Updated at December 20, 2023   05:58 AM

Traffic restriction

Using IP Source Guard

For OpenStack ports, you can enable IP Source Guard by specifying a list of allowed IP addresses. Only traffic whose source IP address is on this list is passed through the port. This helps protect against IP spoofing attacks.

For example, you can allow:

  • Only traffic from the virtual machine that uses the OpenStack port.
  • All traffic that passes through the virtual machine (0.0.0.0/0). This can be useful when the virtual machine is involved in processing traffic and is an intermediate network node (such as a router, firewall or VPN gateway).

Use of firewall and security groups

A firewall can be used to restrict traffic on virtual networks.

The firewall handles traffic according to defined security groups. These groups contain rules for handling inbound and outbound traffic and operate according to the "anything not allowed is denied" principle. One or more security groups can be assigned:

  • in the VK Cloud personal account (only to OpenStack ports with which virtual machines are associated);
  • via the OpenStack CLI (to any OpenStack ports).

You can either create your own security groups or use preconfigured groups that cannot be changed.

For security groups to work correctly:

  • Either use them in combination with a default security group that allows any outbound traffic.

    This applies to both pre-configured and custom security groups.

  • Or configure not only inbound but also outbound rules for them.

Preconfigured security groups

Default security group. This group is assigned to all OpenStack ports created within the network, including:

  • ports to which virtual machines and other platform services connect;
  • service ports that are created, for example, for a router or load balancer.

Allows:

  • any outgoing traffic;
  • any incoming traffic within a security group.
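
The IP Source Guard check and the security group rules described above, expressed as a small Python model (an added example, not VK Cloud or OpenStack code). The group names `web-in` and `web-in-out`, the addresses and the function names are constructed for illustration; the model evaluates only new connections by direction, peer and destination port, and ignores protocol and connection tracking.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str                      # "ingress" or "egress"
    remote_cidr: str = "0.0.0.0/0"      # peer address must fall inside this CIDR
    remote_group: Optional[str] = None  # if set, peer must be a member of this group
    dport: Optional[int] = None         # None matches any destination port

def rule_matches(rule, direction, peer_ip, peer_groups, dport):
    if rule.direction != direction:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.remote_group is not None:
        return rule.remote_group in peer_groups
    return ip_address(peer_ip) in ip_network(rule.remote_cidr)

def connection_allowed(assigned, catalog, direction, peer_ip, dport, peer_groups=()):
    """Default deny: pass only if a rule in any assigned group matches."""
    return any(rule_matches(r, direction, peer_ip, peer_groups, dport)
               for name in assigned for r in catalog[name])

def source_guard_passes(allowed_sources, src_ip):
    """IP Source Guard: the packet's source must be on the port's list."""
    return any(ip_address(src_ip) in ip_network(c) for c in allowed_sources)

# Constructed groups: "default" mirrors the preconfigured group described above.
CATALOG = {
    "default": [Rule("egress"), Rule("ingress", remote_group="default")],
    "web-in": [Rule("ingress", dport=443)],
    "web-in-out": [Rule("ingress", dport=443), Rule("egress", dport=443)],
}

if __name__ == "__main__":
    out = ("egress", "198.51.100.10", 443)  # VM opens an HTTPS connection
    print("web-in only:      ", connection_allowed(["web-in"], CATALOG, *out))
    print("web-in + default: ", connection_allowed(["web-in", "default"], CATALOG, *out))
    print("web-in-out:       ", connection_allowed(["web-in-out"], CATALOG, *out))
    print("spoofed source:   ", source_guard_passes(["10.0.0.5/32"], "10.0.0.99"))
    print("router, 0.0.0.0/0:", source_guard_passes(["0.0.0.0/0"], "192.0.2.44"))
```

A port carrying only the inbound-only group cannot open outbound connections in this model; adding the default group or an explicit egress rule is what lets them through.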