Restrict access to the load balancer
You can restrict access to the load balancer by specifying the allowed IP addresses from which it will accept traffic.
The authorized IP addresses are specified in a balancer rule and apply only to the port and traffic type specified in that rule. You can specify the allowed addresses when creating a rule or in an existing rule.
For authorized addresses to work, traffic filtering (port security) must be enabled on the balancer's network. If you enable traffic filtering on the network of an existing balancer, it may cause the balancer to malfunction. We recommend that you create a new network with filtering, create a balancer in it, and configure balancing.
Specify the allowed IP addresses in an existing rule
Control panel
1. In the control panel, from the top menu, press Products and select Cloud servers.
2. Go to the Balancers section → Balancers tab.
3. Open the balancer page.
4. Open the rule card.
5. If the card has the Authorized CIDRs field, in this field:
5.1. Press .
5.2. Enter the authorized IP addresses or subnets, separated by commas.
5.3. Press .
6. If the Authorized CIDRs field is not displayed, enable traffic filtering on the balancer network and repeat steps 1-5.

OpenStack CLI
1. Make sure that traffic filtering is enabled on the balancer network: the port_security_enabled field must have the value true:

   openstack network show <network>

   If the field value is false, enable traffic filtering on the balancer network and go back to step 1.

2. Specify the allowed IP addresses in the balancer rule:

   openstack loadbalancer listener set \
     --allowed-cidr <allowed_cidr> \
     <listener>

   Specify:
   - <allowed_cidr>: IP address or subnet in CIDR format. To specify multiple addresses, pass each address in a separate --allowed-cidr parameter;
   - <listener>: ID or name of the rule. You can view the list with the command openstack loadbalancer listener list.
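
The CLI procedure above as a script, added here as an example (not code from the original page): it refuses to set the allowlist when port security is off, validates each entry, and passes one --allowed-cidr per address. The function names are hypothetical, validation covers IPv4 only, and -f value -c port_security_enabled are the OpenStack client's standard output-formatting options.

```shell
#!/bin/sh
# Added example (not the provider's code): apply a listener allowlist only when
# port security is enabled on the balancer network. Assumption: IPv4 entries only.

# Succeeds if $1 is an IPv4 address or IPv4 CIDR (a.b.c.d or a.b.c.d/0-32).
is_ipv4_cidr() {
    case $1 in ''|*[!0-9./]*|*/*/*|*..*|.*|*.|*./*) return 1 ;; esac
    addr=${1%/*}; prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# Succeeds if traffic filtering (port security) is enabled on network $1.
port_security_on() {
    case $(openstack network show "$1" -f value -c port_security_enabled) in
        [Tt]rue) return 0 ;;
        *) return 1 ;;
    esac
}

# restrict_listener NETWORK LISTENER "cidr1,cidr2,..."
restrict_listener() {
    network=$1; listener=$2
    cidrs=$(printf %s "$3" | tr -d ' ')
    port_security_on "$network" || {
        echo "port security is off on $network: enable it before setting an allowlist" >&2
        return 2
    }
    case $cidrs in ''|*[!0-9./,]*) echo "bad CIDR list: $3" >&2; return 1 ;; esac
    old_ifs=$IFS; IFS=,; set -- $cidrs; IFS=$old_ifs
    n=$#
    for cidr in "$@"; do
        is_ipv4_cidr "$cidr" || { echo "not an IPv4 CIDR: $cidr" >&2; return 1; }
        set -- "$@" --allowed-cidr "$cidr"   # one flag per address
    done
    shift "$n"                               # drop the raw entries, keep the flags
    openstack loadbalancer listener set "$@" "$listener"
}

# Usage: ./restrict.sh <network> <listener> "203.0.113.0/24,198.51.100.7"
if [ $# -eq 3 ]; then restrict_listener "$@"; fi
```

An invalid entry or a network without port security stops the script before the listener is modified, so a typo cannot leave the rule with a partial allowlist.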