This feature enables the consumption of VMware NSX for vSphere policy from the OpenStack Cloud Management Platform through OpenStack security groups. NSX administrator can define security policies that the OpenStack cloud administrator shares with cloud users. Cloud user can also define their own security groups with rules if the cloud administrator enables regular security groups. This feature can also be used by cloud administrators to insert third-party network services.

Starting with VMware Integrated OpenStack 3.1, Neutron security groups enable administrators to use two new functionalities.

Provider security groups

Also known as administrator rules, when configured those security groups are mandatory and apply to all VMs of a given tenant. A provider security group can either be associated with a policy or exist without a policy.

NSX Service Composer - Security Policy security groups

For more information, see the Service Composer chapter in the VMware NSX for vSphere Administration Guide.

Each VMware NSX for vSphere policy can be defined by the OpenStack Cloud Administrator as a default policy by setting the nsxv_default_policy_id option in the custom.yml file. All new tenants have this policy as their default. More policies can be defined and assigned as mandatory or optional for a given tenant by being associated with either the provider or optional security groups respectively. Tenant users can also create security groups with rules but they cannot override security groups set by the cloud administrator.

After VMware NSX for vSphere policies are enabled, different scenarios can be configured by cloud administrators.

  1. Cloud administrator can forbid the creation of regular security groups with different options.

    • If only a default security group exists, this default security group is associated with the default policy. Tenant VMs are enforced with the rules defined in the default policy.

    • If the cloud administrator creates a security group with a different policy, tenant VMs can be associated with this security group instead of the default security group and only the rules defined in the current policy are effective.

    • If provider security groups exist, in addition to the policy rules, tenant VMs are also be enforced with the rules defined in the provider security groups.

  2. Cloud administrator can allow the creation of regular security groups with different options.

    • VMs launched with user-defined regular security groups are only enforced with the rules defined in these security groups.

    • If a provider security group exists, in addition to the rules in the regular security group, tenant VMs are also enforced with the rules defined in the provider security groups. In this case, provider security group rules take precedence over regular security group rules. Similarly, if you use policy-based security groups with regular security groups, policy-based rules take precedence.

    • You can have security groups either with a policy or rules, but not with both.

Manage NSX Service Composer - Security Policy Security Groups Through CLI Commands

Cloud administrators can also change the association of security group policy by using CLI commands through the Integrated OpenStack Manager.


Command Example

Change the associated policy for a security group.

neutron security-group-update --policy=<NSX_Policy_ID> <SECURITY_GROUP_ID>

Migrate existing security groups to policy-based security groups by using the nsxadmin utility.


This action deletes existing rules defined by the user. Make sure that you have the appropriate rules in the policy to avoid network disruption.

nsxadmin -r security-groups -o migrate-to-policy --property policy-id=<NSX_Policy_ID> --property security-group-id=<SECURITY_GROUP_ID>

Enforce provider security groups on existing VM ports

neutron port-update <PORT_ID> --provider-security-groups list=true <SECURITY_GROUP_ID1> <SECURITY_GROUP_ID2>

Ensure that a new policy, created on the NSX side is placed before all the OpenStack security groups section by using the nsxadmin utility.


When more than one policy-based security groups are enforced on a VM/port, the order in which the policy rules are enforced is controlled by the NSX admin through the firewall section.

sudo -u neutron nsxadmin --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/vmware/nsxv.ini -r firewall-sections -o nsx-reorder