General information about security groups

General information about security groups

carefully

We do not recommend configuring security groups in existing networks where a load balancer or cluster is running cloud databases If you do not configure a group, it can cause the balancer to fail and disrupt replication in the cluster. To avoid failures and data loss, to configure the groups create a new private network or public subnet and turn on traffic filtering.

A security group is a set of rules for filtering traffic that is applied on the ports cloud servers within a single pool.

Unlike cloud firewall allows you to filter all traffic passing through a port, including traffic between devices on the same network and subnet.

You can work with safety groups in control panels with the help of OpenStack CLI.

Principle of operation⁠

A security group is assigned to one or all ports on a cloud server and filters incoming and outgoing port traffic according to specified rules. If there are no rules in the group, all traffic is discarded.

Safety groups must be enabled to operate traffic filtering (port security).

The security groups use objects from the OpenStack model:

• Security Group — A security group. It serves as a container for rules that allow traffic to pass through;
• Rule — rule in a security group. Allows traffic with certain parameters to pass through.

Safety groups can operate in one of the modes:

• stateful (default) — session stateful. If traffic has passed through the port and a session is established, return traffic within this session will pass even without a rule. The session timeout is 300 seconds;
• stateless — the session state is not taken into account.

You can specify the mode when group creation change the mode after creating a group.

Several security groups can operate on the same port. Their rules are applied simultaneously: if traffic matches at least one rule, it will be skipped.

Default security group⁠

In one project, a default security group is created for each pool with the name default. The default security group is assigned to a port when it is created, but you can assign another security team when creating a port or server. Default security groups are not automatically assigned on networks that have the following disabled traffic filtering (port security).

The default security group allows all inbound and outbound traffic and operates in stateful mode. To restrict traffic using the default group, you can manage the rules in the group by — deregulate and add new ones.

The default group cannot be deleted.

Rules⁠

Rules work on the permissive principle: if traffic matches at least one rule in the group, it will be allowed. The order of the rules does not matter.

The rule allows traffic based on request parameters:

• direction — inbound or outbound;
• Protocol — TCP, UDP, ICMP, AH, DCCP, EGP, ESP, GRE, IGMP, IPv6-ENCAP, IPv6-Frag, IPv6-ICMP, IPv6-NoNxt, IPv6-Opts, IPv6-Route, OSPF, PGM, RSVP, SCTP, UDP Lite, VRRP, IP-in-IP, or any protocol;
• port (for inbound and outbound traffic) — the port or range of ports to which a connection can be established. The ports on the device to which the group with the rule is assigned are specified;
• traffic source (for incoming traffic) — IP address, subnet, or other security group;
• traffic destination (for outgoing traffic) — IP address, subnet or other security group.

When you create a new security group, two rules are created in it by default that allow all outbound traffic. You can remove these rules and add new ones.

Traffic filtering (port security)⁠

Traffic filtering (port security) is a network function to protect against unauthorized access and attacks, which is required for security groups to work. Completely denies traffic unless a security group with authorizing rules is assigned to the port. Traffic filtering is disabled by default in all Servercore networks.

We recommend that for working with security groups, you create a new network and enable traffic filtering — in this case, all new ports on the network will be assigned to the default security group. You'll also be able to assign another security team when creating a port or server.

Traffic filtering allows only one fixed IP/MAC address pair for a port, so MAC/IP spoofing, VPN, VRRP and overlay networks will be blocked. If you are using solutions based on these, ports with a security group must be additionally configure the allowed IP/MAC addresses that can be used to send traffic through the port.

Limitations⁠

In one. project can be created:

• no more than 20 safety groups, taking into account default security groups;
• no more than 200 rules.

The number of security groups and rules on one port is limited by the project limit — no more than 20 groups, no more than 200 rules.

In Servercore, the default some TCP/UDP ports are blocked. If inbound or outbound traffic through the port is blocked by default, it will not pass through even if there is an allow rule.

Cost⁠

Safety groups are provided free of charge.