Ask Your Question
1

Are security groups applied at port or instance level?

asked 2017-05-24 04:09:40 -0500

GTIM gravatar image

I was wondering if security groups are applied at port or instance level. For example, if I have a VM with two ports connected to different networks, the security group could be either applied to a single port or to all ports.

I found that from Heat templates I could associate a security group at a port level, while using standard Horizon interface to create a VM (or standard CLI commands) or to modify the SG association, the security group is applied at VM level.

I would prefer to apply it at port level in order to have a finer control. Which is actual implementation behavior?

Thanks!

edit retag flag offensive close merge delete
add a comment

5 answers

Sort by ยป oldest newest most voted
1

answered 2017-06-05 10:31:50 -0500

Antonio G. gravatar image

If you create the VM through Horizon GUI (or from CLI with --security-group flag) SGs are applied to all VM ports. Associating SGs to ports on HOT template or using either old CLI command proposed by Rajesh or new CLI commad referenced here could provide more granular control.

edit flag offensive delete link more
add a comment
1

answered 2017-05-25 07:48:06 -0500

Rajesh Ramachandran gravatar image

Security groups are generally applied at the instance level. If there is a VM with two ports connected to different networks and security groups needs to be applied at port level, you can update the port with "neutron port-update"

neutron port-update --security-group <security group ID> <Port ID1>
neutron port-show <Port ID1> | grep -i security_groups (To check)
edit flag offensive delete link more
add a comment
0

answered 2017-05-25 06:43:44 -0500

Bernd Bausch gravatar image

Security groups are Neutron artefacts and are applied at port level. openstack port show displays a port's security groups, and you can add security groups to a port with openstack port set. I don't know if the GUI can do either.

edit flag offensive delete link more
add a comment
0

answered 2017-05-28 23:23:47 -0500

Praveen N gravatar image

The Access and Security Group rules are applied on to tap device of an instance.So it is at instance level. If suppose a VM is moved from one compute node to another, that tap device is also found migrated during the live migration of instance. This can be verified using commands like neutron port show or iptables -L in the compute node. Not pretty much sure about the mulitple networks for an instance. The below link may be of some help: https://www.rdoproject.org/networking...

edit flag offensive delete link more

Comments

To split hairs: The TAP device of an instance corresponds to the port that the instance uses to connect to the network. Also, there is no guarantee that all combinations of hypervisors and network drivers use TAP devices (although I don't know of any counterexample).

Bernd Bausch gravatar imageBernd Bausch ( 2017-05-29 02:20:23 -0500 )edit
add a comment
0

answered 2020-03-25 05:47:02 -0500

adduarte gravatar image

Old question but either way. BOTH. Security groups maybe applied to either vm instances or ports. Take a look here: https://superuser.openstack.org/articles/managing-port-level-security-openstack/ (https://superuser.openstack.org/artic...) for what they do on the port level.

edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

subscribe to rss feed

Stats

Asked: 2017-05-24 04:09:40 -0500

Seen: 2,799 times

Last updated: Jun 05 '17

Related questions

Adding rule to a security group using Horizon fails

Icehouse Nova API: Why are security groups repeated on server entry?

Problem with Security Groups JSON - Is this a bug?

How to change default security group ?

Error: Unable to retrieve security groups.

openstack security group issue

neutron security group entry only works after iptables alteration on instance

What's the difference between the attached devices compute:nova and compute:None in Neutron ports?

security group creation adds unrestricted egress rules by default?

keystone on CentOS 6.3