Are security groups applied at port or instance level?

asked 2017-05-24 04:09:40 -0500


I was wondering if security groups are applied at port or instance level. For example, if I have a VM with two ports connected to different networks, the security group could be either applied to a single port or to all ports.

I found that from Heat templates I could associate a security group at a port level, while using standard Horizon interface to create a VM (or standard CLI commands) or to modify the SG association, the security group is applied at VM level.

I would prefer to apply it at port level in order to have finer control. What is the actual implementation behavior?


5 answers


answered 2017-06-05 10:31:50 -0500

If you create the VM through the Horizon GUI (or from the CLI with the --security-group flag), SGs are applied to all VM ports. Associating SGs to ports in a HOT template, or using either the old CLI command proposed by Rajesh or the new CLI command referenced here, could provide more granular control.

answered 2017-05-25 07:48:06 -0500

Rajesh Ramachandran

Security groups are generally applied at the instance level. If there is a VM with two ports connected to different networks and security groups need to be applied at port level, you can update the port with "neutron port-update":

# attach the security group to one specific port only
neutron port-update --security-group <security group ID> <Port ID1>
# check: the security_groups field of the port should now list it
neutron port-show <Port ID1> | grep -i security_groups

answered 2017-05-25 06:43:44 -0500

Security groups are Neutron artefacts and are applied at port level. openstack port show displays a port's security groups, and you can add security groups to a port with openstack port set. I don't know if the GUI can do either.

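As a worked example added here (it is not code from any of the answers above): a POSIX shell script that attaches a security group to the one port of a server that sits on a given network, and then checks that the group landed on that port and not on the server's other ports. It uses the openstack port set / openstack port show commands named above, plus openstack port list with its --server, --network and --long options. SERVER_NAME, NET_NAME and SG_ID are placeholders, the sample outputs are constructed (not real UUIDs) so the check functions can be exercised without a cloud, and the exact list formatting of the security-group columns is an assumption, which is why the checks match by substring.

```shell
#!/bin/sh
# Added example: apply a security group to ONE port of a server and verify it.
# Placeholders: SERVER_NAME, NET_NAME, SG_ID. Needs a configured OpenStack
# environment (OS_* variables or clouds.yaml) for the live commands only.

# Print the ID of the server port attached to the given network.
port_on_network() {
  openstack port list --server "$1" --network "$2" -f value -c ID
}

# Return 0 when sg_id appears in the output of
#   openstack port show <port> -f value -c security_group_ids
# Substring matching keeps this independent of how the CLI formats the list
# (assumption: the IDs appear verbatim in that field).
port_has_sg() {
  show_output="$1"; sg_id="$2"
  printf '%s\n' "$show_output" | grep -q -- "$sg_id"
}

# Given the output of
#   openstack port list --server <server> --long -f value -c ID -c "Security Groups"
# (assumed one port per line, "<port-id> <security group ids...>"), print the
# IDs of the ports that carry sg_id. This is the check that the group did NOT
# end up on every port of the instance.
ports_carrying_sg() {
  list_output="$1"; sg_id="$2"
  printf '%s\n' "$list_output" | awk -v sg="$sg_id" 'index($0, sg) { print $1 }'
}

# Number of ports carrying sg_id (0 when none).
count_ports_with_sg() {
  out=$(ports_carrying_sg "$1" "$2")
  if [ -z "$out" ]; then
    echo 0
  else
    printf '%s\n' "$out" | wc -l | tr -d ' '
  fi
}

# Constructed sample CLI output (not real IDs) so the checks run offline:
# port ...0001 carries both groups, port ...0002 carries only the second.
SAMPLE_SHOW="['aaaaaaaa-0000-4000-8000-000000000001', 'aaaaaaaa-0000-4000-8000-000000000002']"
SAMPLE_LIST="11111111-0000-4000-8000-000000000001 aaaaaaaa-0000-4000-8000-000000000001, aaaaaaaa-0000-4000-8000-000000000002
22222222-0000-4000-8000-000000000002 aaaaaaaa-0000-4000-8000-000000000002"

# Live procedure (uncomment in a real environment):
# PORT=$(port_on_network "$SERVER_NAME" "$NET_NAME")
# openstack port set --security-group "$SG_ID" "$PORT"
# port_has_sg "$(openstack port show "$PORT" -f value -c security_group_ids)" "$SG_ID" \
#   && echo "SG $SG_ID is on port $PORT"
# count_ports_with_sg \
#   "$(openstack port list --server "$SERVER_NAME" --long -f value -c ID -c 'Security Groups')" \
#   "$SG_ID"   # expect 1 for a port-level association
```

The second check is the interesting one for this thread: after a Horizon or nova-style --security-group association, the count comes back equal to the number of ports on the instance; after a port-level association it comes back as 1.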
answered 2017-05-28 23:23:47 -0500

Praveen N

The Access and Security Group rules are applied to the tap device of an instance. So it is at instance level. If a VM is moved from one compute node to another, that tap device is also found migrated during the live migration of the instance. This can be verified using commands like neutron port-show or iptables -L on the compute node. Not pretty much sure about the multiple networks for an instance. The below link may be of some help:


To split hairs: The TAP device of an instance corresponds to the port that the instance uses to connect to the network. Also, there is no guarantee that all combinations of hypervisors and network drivers use TAP devices (although I don't know of any counterexample).

Bernd Bausch (2017-05-29 02:20:23 -0500)

answered 2020-03-25 05:47:02 -0500

Old question, but either way: BOTH. Security groups may be applied to either VM instances or ports. Take a look here for what they do on the port level.


Last updated: Jun 05 '17