Are security groups applied at port or instance level?
I was wondering if security groups are applied at port or instance level. For example, if I have a VM with two ports connected to different networks, the security group could be either applied to a single port or to all ports.
I found that from Heat templates I could associate a security group at a port level, while using standard Horizon interface to create a VM (or standard CLI commands) or to modify the SG association, the security group is applied at VM level.
I would prefer to apply it at port level in order to have a finer control. Which is actual implementation behavior?
Thanks!