Restrict access to the load balancer

You can restrict access to the load balancer — specify the IP addresses from which you are allowed to accept traffic.

The authorized IP addresses are specified in rule balancer and apply only to the port and traffic type that are specified in the rule.

The balancer's network must be enabled for authorized addresses to work traffic filtering (port security). If you enable traffic filtering in the network of an existing balancer, it may cause it to fail, so we recommend creating a new network with filtering, creating a balancer in it, and configuring balancing.

Create a private network.
Add a subnet to the private network.
Add servers to the subnet.
Create a load balancer.
Create a rule with an access restriction.
Create a task force.
If you specified a non-default security group when adding servers to the subnet, configure the security group on the servers.

1. Create a private network⁠

Open the OpenStack CLI.
Create a private network with traffic filtering enabled:
```
openstack network create --enable-port-security <network_name> 
```
Specify <network_name> — private network name.

2. Add a subnet to a private network⁠

Open the OpenStack CLI.
Create a subnet on the private network:
```
openstack subnet create \
  --subnet-range <cidr> \
  [--dhcp  | --no-dhcp] \
  --gateway <gateway> \
  --network <network> \
  <subnet_name>
```
Specify:
- <cidr> — CIDR of a private subnet, e.g. 192.168.0.0/24;
- DHCP option:
  - --dhcp — enable DHCP;
  - --no-dhcp — disable DHCP;
- <gateway> — IP address default gateway for example 192.168.0.2;
- <network> — The ID or name of the private network that previously created can be viewed with the command openstack network list;
- <subnet_name> — private subnet name.

3. Add servers to the subnet⁠

Open the OpenStack CLI.
Create a port on the subnet:
```
openstack port create \
  --network <network> \
  --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
  --security-group <security_group> \
  <port_name>
```
Specify:
- <network> — The ID or name of the private network that you previously created can be viewed with the command openstack network list;
- <subnet> — The ID or name of the subnet you added to the network earlier can be viewed with the command openstack subnet list;
- <port_ip_address> — IP address of the port;
- <security_group> — ID or name security teams can be viewed with the command openstack security group list. If you do not specify a security group, the following will be assigned default security group;
- <port_name> — port name.
Add a port to the cloud server:
```
openstack server add port <server> <port>
```
Specify:
- <server> — The ID or name of the cloud server, can be viewed using the command openstack server list;
- <port> — ID or port name, can be viewed with the command openstack port list.
If traffic needs to be balanced across multiple servers, repeat steps 2-3 for each server.

4. Create a load balancer⁠

Open the OpenStack CLI.
Install the Octavia component to work with cloud load balancers — Yoga release version 3.4.0 is required for compatibility with the release version:
```
pip3 install python-octaviaclient===3.4.0
```
Create a load balancer:
```
openstack loadbalancer create \
  --vip-subnet-id <subnet_uuid> \
  --vip-address <loadbalancer_ip_address> \
  --flavor <flavor> \
  --name <loadbalancer_name>
```
Specify:
- <subnet_uuid> — The ID of the private subnet can be viewed with the command openstack subnet list;
- <loadbalancer_ip_address> — The IP address that will be allocated to the load balancer is one of the free ones in the subnet;
- <flavor> — The ID or name of the flavor. The flavors correspond to by load balancer type and determine the number of vCPUs, RAM, and the number of balancer instances. For example, ac18763b-1fc5-457d-9fa7-b0d339ffb336 — ID to create a balancer with type Advanced with reservation in the ru-9 pool. The list of flavors can be viewed using the command openstack loadbalancer flavor list -c id -c name or in a table List of load balancer flavorings in all pools;
- <loadbalancer_name> — balancer's name.
Check that the balancer is in statuses ONLINE (parameter operating_status in the command output) and ACTIVE (provisioning_status):
```
openstack loadbalancer show <loadbalancer>
```
Specify <loadbalancer> — ID or balancer name, the list can be viewed with the command openstack loadbalancer list.
Optional: connect a public IP address to the balancer:
```
openstack floating ip set --port <loadbalancer_port_uuid> <floating_ip>
```
Specify:
- <loadbalancer_port_uuid> — The balancer port ID can be viewed with the command openstack loadbalancer show <loadbalancer>parameter vip_port_id;
- <floating_ip> — public IP address.

