Difference between revisions of "Neutron/SecurityGroups"

m (ThierryCarrez moved page Quantum/SecurityGroups to Neutron/SecurityGroups)
Line 54: Line 54:
* NVP plugin https://blueprints.launchpad.net/quantum/+spec/security-groups-nvp
* NVP plugin https://blueprints.launchpad.net/quantum/+spec/security-groups-nvp
* NEC plugin https://blueprints.launchpad.net/quantum/+spec/nec-security-group
* NEC plugin https://blueprints.launchpad.net/quantum/+spec/nec-security-group
* PLUMgrid Plugin https://blueprints.launchpad.net/neutron/+spec/plumgrid-plugin-security-groups
== References ==
== References ==
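Review bot: the new PLUMgrid entry links to the neutron project on Launchpad, while the NVP and NEC entries directly above it still link to the quantum project; since the page itself has been moved from Quantum/SecurityGroups to Neutron/SecurityGroups, consider updating those two older URLs to the neutron namespace in the same edit so the plugin list is consistent.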

Revision as of 20:57, 2 April 2014

Quantum Security Group

  • Backward compatible with Nova security groups (EC2 & existing Nova deployments)
  • Allows specification of both ingress and egress rules (Nova security groups define ingress rules only)
  • Security groups are applied to Quantum ports (Nova security groups are applied to instances)
  • Allows changing the security group at runtime (after launching an instance)

The basic characteristics of Quantum Security Groups are:

  • For ingress traffic (to an instance)
    • Only traffic matched by a security group rule is allowed.
    • When no rule is defined, all ingress traffic is dropped.
  • For egress traffic (from an instance)
    • Only traffic matched by a security group rule is allowed.
    • When no rule is defined, all egress traffic is dropped.
    • When a new security group is created, rules allowing all egress traffic are added automatically.
  • A "default security group" is defined for each tenant.
    • For the default security group, a rule allowing communication among hosts associated with the default security group is defined by default.
    • As a result, in the default security group all egress traffic and all traffic between members of the group are allowed, and all ingress traffic from outside the group is dropped by default.
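The following is an added example, not Neutron's own code: a small Python model of the rule semantics listed above (default deny in both directions, allow-all egress added when a group is created, and the default group's intra-group ingress rule). The class and method names are hypothetical; the rule fields mirror the Neutron rule attributes (direction, protocol, port range, remote_ip_prefix, remote_group_id).

```python
import ipaddress

# Added example (not Neutron's own code): a small model of the security
# group semantics described above. Class and method names are hypothetical.
class SecurityGroupSet:
    def __init__(self):
        self.groups = {}  # group name -> list of rule dicts
        self.ports = {}   # port id -> {"ip": ..., "groups": [...]}

    def create_group(self, name):
        # A new group automatically gets an allow-all egress rule.
        self.groups[name] = [{"direction": "egress", "protocol": None, "port_min": None,
                              "port_max": None, "remote_ip_prefix": None, "remote_group_id": None}]

    def create_default_group(self):
        # The tenant default group also allows ingress from its own members.
        self.create_group("default")
        self.add_rule("default", "ingress", remote_group_id="default")

    def add_rule(self, group, direction, protocol=None, port_min=None,
                 port_max=None, remote_ip_prefix=None, remote_group_id=None):
        self.groups[group].append({"direction": direction, "protocol": protocol,
            "port_min": port_min, "port_max": port_max,
            "remote_ip_prefix": remote_ip_prefix, "remote_group_id": remote_group_id})

    def add_port(self, port_id, ip, groups):
        self.ports[port_id] = {"ip": ip, "groups": list(groups)}

    def _members(self, group):
        # IPs of all ports currently associated with the given group.
        return {p["ip"] for p in self.ports.values() if group in p["groups"]}

    def _matches(self, rule, direction, protocol, port, remote_ip):
        if rule["direction"] != direction:
            return False
        if rule["protocol"] and rule["protocol"] != protocol:
            return False
        if rule["port_min"] is not None and not rule["port_min"] <= port <= rule["port_max"]:
            return False
        if rule["remote_ip_prefix"] and ipaddress.ip_address(remote_ip) not in \
                ipaddress.ip_network(rule["remote_ip_prefix"]):
            return False
        if rule["remote_group_id"] and remote_ip not in self._members(rule["remote_group_id"]):
            return False
        return True

    def allowed(self, port_id, direction, protocol, port, remote_ip):
        # Default deny: traffic passes only if a rule on one of the port's groups matches.
        return any(self._matches(r, direction, protocol, port, remote_ip)
                   for g in self.ports[port_id]["groups"] for r in self.groups[g])
```

Two ports in the default group can reach each other on any port, a port in a freshly created group can send anything out but receives nothing until an ingress rule is added, and nothing from outside the default group reaches its members.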

Workflow scenarios

There are several options for using Quantum security groups with Nova. If there are any other scenarios, please add them.

  • (A) Using Quantum secgroup directly
    1. Create a quantum port
    2. Associate security group with the port
    3. Repeat the above if multiple vNICs are required.
    4. Launch a VM passing port-id of the quantum port
    5. The resulting VM has the security group rules applied.
  • (B) Using nova secgroup proxy (same as traditional Nova approach)
    1. A user requests nova to launch an instance specifying security groups associated.
    2. Nova creates quantum ports.
    3. Nova associates quantum security groups with the ports
    4. Nova launches an instance with the ports created.
  • Comparisons
    • In scenario (B) we need to consider how to specify a security group for each vNIC. One option is to apply a common security group to all vNICs.
    • To use full quantum security group features like IP overlapping or egress filtering, scenario (A) is required.