Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Each tenant automatically gets their own security group named 'default'. It has rules (by default) that allow all egress traffic from ports assigned to it, and to accept all ingress traffic coming from other ports that are also assigned to it. So if a user boots two instances on the same network with their ports assigned to the default security group, then the two instances will be able to make any outward connection, and they will have full unrestricted access to each other. The default policy is deny, so everything else will be blocked.

Also note that if two different tenants each boot an instance to a shared network with their 'default' group, then the instances won't be able to talk.

https://wiki.openstack.org/wiki/Neutron/SecurityGroups

http://docs.openstack.org/trunk/openstack-network/admin/content/securitygroups.html