Ask Your Question
1

Are security groups applied at port or instance level?

asked 2017-05-24 04:09:40 -0500

GTIM gravatar image

I was wondering if security groups are applied at port or instance level. For example, if I have a VM with two ports connected to different networks, the security group could be either applied to a single port or to all ports.

I found that from Heat templates I could associate a security group at a port level, while using standard Horizon interface to create a VM (or standard CLI commands) or to modify the SG association, the security group is applied at VM level.

I would prefer to apply it at port level in order to have a finer control. Which is actual implementation behavior?

Thanks!

edit retag flag offensive close merge delete
add a comment

5 answers

Sort by ยป oldest newest most voted
1

answered 2017-06-05 10:31:50 -0500

Antonio G. gravatar image

If you create the VM through Horizon GUI (or from CLI with --security-group flag) SGs are applied to all VM ports. Associating SGs to ports on HOT template or using either old CLI command proposed by Rajesh or new CLI commad referenced here could provide more granular control.

edit flag offensive delete link more
add a comment
1

answered 2017-05-25 07:48:06 -0500

Rajesh Ramachandran gravatar image

Security groups are generally applied at the instance level. If there is a VM with two ports connected to different networks and security groups needs to be applied at port level, you can update the port with "neutron port-update"

neutron port-update --security-group <security group ID> <Port ID1>
neutron port-show <Port ID1> | grep -i security_groups (To check)
edit flag offensive delete link more
add a comment
0

answered 2017-05-25 06:43:44 -0500

Bernd Bausch gravatar image

Security groups are Neutron artefacts and are applied at port level. openstack port show displays a port's security groups, and you can add security groups to a port with openstack port set. I don't know if the GUI can do either.

edit flag offensive delete link more
add a comment
0

answered 2017-05-28 23:23:47 -0500

Praveen N gravatar image

The Access and Security Group rules are applied on to tap device of an instance.So it is at instance level. If suppose a VM is moved from one compute node to another, that tap device is also found migrated during the live migration of instance. This can be verified using commands like neutron port show or iptables -L in the compute node. Not pretty much sure about the mulitple networks for an instance. The below link may be of some help: https://www.rdoproject.org/networking...

edit flag offensive delete link more

Comments

To split hairs: The TAP device of an instance corresponds to the port that the instance uses to connect to the network. Also, there is no guarantee that all combinations of hypervisors and network drivers use TAP devices (although I don't know of any counterexample).

Bernd Bausch gravatar imageBernd Bausch ( 2017-05-29 02:20:23 -0500 )edit
add a comment
0

answered 2020-03-25 05:47:02 -0500

adduarte gravatar image

Old question but either way. BOTH. Security groups maybe applied to either vm instances or ports. Take a look here: https://superuser.openstack.org/articles/managing-port-level-security-openstack/ (https://superuser.openstack.org/artic...) for what they do on the port level.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

subscribe to rss feed

Stats

Asked: 2017-05-24 04:09:40 -0500

Seen: 2,598 times

Last updated: Jun 05 '17

Related questions

where do unused network ports come from

Instance ports are closed

Why its mandatory to provide security group during VM creation but its allowed to modify a VM and remove all the security group

Deleting a project leaves associated routers and instances behind

Detaching and attaching security group resolved the VM accessibility issue, HOW?

neutron security group entry only works after iptables alteration on instance

How to create two interfaces on same lan with Neutron, Heat and Kilo

Windows Network Interface changing on detach/attach

how to Change default ports of endpoints?

How to change default security group ?