Allowed address pairs

Description

In the current implementation, security features such as port security and security groups require that packets sent from or received by a virtual machine port carry the fixed IP/MAC address of that port. In addition, L2 and L3 forwarding delivers packets only on the basis of these fixed addresses.

Allowed address pairs let the user specify one or more mac_address/ip_address (CIDR) pairs that are allowed to pass through the port regardless of the subnet.

Adding allowed address pairs

Adding allowed address pairs lets you specify other subnets, e.g. a remote VPN subnetwork, that are then permitted to pass through the port irrespective of the subnet in which the port was created.

If you configure a site-to-site IPsec VPN tunnel, you will need to allow the remote subnetwork that you defined in phase 2 of your configuration.

To add this additional parameter to the network port settings and allow NAT to function, proceed as follows:

Note

These actions are only necessary for internal ports of the instance that perform the function of a router.

  • Go to the ‘Network’ tab.
  • Find the internal network there and select it by clicking on its name.
  • In the dialog that opens, select the ‘Ports’ tab. Now choose the port to which you wish to add the additional setting by clicking on its name.
  • Now go to the ‘Allowed address pairs’ tab and click ‘Add allowed address pair’.
  • In the window that opens, enter 0.0.0.0/0 into the ‘IP address or CIDR’ field. Leave the ‘MAC address’ field empty; this will be filled automatically.
  • Confirm the operation.
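
The following is an added example, not code from this documentation or from the platform: a simplified Python model of the source-address check described above, showing what a port accepts with no pair, with only the remote VPN subnet, and with 0.0.0.0/0. The dictionary keys follow the port resource fields (`mac_address`, `fixed_ips`, `allowed_address_pairs`); all addresses are constructed sample values and the helper names are hypothetical.

```python
import ipaddress

def allowed_sources(port):
    """Return the (mac, network) combinations the port may send from."""
    mac = port["mac_address"].lower()
    # The fixed addresses of the port are always permitted (as /32 or /128).
    result = [(mac, ipaddress.ip_network(f["ip_address"])) for f in port["fixed_ips"]]
    for pair in port.get("allowed_address_pairs", []):
        # An empty MAC field is filled automatically with the port's own MAC.
        pair_mac = (pair.get("mac_address") or mac).lower()
        result.append((pair_mac, ipaddress.ip_network(pair["ip_address"], strict=False)))
    return result

def source_permitted(port, src_mac, src_ip):
    """Simplified model: a packet passes only if its MAC and IP match one entry."""
    ip = ipaddress.ip_address(src_ip)
    return any(src_mac.lower() == mac and ip.version == net.version and ip in net
               for mac, net in allowed_sources(port))

def unrestricted_pairs(port):
    """List allowed address pairs that match every address (prefix length 0)."""
    nets = (ipaddress.ip_network(p["ip_address"], strict=False)
            for p in port.get("allowed_address_pairs", []))
    return [str(n) for n in nets if n.prefixlen == 0]

def with_pairs(port, cidrs):
    """Copy of the port with the given CIDRs as allowed address pairs."""
    return dict(port, allowed_address_pairs=[{"ip_address": c} for c in cidrs])

# Constructed sample: internal port of an instance acting as router.
MAC = "fa:16:3e:00:00:01"
ROUTER_PORT = {"mac_address": MAC,
               "fixed_ips": [{"ip_address": "192.168.10.1"}],
               "allowed_address_pairs": []}
VPN_ONLY = with_pairs(ROUTER_PORT, ["10.20.0.0/24"])   # remote VPN subnet only
ANY_SOURCE = with_pairs(ROUTER_PORT, ["0.0.0.0/0"])    # value used in the steps above

if __name__ == "__main__":
    for name, port in [("no pairs", ROUTER_PORT), ("VPN subnet", VPN_ONLY),
                       ("0.0.0.0/0", ANY_SOURCE)]:
        print(name,
              "| VPN host:", source_permitted(port, MAC, "10.20.0.7"),
              "| other host:", source_permitted(port, MAC, "203.0.113.9"),
              "| unrestricted:", unrestricted_pairs(port))
```

With 0.0.0.0/0 the port accepts any IPv4 source address that carries the port's MAC, which is why the note above limits this setting to router ports; for a site-to-site VPN, the remote subnet alone is enough to pass that traffic.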