Chapter 19. Configuring security groups
Security groups are sets of IP filter rules that control network and protocol access to and from instances, such as ICMP to allow you to ping an instance, and SSH to allow you to connect to an instance. The security group rules are applied to all instances within a project.
All projects have a default security group called default
, which is used when you do not specify a security group for your instances. By default, the default security group allows all outgoing traffic and denies all incoming traffic from any source other than instances in the same security group. You can either add rules to the default security group or create a new security group for your project. You can apply one or more security groups to an instance during instance creation. To apply a security group to a running instance, apply the security group to a port attached to the instance.
When you create a security group, you can choose stateful or stateless in ML2/OVN deployments.
Stateless security groups are not supported in ML2/OVS deployments.
Security groups are stateful by default and in most cases stateful security groups provide better control with less administrative overhead.
A stateless security group can provide significant performance benefits, because it bypasses connection tracking in the underlying firewall. But stateless security groups require more security group rules than stateful security groups. Stateless security groups also offer less granularity in some cases.
- Stateless security group advantages
- Stateless security groups can be faster than stateful security groups
- Stateless security groups are the only viable security group option in applications that offload OpenFlow actions to hardware.
- Stateless security group disadvantages
- Stateless security group rules do not automatically allow returning traffic. For example, if you create a rule to allow outgoing TCP traffic from a port that is in a stateless security group, you must also create a rule that allows incoming replies. Stateful security groups automatically allow the incoming replies.
- Control over those incoming replies may not be as granular as the control provided by stateful security groups.
In general, use the default stateful security group type unless your application is highly sensitive to performance or uses hardware offloading of OpenFlow actions.
You cannot apply a role-based access control (RBAC)-shared security group directly to an instance during instance creation. To apply an RBAC-shared security group to an instance you must first create the port, apply the shared security group to that port, and then assign that port to the instance. See Adding a security group to a port.
19.1. Creating a security group
You can create a new security group to apply to instances and ports within a project.
Procedure
Optional: To ensure the security group you need does not already exist, review the available security groups and their rules:
$ openstack security group list $ openstack security group rule list <sec_group>
-
Replace
<sec_group>
with the name or ID of the security group that you retrieved from the list of available security groups.
-
Replace
. Create your security group:
$ openstack security group create [--stateless] mySecGroup
Optional: Include the
--stateless
option to create a stateless security group. Security groups are stateful by default.NoteOnly ML2/OVN deployments support stateless security groups.
Add rules to your security group:
$ openstack security group rule create --protocol <protocol> \ [--dst-port <port-range>] \ [--remote-ip <ip-address> | --remote-group <group>] \ [--ingress | --egress] mySecGroup
-
Replace
<protocol>
with the name of the protocol you want to allow to communicate with your instances. -
Optional: Replace
<port-range>
with the destination port or port range to open for the protocol. Required for IP protocols TCP, UDP, and SCTP. Set to-1
to allow all ports for the specified protocol. Separate port range values with a colon. -
Optional: You can allow access only from specified IP addresses by using
--remote-ip
to specify the remote IP address block, or--remote-group
to specify that the rule only applies to packets from interfaces that are a member of the remote group. If using--remote-ip
, replace<ip-address>
with the remote IP address block. You can use CIDR notation. If using--remote-group
, replace<group>
with the name or ID of the existing security group. If neither option is specified, then access is allowed to all addresses, as the remote IP access range defaults (IPv4 default:0.0.0.0/0
; IPv6 default:::/0
). Specify the direction of network traffic the protocol rule applies to, either incoming (
ingress
) or outgoing (egress
). If not specified, defaults toingress
.NoteIf you created a stateless security group, and you created a rule to allow outgoing TCP traffic from a port that is in the stateless security group, you must also create a rule that allows incoming replies.
-
Replace
Repeat step 3 until you have created rules for all the protocols that you want to allow to access your instances. The following example creates a rule to allow SSH connections to instances in the security group
mySecGroup
:$ openstack security group rule create --protocol tcp \ --dst-port 22 mySecGroup
19.2. Updating security group rules
You can update the rules of any security group that you have access to.
Procedure
Retrieve the name or ID of the security group that you want to update the rules for:
$ openstack security group list
- Determine the rules that you need to apply to the security group.
Add rules to your security group:
$ openstack security group rule create --protocol <protocol> \ [--dst-port <port-range>] \ [--remote-ip <ip-address> | --remote-group <group>] \ [--ingress | --egress] <group_name>
-
Replace
<protocol>
with the name of the protocol you want to allow to communicate with your instances. -
Optional: Replace
<port-range>
with the destination port or port range to open for the protocol. Required for IP protocols TCP, UDP, and SCTP. Set to-1
to allow all ports for the specified protocol.Separate port range values with a colon. -
Optional: You can allow access only from specified IP addresses by using
--remote-ip
to specify the remote IP address block, or--remote-group
to specify that the rule only applies to packets from interfaces that are a member of the remote group. If using--remote-ip
, replace<ip-address>
with the remote IP address block. You can use CIDR notation. If using--remote-group
, replace<group>
with the name or ID of the existing security group. If neither option is specified, then access is allowed to all addresses, as the remote IP access range defaults (IPv4 default:0.0.0.0/0
; IPv6 default:::/0
). -
Specify the direction of network traffic the protocol rule applies to, either incoming (
ingress
) or outgoing (egress
). If not specified, defaults toingress
. -
Replace
<group_name>
with the name or ID of the security group that you want to apply the rule to.
-
Replace
Repeat step 3 until you have created rules for all the protocols that you want to allow to access your instances. The following example creates a rule to allow SSH connections to instances in the security group
mySecGroup
:$ openstack security group rule create --protocol tcp \ --dst-port 22 mySecGroup
19.3. Deleting security group rules
You can delete rules from a security group.
Procedure
Identify the security group that the rules are applied to:
$ openstack security group list
Retrieve IDs of the rules associated with the security group:
$ openstack security group show <sec-group>
Delete the rule or rules:
$ openstack security group rule delete <rule> [<rule> ...]
Replace
<rule>
with the ID of the rule to delete. You can delete more than one rule at a time by specifying a space-delimited list of the IDs of the rules to delete.
19.4. Deleting a security group
You can delete security groups that are not associated with any ports.
Procedure
Retrieve the name or ID of the security group that you want to delete:
$ openstack security group list
Retrieve a list of the available ports:
$ openstack port list
Check each port for an associated security group:
$ openstack port show <port-uuid> -c security_group_ids
If the security group you want to delete is associated with any of the ports, then you must first remove the security group from the port. For more information, see Removing a security group from a port.
Delete the security group:
$ openstack security group delete <group> [<group> ...]
Replace
<group>
with the ID of the group that you want to delete. You can delete more than one group at a time by specifying a space-delimited list of the IDs of the groups to delete.