Restrict access to the load balancer
You can restrict access to the load balancer — specify the allowed IP addresses from which the load balancer will accept traffic.
Allowed IP addresses are specified in the balancer rule and apply only to the port and traffic type that are specified in the rule. You can specify allowed addresses when creating a rule or in an existing rule.
Port security must be enabled on the balancer network for allowed addresses to work. If you enable port security on an existing balancer network, it may cause the balancer to malfunction. We recommend creating a new network with filtering, creating a balancer on it, and configuring balancing.
Specify the allowed IP addresses in an existing rule
Control panel
1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Go to Balancers → Balancers tab.
3. Open the balancer page.
4. Open the rule card.
5. If the card has an Allowed CIDR field, in that field:
   5.1 Click .
   5.2 Enter the allowed IP addresses or subnets, separated by commas.
   5.3 Click .
6. If the Allowed CIDRs field is not displayed, enable traffic filtering on the balancer network and repeat steps 1-5.
OpenStack CLI
1. Verify that traffic filtering is enabled on the balancer network, that is, that the port_security_enabled field is set to true:
   openstack network show <network>
   If the field value is false, enable traffic filtering on the balancer network and return to step 1.
2. Specify the allowed IP addresses in the balancer rule:
   openstack loadbalancer listener set \
     --allowed-cidr <allowed_cidr> \
     <listener>
   Specify:
   <allowed_cidr>: IP address or subnet in CIDR format. To specify multiple addresses, pass each one in its own --allowed-cidr parameter;
   <listener>: the ID or name of the rule. The list can be viewed with the command openstack loadbalancer listener list.
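The two CLI steps above, wrapped in a script that validates the address list before anything is changed. This is an added example, not the provider's own tooling. The function names are hypothetical, only IPv4 is handled, and rejecting a /0 prefix is a choice made in this example.

```shell
#!/bin/sh
# Added example, not provider code. Function names are hypothetical.
# Usage: restrict_listener <network> <listener> "192.0.2.0/24, 198.51.100.7/32"

# valid_cidr A.B.C.D/N: succeeds for a well-formed IPv4 CIDR with prefix 1-32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
    # A /0 prefix matches every source address and defeats the restriction.
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# cidr_args "a, b": turns the panel's comma-separated list into repeated flags.
cidr_args() {
    list=$(printf '%s' "$1" | tr -d ' ')
    case "$list" in ''|*[!0-9./,]*) echo "rejected: $1" >&2; return 1 ;; esac
    old_ifs=$IFS; IFS=,; set -- $list; IFS=$old_ifs
    args=''
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "rejected: $cidr" >&2; return 1; }
        args="$args --allowed-cidr $cidr"
    done
    printf '%s\n' "${args# }"
}

# port_security_on NETWORK: succeeds only if port_security_enabled is true.
port_security_on() {
    state=$(openstack network show "$1" -f value -c port_security_enabled) || return 1
    case "$state" in [Tt]rue) return 0 ;; *) return 1 ;; esac
}

# restrict_listener NETWORK LISTENER "cidr,cidr": step 1, then step 2.
restrict_listener() {
    flags=$(cidr_args "$3") || return 1
    port_security_on "$1" || { echo "port security is off on $1" >&2; return 2; }
    # Unquoted on purpose: $flags holds only validated flags and CIDRs.
    openstack loadbalancer listener set $flags "$2"
}
```

The script stops with exit status 2 when port security is off, so a rule is never updated on a network where the allowed addresses would not be enforced.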