Difference between revisions of "Neutron/SecurityGroups"
< Neutron
m (ThierryCarrez moved page Quantum/SecurityGroups to Neutron/SecurityGroups) |
Shilla Saebi (talk | contribs) m (→Neutron Security Group) |
||
| (One intermediate revision by one other user not shown) | |||
| Line 1: | Line 1: | ||
| − | = | + | = Neutron Security Group = |
== Overview == | == Overview == | ||
| Line 5: | Line 5: | ||
* Backward compatible with Nova security groups (EC2 & existing nova deployments) | * Backward compatible with Nova security groups (EC2 & existing nova deployments) | ||
* Allows specifications of ingress and egress (Nova security groups defines ingress rules only) | * Allows specifications of ingress and egress (Nova security groups defines ingress rules only) | ||
| − | * Security groups are applied on | + | * Security groups are applied on neutron ports (Nova security groups are for instances) |
* Allows changing security group at runtime (after launching an instance) | * Allows changing security group at runtime (after launching an instance) | ||
| Line 14: | Line 14: | ||
== Behavior == | == Behavior == | ||
| − | The basic characteristics of | + | The basic characteristics of Neutron Security Groups are: |
* For ingress traffic (to an instance) | * For ingress traffic (to an instance) | ||
| Line 29: | Line 29: | ||
== Workflow scenarios == | == Workflow scenarios == | ||
| − | There are some options using | + | There are some options using Neutron security groups with Nova. |
If there are any other scenarios, please add them. | If there are any other scenarios, please add them. | ||
| − | * (A) Using | + | * (A) Using Neutron secgroup directly |
| − | *# Create a | + | *# Create a neutron port |
*# Associate security group with the port | *# Associate security group with the port | ||
*# Repeat the above if multiple vNICs are required. | *# Repeat the above if multiple vNICs are required. | ||
| − | *# Launch a VM passing port-id of the | + | *# Launch a VM passing port-id of the neutron port |
*# Now I got the VM where sg rules are applied. | *# Now I got the VM where sg rules are applied. | ||
* (B) Using nova secgroup proxy (same as traditional Nova approach) | * (B) Using nova secgroup proxy (same as traditional Nova approach) | ||
*# A user requests nova to launch an instance specifying security groups associated. | *# A user requests nova to launch an instance specifying security groups associated. | ||
| − | *# Nova creates | + | *# Nova creates neutron ports. |
| − | *# Nova associates | + | *# Nova associates neutron security groups with the ports |
*# Nova launches an instance with the ports created. | *# Nova launches an instance with the ports created. | ||
* Comparisons | * Comparisons | ||
** In scenario (B) we need to consider is how to specify a security group for each vNIC. One option is that a common security group is applied to all vNICs. | ** In scenario (B) we need to consider is how to specify a security group for each vNIC. One option is that a common security group is applied to all vNICs. | ||
| − | ** To use full | + | ** To use full neutron security group features like IP overlapping or egress filtering, scenario (A) is required. |
== Implementations == | == Implementations == | ||
| Line 54: | Line 54: | ||
* NVP plugin https://blueprints.launchpad.net/quantum/+spec/security-groups-nvp | * NVP plugin https://blueprints.launchpad.net/quantum/+spec/security-groups-nvp | ||
* NEC plugin https://blueprints.launchpad.net/quantum/+spec/nec-security-group | * NEC plugin https://blueprints.launchpad.net/quantum/+spec/nec-security-group | ||
| + | * PLUMgrid Plugin https://blueprints.launchpad.net/neutron/+spec/plumgrid-plugin-security-groups | ||
== References == | == References == | ||
Latest revision as of 14:13, 26 August 2014
Contents
Neutron Security Group
Overview
- Backward compatible with Nova security groups (EC2 & existing nova deployments)
- Allows specifications of ingress and egress (Nova security groups defines ingress rules only)
- Security groups are applied on neutron ports (Nova security groups are for instances)
- Allows changing security group at runtime (after launching an instance)
Proposals
- https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups
- Folsom Summit http://www.slideshare.net/delapsley1/20120417-osdesignsummitsecuritygroupsdlapsleyfinal
Behavior
The basic characteristics of Neutron Security Groups are:
- For ingress traffic (to an instance)
- Only traffic matched with security group rules are allowed.
- When there is no rule defined, all traffic are dropped.
- For egress traffic (from an instance)
- Only traffic matched with security group rules are allowed.
- When there is no rule defined, all egress traffic are dropped.
- When a new security group is created, rules to allow all egress traffic are automatically added.
- "default security group" is defined for each tenant.
- For the default security group a rule which allows intercommunication among hosts associated with the default security group is defined by default.
- As a result, all egress traffic and intercommunication in the default group are allowed and all ingress from outside of the default group is dropped by default (in the default security group).
Workflow scenarios
There are some options using Neutron security groups with Nova. If there are any other scenarios, please add them.
- (A) Using Neutron secgroup directly
- Create a neutron port
- Associate security group with the port
- Repeat the above if multiple vNICs are required.
- Launch a VM passing port-id of the neutron port
- Now I got the VM where sg rules are applied.
- (B) Using nova secgroup proxy (same as traditional Nova approach)
- A user requests nova to launch an instance specifying security groups associated.
- Nova creates neutron ports.
- Nova associates neutron security groups with the ports
- Nova launches an instance with the ports created.
- Comparisons
- In scenario (B) we need to consider is how to specify a security group for each vNIC. One option is that a common security group is applied to all vNICs.
- To use full neutron security group features like IP overlapping or egress filtering, scenario (A) is required.
Implementations
- Linux Bridge plugin (with iptables) https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups-iptables
- OVS plugin (with iptables)
- NVP plugin https://blueprints.launchpad.net/quantum/+spec/security-groups-nvp
- NEC plugin https://blueprints.launchpad.net/quantum/+spec/nec-security-group
- PLUMgrid Plugin https://blueprints.launchpad.net/neutron/+spec/plumgrid-plugin-security-groups
References
- Amazon VPC Security Groups : http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
- Amazon VPC FAQ http://aws.amazon.com/vpc/faqs/#S1
