extra information about the server. The <tag_name> parameter is the tag name;

    • optional: --tag preemptible --os-compute-api-version 2.72 — tag to create a preemptible server;

    • optional: --user-data <user_data.file> — to specify a script to be executed on the first OS boot. The <user_data.file> parameter is the path to the Base64-encoded script. Example scripts can be found in the User data guide;

    • <server_name> — server name.