Hi, If the VM device is attached directly to the switch then the traffic will not go through the seciruty groups. This is why there is the Hybrid VIF driver. The VM connection to the bridge is as follows: With the OVS plugin there is not external controller that builds the flows. This is addressed by a number of other plugins, for example, nicira, bigswitch, ryu etc. Thanks Gary