Ask Your Question
1

Are security groups applied at port or instance level?

asked 2017-05-24 04:09:40 -0500

GTIM gravatar image

I was wondering if security groups are applied at port or instance level. For example, if I have a VM with two ports connected to different networks, the security group could be either applied to a single port or to all ports.

I found that from Heat templates I could associate a security group at a port level, while using standard Horizon interface to create a VM (or standard CLI commands) or to modify the SG association, the security group is applied at VM level.

I would prefer to apply it at port level in order to have a finer control. Which is actual implementation behavior?

Thanks!

edit retag flag offensive close merge delete
add a comment

4 answers

Sort by ยป oldest newest most voted
1

answered 2017-06-05 10:31:50 -0500

Antonio G. gravatar image

If you create the VM through Horizon GUI (or from CLI with --security-group flag) SGs are applied to all VM ports. Associating SGs to ports on HOT template or using either old CLI command proposed by Rajesh or new CLI commad referenced here could provide more granular control.

edit flag offensive delete link more
add a comment
1

answered 2017-05-25 07:48:06 -0500

Rajesh Ramachandran gravatar image

Security groups are generally applied at the instance level. If there is a VM with two ports connected to different networks and security groups needs to be applied at port level, you can update the port with "neutron port-update"

neutron port-update --security-group <security group ID> <Port ID1>
neutron port-show <Port ID1> | grep -i security_groups (To check)
edit flag offensive delete link more
add a comment
0

answered 2017-05-28 23:23:47 -0500

Praveen N gravatar image

The Access and Security Group rules are applied on to tap device of an instance.So it is at instance level. If suppose a VM is moved from one compute node to another, that tap device is also found migrated during the live migration of instance. This can be verified using commands like neutron port show or iptables -L in the compute node. Not pretty much sure about the mulitple networks for an instance. The below link may be of some help: https://www.rdoproject.org/networking...

edit flag offensive delete link more

Comments

To split hairs: The TAP device of an instance corresponds to the port that the instance uses to connect to the network. Also, there is no guarantee that all combinations of hypervisors and network drivers use TAP devices (although I don't know of any counterexample).

Bernd Bausch gravatar imageBernd Bausch ( 2017-05-29 02:20:23 -0500 )edit
add a comment
0

answered 2017-05-25 06:43:44 -0500

Bernd Bausch gravatar image

Security groups are Neutron artefacts and are applied at port level. openstack port show displays a port's security groups, and you can add security groups to a port with openstack port set. I don't know if the GUI can do either.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

subscribe to rss feed

Stats

Asked: 2017-05-24 04:09:40 -0500

Seen: 1,702 times

Last updated: Jun 05 '17

Related questions

Pike : is there any change in security group behavior from ocata to pike

Deleting a project leaves associated routers and instances behind

openstack CLI through external restrictive firewalls

ERROR (HTTPNotImplemented): Network driver does not support this function. (HTTP 501) message seen on running the "nova secgroup-list-default-rules" command

What's the difference between the attached devices compute:nova and compute:None in Neutron ports?

where do unused network ports come from

Enable ports of neutron subnet and inetrface of a router

neutron security group entry only works after iptables alteration on instance

Security Group Not Working [closed]

Identical Ingress and egress security group rule where remote is the security group itself