By default, the Avi Load Balancer Controller creates and manages a single security group (SG) for an SE. The SG manages the ingress-egress rules for the management and data-plane traffic of the SE. In certain customer environments, it might be required to provide custom SGs that are also associated with the management or data-plane vNICs of the SEs. This section shows how to use the Avi Load Balancer SE group’s custom_securitygroups_mgmt
and custom_securitygroups_data configuration flags
to achieve the extra flexibility in OpenStack, through the Avi Load Balancer UI and CLI.
OpenStack Cloud without any Security Group Configuration
[root@sivacos ~(keystone_admin)]# nova show a2354abc-0455-440b-ac0b-0b0e50bc66d2 +-----------------------+------------------------------------------------------------------------------------------------------------+ | Property | Value | +-----------------------+------------------------------------------------------------------------------------------------------------+ ... | avimgmt network | 172.24.16.4 | | description | Avi-se-pyhlh | | id | a2354abc-0455-440b-ac0b-0b0e50bc66d2 | | image | Avi-SE-17.1.4-9000-cloud-15190a62-e284-4033-8800-70c27c452bad-cluster-143b2840-19b6-409d-918d-d92edc98b2e1 | | metadata | {"AVICNTRL": "10.10.22.44", ..."AVISG_UUID": "bccf43ca-e98d-483b-9bff-43ab5e8970f3", ...} | | name | Avi-se-pyhlh | | private network | 10.0.0.10 | | security_groups | avi-se-a2354abc-0455-440b-ac0b-0b0e50bc66d2 | | status | ACTIVE | | tenant_id | a6d878c0f7db40bf91ed1226e720460a | | xfrontend network | 192.168.10.13 | +-----------------------+------------------------------------------------------------------------------------------------------------+ [root@sivacos ~(keystone_admin)]# neutron port-show 9427350d-31d9-42d2-a2e5-53bef1e52475 +-----------------------+--------------------------------------------------------------------------------------------------+ | Field | Value | +-----------------------+--------------------------------------------------------------------------------------------------+ | device_id | a2354abc-0455-440b-ac0b-0b0e50bc66d2 | | device_owner | compute:None | | fixed_ips | {"subnet_id": "a178c1f1-5cce-4f0a-ac1a-8277e26b085e", "ip_address": "172.24.16.4"} | | id | 9427350d-31d9-42d2-a2e5-53bef1e52475 | | mac_address | fa:16:3e:1d:ba:21 | | name | Avi-Mgmt:cluster-143b2840-19b6-409d-918d-d92edc98b2e1:cloud-15190a62-e284-4033-8800-70c27c452bad | | network_id | 27bd1f64-5a50-4189-98db-3265809ac71a | | security_groups | bccf43ca-e98d-483b-9bff-43ab5e8970f3 | | status | ACTIVE | | tenant_id | a6d878c0f7db40bf91ed1226e720460a | ... +-----------------------+--------------------------------------------------------------------------------------------------+ [root@sivacos ~(keystone_admin)]# neutron port-show 747d4110-c4d2-443e-8ee0-373702b4f4ec +-----------------------+--------------------------------------------------------------------------------------------------+ | Field | Value | +-----------------------+--------------------------------------------------------------------------------------------------+ | device_id | a2354abc-0455-440b-ac0b-0b0e50bc66d2 | | device_owner | compute:None | | fixed_ips | {"subnet_id": "4e010951-eb90-43af-9bad-e578f1ac2f77", "ip_address": "10.0.0.10"} | | id | 747d4110-c4d2-443e-8ee0-373702b4f4ec | | mac_address | fa:16:3e:fa:bd:ec | | name | Avi-Data:cluster-143b2840-19b6-409d-918d-d92edc98b2e1:cloud-15190a62-e284-4033-8800-70c27c452bad | | network_id | a6669299-dccb-40a9-a0d2-4608aaea79c0 | | security_groups | bccf43ca-e98d-483b-9bff-43ab5e8970f3 | | status | ACTIVE | | tenant_id | a6d878c0f7db40bf91ed1226e720460a | ... +-----------------------+--------------------------------------------------------------------------------------------------+ [root@sivacos ~(keystone_admin)]# neutron port-show 16414cce-7eaf-4d58-bdb5-fa8169a4a8e2 +-----------------------+--------------------------------------------------------------------------------------------------+ | Field | Value | +-----------------------+--------------------------------------------------------------------------------------------------+ | device_id | a2354abc-0455-440b-ac0b-0b0e50bc66d2 | | device_owner | compute:None | | fixed_ips | {"subnet_id": "5b0d022b-33a2-42d9-873b-814ac2726e13", "ip_address": "192.168.10.13"} | | id | 16414cce-7eaf-4d58-bdb5-fa8169a4a8e2 | | mac_address | fa:16:3e:91:a3:24 | | name | Avi-Data:cluster-143b2840-19b6-409d-918d-d92edc98b2e1:cloud-15190a62-e284-4033-8800-70c27c452bad | | network_id | d36521da-8810-457e-95e5-a350143e61a4 | | security_groups | bccf43ca-e98d-483b-9bff-43ab5e8970f3 | | status | ACTIVE | | tenant_id | a6d878c0f7db40bf91ed1226e720460a | ... +-----------------------+--------------------------------------------------------------------------------------------------+
OpenStack Cloud Custom Security Group Configuration through the Controller CLI
[admin:10-10-22-44]: > configure serviceenginegroup Default-Group [admin:10-10-22-44]: serviceenginegroup> custom_securitygroups_mgmt 30fe49a4-ee31-43a9-9235-e23d59e392b3 [admin:10-10-22-44]: serviceenginegroup> custom_securitygroups_data 2aba00a7-8b20-45d4-88f3-64b901b9e363 [admin:10-10-22-44]: serviceenginegroup> custom_securitygroups_data adcf99de-46d0-44e2-8f3b-037804f725f0 [admin:10-10-22-44]: serviceenginegroup> save +---------------------------------------+---------------------------------------------------------+ | Field | Value | +---------------------------------------+---------------------------------------------------------+ ... | custom_securitygroups_mgmt[1] | 30fe49a4-ee31-43a9-9235-e23d59e392b3 | | custom_securitygroups_data[1] | 2aba00a7-8b20-45d4-88f3-64b901b9e363 | | custom_securitygroups_data[2] | adcf99de-46d0-44e2-8f3b-037804f725f0
OpenStack Cloud Custom Security Group Configuration through the Controller UI
Navigate to
and invoke the SE group editor. Select the appropriate named custom security groups for the management vNIC and the data vNIC.Resulting Custom Security Group Configuration as viewed from the OpenStack UI
Resulting Custom Security Group Configuration as viewed from the OpenStack CLI
[root@sivacos ~(keystone_admin)]# nova show 6f6abba9-c4e5-4c26-a3aa-f87b02d62419 +-----------------------+------------------------------------------------------------------------------------------------------------+ | Property | Value | +-----------------------+------------------------------------------------------------------------------------------------------------+ ... | avimgmt network | 172.24.16.9 | | description | Avi-se-yynxn | | id | 6f6abba9-c4e5-4c26-a3aa-f87b02d62419 | | image | Avi-SE-17.1.4-9000-cloud-15190a62-e284-4033-8800-70c27c452bad-cluster-143b2840-19b6-409d-918d-d92edc98b2e1 | | metadata | {"AVICNTRL": "10.10.22.44", "AVISG_UUID": "3d13ee89-5069-4dd2-a505-b6d7032bea9e", ..} | | name | Avi-se-yynxn | | private network | 10.0.0.6 | | security_groups | ExtraDataSG, ExtraMgmtSG, ExtraMiscSG, avi-se-6f6abba9-c4e5-4c26-a3aa-f87b02d62419 | | status | ACTIVE | | tenant_id | a6d878c0f7db40bf91ed1226e720460a | | xfrontend network | 192.168.10.6 | +-----------------------+------------------------------------------------------------------------------------------------------------+ [root@sivacos ~(keystone_admin)]# neutron port-show 51783401-f174-4240-93df-028564aeb54b +-----------------------+--------------------------------------------------------------------------------------------------+ | Field | Value | +-----------------------+--------------------------------------------------------------------------------------------------+ | device_id | 6f6abba9-c4e5-4c26-a3aa-f87b02d62419 | | device_owner | compute:None | | fixed_ips | {"subnet_id": "5b0d022b-33a2-42d9-873b-814ac2726e13", "ip_address": "192.168.10.6"} | | id | 51783401-f174-4240-93df-028564aeb54b | | mac_address | fa:16:3e:50:7a:73 | | name | Avi-Data:cluster-143b2840-19b6-409d-918d-d92edc98b2e1:cloud-15190a62-e284-4033-8800-70c27c452bad | | network_id | d36521da-8810-457e-95e5-a350143e61a4 | | security_groups | 2aba00a7-8b20-45d4-88f3-64b901b9e363 | | | 3d13ee89-5069-4dd2-a505-b6d7032bea9e | | | adcf99de-46d0-44e2-8f3b-037804f725f0 | | status | ACTIVE | | tenant_id | a6d878c0f7db40bf91ed1226e720460a | ... +-----------------------+--------------------------------------------------------------------------------------------------+ [root@sivacos ~(keystone_admin)]# neutron port-show 69bb1115-7e1d-474d-97b7-178d25a2dbe6 +-----------------------+--------------------------------------------------------------------------------------------------+ | Field | Value | +-----------------------+--------------------------------------------------------------------------------------------------+ | device_id | 6f6abba9-c4e5-4c26-a3aa-f87b02d62419 | | device_owner | compute:None | | fixed_ips | {"subnet_id": "4e010951-eb90-43af-9bad-e578f1ac2f77", "ip_address": "10.0.0.6"} | | id | 69bb1115-7e1d-474d-97b7-178d25a2dbe6 | | mac_address | fa:16:3e:91:92:38 | | name | Avi-Data:cluster-143b2840-19b6-409d-918d-d92edc98b2e1:cloud-15190a62-e284-4033-8800-70c27c452bad | | network_id | a6669299-dccb-40a9-a0d2-4608aaea79c0 | | security_groups | 2aba00a7-8b20-45d4-88f3-64b901b9e363 | | | 3d13ee89-5069-4dd2-a505-b6d7032bea9e | | | adcf99de-46d0-44e2-8f3b-037804f725f0 | | status | ACTIVE | | tenant_id | a6d878c0f7db40bf91ed1226e720460a | ... +-----------------------+--------------------------------------------------------------------------------------------------+ [root@sivacos ~(keystone_admin)]# neutron port-show ca8c572e-f430-4176-87e0-780c81e82b91 +-----------------------+--------------------------------------------------------------------------------------------------+ | Field | Value | +-----------------------+--------------------------------------------------------------------------------------------------+ | device_id | 6f6abba9-c4e5-4c26-a3aa-f87b02d62419 | | device_owner | compute:None | | fixed_ips | {"subnet_id": "a178c1f1-5cce-4f0a-ac1a-8277e26b085e", "ip_address": "172.24.16.9"} | | id | ca8c572e-f430-4176-87e0-780c81e82b91 | | mac_address | fa:16:3e:c2:42:d1 | | name | Avi-Mgmt:cluster-143b2840-19b6-409d-918d-d92edc98b2e1:cloud-15190a62-e284-4033-8800-70c27c452bad | | network_id | 27bd1f64-5a50-4189-98db-3265809ac71a | | security_groups | 30fe49a4-ee31-43a9-9235-e23d59e392b3 | | | 3d13ee89-5069-4dd2-a505-b6d7032bea9e | | status | ACTIVE | | tenant_id | a6d878c0f7db40bf91ed1226e720460a | ... +-----------------------+--------------------------------------------------------------------------------------------------+
Custom Security Group Configuration through the Avi Load Balancer CLI
[admin:10-10-22-44]: > configure serviceenginegroup Default-Group [admin:10-10-22-44]: serviceenginegroup> custom_securitygroups_mgmt sg-5c902726 [admin:10-10-22-44]: serviceenginegroup> custom_securitygroups_data sg-4b9d2a31 [admin:10-10-22-44]: serviceenginegroup> custom_securitygroups_data sg-b99c2bc3 [admin:10-10-22-44]: serviceenginegroup> save +---------------------------------------+---------------------------------------------------------+ | Field | Value | +---------------------------------------+---------------------------------------------------------+ ... | custom_securitygroups_mgmt[1] | sg-5c902726 | | custom_securitygroups_data[1] | sg-4b9d2a31 | | custom_securitygroups_data[2] | sg-b99c2bc3
Open Virtual Network
With OVN plug-in in OpenStack, DHCP requests are filtered (not allowed) by default. The security group rule must open up UDP port 67 in egress direction for the virtual machine to get IP address from DHCP server.
By default, the Avi Load Balancer SEs have allow-all egress rules programmed and no change is required. If you want to use custom security groups, you need to open UDP port 67 on the security group for SE management and data vNIC.