5. Create a rule with access restriction⁠

For TCP or UDP traffic
For HTTP or HTTPS traffic

Open the OpenStack CLI.
Create a rule with an access restriction:
```
openstack loadbalancer listener create \
  --name <listener_name> \
  --protocol <protocol> \
  --protocol-port <port> \
  --allowed-cidr <allowed-cidr> \
  <loadbalancer>
```
Specify:
- <listener_name> — NAME OF RULE;
- <protocol> — protocol name: TCP or UDP;
- <port> — port number;
- <allowed-cidr> — subnet in CIDR format from which traffic is allowed to be received. If you want to specify multiple subnets, specify each subnet in a separate parameter --allowed-cidr;
- <loadbalancer> — ID or name of the load balancer. You can view the list using the command openstack loadbalancer list.

Open the OpenStack CLI.
Create a rule with an access restriction:
```
openstack loadbalancer listener create \
  --name <listener_name> \
  --protocol <protocol> \
  --protocol-port <port> \
  --allowed-cidr <allowed-cidr> \
  --default-tls-container=<certificate_uuid> \
  --default-pool <default_pool> \
  <loadbalancer>
```
Specify:
- <listener_name> — NAME OF RULE;
- <protocol> — protocol name: HTTP or TERMINATED\_HTTPS;
- <port> — port number;
- --default-tls-container=<certificate_uuid> — ID of the TLS(SSL)-certificate for HTTPS traffic termination on the balancer. Specify if you selected the protocol TERMINATED_HTTPS. You can copy it into control panels: from the top menu, press Products → The manager of secrets → tab Certificates → in the menu of the certificate, select Copy UUID. Read more about TLS(SSL)-certificates of the load balancer;
- optional: --default-pool <default_pool> — The default ID or name of the default target group to which traffic that does not fall under the HTTP Policies in the rule. If you do not specify a parameter, traffic that does not fall under the policy will be discarded. The list of groups can be viewed using the command openstack loadbalancer pool list. If you don't have the right target group, create it;
- <loadbalancer> — ID or name of the load balancer. You can view the list using the command openstack loadbalancer list.
Optional: create an HTTP policy in the rule. The policy can be created at any time after the rule is created.

6. Create a task force⁠

Open the OpenStack CLI.
Create a task force:
```
openstack loadbalancer pool create \
  --name <pool_name> \
  --lb-algorithm <algorithm> \
  --listener <listener_name> \
  --protocol <protocol>
```
Specify:
- <pool_name> — the name of the target group;
- <algorithm> — algorithm name: ROUND_ROBIN or LEAST_CONNECTIONS;
- <listener_name> — rule name, can be viewed with the command openstack loadbalancer listener list;
- <protocol> — protocol name.
Add the server to the target group:
```
openstack loadbalancer member create \
  --subnet-id <subnet_uuid> \
  --address <server_ip_address> \
  --protocol-port <port> \
  <pool_name>
```
Specify:
- <subnet_uuid> — The ID of the server's private or public subnet. The list can be viewed using the command openstack subnet list;
- <server_ip_address> — The IP address of the server from the specified subnet;
- <port> — port number;
- <pool_name> — the name of the target group you created in step 2.
Optional: create accessibility check:
```
openstack loadbalancer healthmonitor create \
  --delay <delay> \
  --timeout <timeout> \
  --max-retries <max_retries> \
  --max-retries-down <max_retries_down> \
  --type <type> \
  --http-method <http_method> \
  --url-path <url_path> \
  --expected-codes <codes> \
  <pool_name>
```
Specify:
- <delay> — the interval between checks in seconds;
- <timeout> — the time to wait for a response in seconds;
- <max_retries> — number of consecutive successful accesses, after which the server is brought back online;
- <max_retries_down> — number of unsuccessful requests in a row, after which the server is suspended;
- <type> — type of verification: HTTP, PING, TCP, TLS_HELLO, UDP_CONNECT;
- HTTP request parameters, if you have selected the check type — HTTP:
  - --http-method <http_method> — method of verification: GET, POST, DELETE, PUT, HEAD, OPTIONS, PATCH, CONNECT, TRACE;
  - --url-path <url_path> — query path without a domain name;
  - --expected-codes <codes> — expected response codes, separated by commas;
- <pool_name> — the name of the target group that you set in step 2.

7. Configure the security group on the servers⁠

If at adding servers to a subnet you have specified a non-default security group, customize the group — add rules to it that allow traffic from the balancer. To check which group is assigned to the ports and to see the list of rules in the group, use the following instructions View the security groups on the ports.

To configure a security group, use the instructions Example of configuring a security group for servers in a private network behind a load balancer.

Restrict access to the load balancer

1. Create a private network⁠​

2. Add a subnet to a private network⁠​

3. Add servers to the subnet⁠​

4. Create a load balancer⁠​

5. Create a rule with access restriction⁠​

6. Create a task force⁠​

7. Configure the security group on the servers⁠​