Revision history

initial version
  • Can you use OS::Neutron::Firewall instead of AWS::EC2::SecurityGroup? In general we expect users to use either the native Neutron resources (recommended), or the AWS-compatible VPC resources if portability when CFN is a concern

  • If you define the VpcId property of the AWS::EC2::SecurityGroup, Ref returns the security group ID, not name, does this solve your problem?

  • Can you use OS::Neutron::Firewall instead of AWS::EC2::SecurityGroup? In general we expect users to use either the native Neutron resources (recommended), or the AWS-compatible VPC resources if portability when CFN is a concern

Edit: Yes, OS::Neutron::Firewall provides perimeter firewall functionality, but I was thinking it could possibly solve your use-case as follows (disclaimer, I'm not a Neutron expert):

  • Modify the default security group for the project/tenant to allow the traffic required

  • Connect all instances to a Neutron subnet, which routes via a Neutron router to your external network

  • Configure the Neutron FWaaS on the router via OS::Neutron::Firewall to enforce the rules required outside the private subnet between instances/stacks

  • If you define the VpcId property of the AWS::EC2::SecurityGroup, Ref returns the security group ID, not name, does this solve your problem?

Edit: Re VpcId, you could use AWS::EC2::VPC to create the network/router and pass that into the security group, but just setting the VpcId property to AWS::EC2::SecurityGroup makes it use the neutron security group API instead of the nova one, which is probably what you want in this case.

I agree, it's not a clean interface - what we probably need is a heat-native OS::Neutron::SecurityGroup resource.
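As an added example (not code from the answer or from the Heat project), a CFN-format Heat template that applies the VpcId suggestion above: binding the security group to an AWS::EC2::VPC makes Heat use the Neutron security group API, so Ref on the group yields its ID and can be passed to the instance as a SecurityGroupIds entry. Resource names, parameter names and CIDR values are constructed placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example, not from the answer: an AWS-compatible VPC, subnet and
  security group. Setting VpcId makes Heat back the group with the Neutron
  security group API, so Ref returns the group ID rather than its name.
Parameters:
  ImageId:
    Type: String   # placeholder: a glance image ID
  KeyName:
    Type: String   # placeholder: an existing nova keypair
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16   # constructed value
  Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: {Ref: Vpc}
      CidrBlock: 10.0.1.0/24   # constructed value
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from the private range, HTTPS from anywhere
      VpcId: {Ref: Vpc}        # selects the Neutron security group API
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 10.0.0.0/16  # no SSH from outside the VPC range
        - IpProtocol: tcp
          FromPort: '443'
          ToPort: '443'
          CidrIp: 0.0.0.0/0
  WebServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: {Ref: ImageId}
      InstanceType: m1.small
      KeyName: {Ref: KeyName}
      SubnetId: {Ref: Subnet}
      SecurityGroupIds:
        - {Ref: WebSecurityGroup}   # with VpcId set, Ref is the group ID
Outputs:
  SecurityGroupId:
    Description: Neutron security group ID (Ref, because VpcId is set)
    Value: {Ref: WebSecurityGroup}
```

Without the VpcId property the same AWS::EC2::SecurityGroup is created through nova and Ref returns the group name, which is the behaviour the question ran into.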