Assign a security group
To assign a security group to a port, traffic filtering (port security) must be enabled on the port's network. You can check the filtering status in the Control panel: in the top menu, click Products → Cloud Servers → Network → the Private networks or Public networks tab. A network with enabled filtering is marked with .
When a port is created, the default security group, named default, is assigned to it. You can also specify a different security group when creating a port or server; it will be assigned instead of the default group.
You can assign a security group:
- to a port — when creating a port or to an existing cloud server port;
- to a server — when creating a server.
Assign a security group when creating a port
You can only assign a security group when creating a port if the port is in a public or private subnet. If you are configuring a port with a direct public IP address, first add the port to the server, then assign a security group to it.
OpenStack CLI
- Create a port with a security group in a private or public subnet:

      openstack port create \
        --network <network> \
        --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
        --security-group <security_group> \
        <port_name>

  Specify:

  - <network> — network ID or name, can be viewed using the openstack network list command. For a public subnet, it matches the <subnet> parameter;
  - <subnet> — subnet ID or name, can be viewed using the openstack subnet list;
  - <port_ip_address> — port IP address;
  - <security_group> — security group ID or name, can be viewed using the openstack security group list;
  - <port_name> — port name.
- Add a port to a server:

      openstack server add port <server> <port>

  Specify:

  - <server> — cloud server ID or name, can be viewed using the openstack server list;
  - <port> — the ID or name of the port you created in step 2, can be viewed using the openstack port list.
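The port-creation step above, wrapped with the checks a reviewer would want, as an added example that is not part of the original guide: it confirms that port security is enabled on the network before creating the port, then reads the port back to confirm that the requested group is attached. The function names network_filtering_enabled and create_filtered_port are hypothetical, and an authenticated OpenStack CLI session is assumed.

```shell
#!/bin/sh
# Added example: function names are hypothetical; assumes the OS_* credentials
# for the OpenStack CLI are already loaded in the environment.

# Succeeds only if traffic filtering (port security) is enabled on the network.
network_filtering_enabled() {
    state=$(openstack network show "$1" -f value -c port_security_enabled) || return 2
    [ "$state" = "True" ]
}

# Usage: create_filtered_port <network> <subnet> <port_ip> <security_group> <port_name>
# Prints the new port ID on success.
create_filtered_port() {
    net=$1 subnet=$2 ip=$3 sg=$4 name=$5

    # A security group can only be assigned when filtering is enabled.
    if ! network_filtering_enabled "$net"; then
        echo "port security is not enabled on network $net; not creating port" >&2
        return 1
    fi

    # Resolve the group to its ID so the read-back below compares IDs, not names.
    sg_id=$(openstack security group show "$sg" -f value -c id) || return 1

    port_id=$(openstack port create \
        --network "$net" \
        --fixed-ip "subnet=$subnet,ip-address=$ip" \
        --security-group "$sg_id" \
        -f value -c id "$name") || return 1

    # Read the port back and confirm the requested group is attached.
    assigned=$(openstack port show "$port_id" -f value -c security_group_ids) || return 1
    case $assigned in
        *"$sg_id"*) echo "$port_id" ;;
        *)  echo "port $port_id does not carry security group $sg_id" >&2
            return 1 ;;
    esac
}
```

The printed port ID can be passed to openstack server add port in the next step.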
Assign a group to an existing cloud server port
After assigning a group to a port, all active sessions that do not comply with the group rules will be dropped.
Control panel
- In the Control panel, click Products in the top menu and select Cloud Servers.
- Open the server page → Ports tab.
- On the port card, in the security groups field, click .
- In the Security groups field, select the groups you want to assign to the port, or click New security group and create a group.
- Click Save.
Assign a group when creating a server
The group will only be assigned to ports created together with the server.
OpenStack CLI
- Create a cloud server in a subnet specifying a security group:

      openstack server create \
        [--image <image> | --volume <volume> | --snapshot <snapshot>] \
        --flavor <flavor> \
        --availability-zone <pool_segment> \
        --nic net-id=<net_uuid> \
        --security-group <security_group> \
        --key-name <key_name> \
        <server_name>

  Specify:

  - source type:
    - --image <image> — to create a server from a pre-built or custom image. The <image> parameter is the image ID or name, which can be viewed using the openstack image list;
    - --volume <volume> — to create a server from a network volume. The <volume> parameter is the volume ID or name, which can be viewed using the openstack volume list;
    - --snapshot <snapshot> — to create a server from a snapshot. The <snapshot> parameter is the snapshot ID or name, which can be viewed using the openstack snapshot list;
  - <flavor> — flavor ID or name. Flavors correspond to cloud server configurations and determine the number of vCPU, RAM, and the local disk size (optional) of the server. You can use fixed configurations or create a custom flavor. For example, 1015 is the ID for creating a server with a fixed Standard configuration with 4 vCPU and 16 GB of RAM in the ru-9 pool. The list of flavors can be viewed using the openstack flavor list command or in the List of fixed configuration flavors across all pools table;
  - <pool_segment> — pool segment where the cloud server will be created, e.g., ru-9a. The list of available pool segments can be viewed in the Availability matrix guide;
  - <net_uuid> — private or public network ID to which the server will connect, can be viewed using the openstack network list;
  - <key_name> — the name of the service user SSH key pair. If no SSH keys are created, generate them. You can view the list using the openstack keypair list;
  - <security_group> — security group ID or name, can be viewed using the openstack security group list;
  - optional: --block-device-mapping vdb=<extra_volume> — to add an additional volume. The <extra_volume> parameter is the additional volume ID or name, which can be viewed using the openstack volume list;
  - optional: --property x_cloud_smt_enabled=false — disable Hyper-Threading (SMT). If this parameter is not specified, Hyper-Threading (SMT) will be enabled by default. Can only be used with flavors that support dedicated cores. The list of flavors can be viewed in the List of fixed configuration flavors across all pools table;
  - optional: --property x_cloud_numa_nodes=1 — place resources on a single NUMA node. Can only be used with flavors that support dedicated cores. The list of flavors can be viewed in the List of fixed configuration flavors across all pools table;
  - optional: --tag <tag_name> --os-compute-api-version 2.52 — tag to add extra information about the server. The <tag_name> parameter is the tag name;
  - optional: --tag preemptible --os-compute-api-version 2.72 — tag to create a preemptible server;
  - optional: --user-data <user_data.file> — to specify a script to be executed on the first OS boot. The <user_data.file> parameter is the path to the Base64-encoded script. Example scripts can be found in the User data guide;
  - <server_name> — server name.