Ask Your Question
1

Are security groups applied at port or instance level?

asked 2017-05-24 04:09:40 -0600

GTIM gravatar image

I was wondering if security groups are applied at port or instance level. For example, if I have a VM with two ports connected to different networks, the security group could be either applied to a single port or to all ports.

I found that from Heat templates I could associate a security group at a port level, while using standard Horizon interface to create a VM (or standard CLI commands) or to modify the SG association, the security group is applied at VM level.

I would prefer to apply it at port level in order to have a finer control. Which is actual implementation behavior?

Thanks!

edit retag flag offensive close merge delete
add a comment

4 answers

Sort by ยป oldest newest most voted
1

answered 2017-06-05 10:31:50 -0600

Antonio G. gravatar image

If you create the VM through Horizon GUI (or from CLI with --security-group flag) SGs are applied to all VM ports. Associating SGs to ports on HOT template or using either old CLI command proposed by Rajesh or new CLI commad referenced here could provide more granular control.

edit flag offensive delete link more
add a comment
1

answered 2017-05-25 07:48:06 -0600

Rajesh Ramachandran gravatar image

Security groups are generally applied at the instance level. If there is a VM with two ports connected to different networks and security groups needs to be applied at port level, you can update the port with "neutron port-update"

neutron port-update --security-group <security group ID> <Port ID1>
neutron port-show <Port ID1> | grep -i security_groups (To check)
edit flag offensive delete link more
add a comment
0

answered 2017-05-28 23:23:47 -0600

Praveen N gravatar image

The Access and Security Group rules are applied on to tap device of an instance.So it is at instance level. If suppose a VM is moved from one compute node to another, that tap device is also found migrated during the live migration of instance. This can be verified using commands like neutron port show or iptables -L in the compute node. Not pretty much sure about the mulitple networks for an instance. The below link may be of some help: https://www.rdoproject.org/networking...

edit flag offensive delete link more

Comments

To split hairs: The TAP device of an instance corresponds to the port that the instance uses to connect to the network. Also, there is no guarantee that all combinations of hypervisors and network drivers use TAP devices (although I don't know of any counterexample).

Bernd Bausch gravatar imageBernd Bausch ( 2017-05-29 02:20:23 -0600 )edit
add a comment
0

answered 2017-05-25 06:43:44 -0600

Bernd Bausch gravatar image

Security groups are Neutron artefacts and are applied at port level. openstack port show displays a port's security groups, and you can add security groups to a port with openstack port set. I don't know if the GUI can do either.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

subscribe to rss feed

Stats

Asked: 2017-05-24 04:09:40 -0600

Seen: 2,242 times

Last updated: Jun 05 '17

Related questions

rules not working properly on security groups

Adding rule to a security group using Horizon fails

Identical Ingress and egress security group rule where remote is the security group itself

what's the difference between "security groups" and "firewall as a services"?

Error: Unable to retrieve security groups.

No available ports for floating IPs in new project

Fixed IP address N.N.N.N is already in use on instance

Defining source port for rules in for security groups

Problems with connection to ports used by tcp-server

how to change default security group ? [closed]