Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Are security groups applied at port or instance level?

I was wondering if security groups are applied at port or instance level. For example, if I have a VM with two ports connected to different networks, the security group could be either applied to a single port or to all ports.

I found that from Heat templates I could associate a security group at a port level, while using standard Horizon interface to create a VM (or standard CLI commands) or to modify the SG association, the security group is applied at VM level.

I would prefer to apply it at port level in order to have a finer control. Which is actual implementation behavior?