You can create a provider security group to block specific traffic for a project.

Standard security groups are created and managed by tenants, whereas provider security groups are created and managed by the cloud administrator. Provider security groups take precedence over standard security groups and are enforced on all virtual machines in a project.

For instructions about standard security groups, see Working with Security Groups.

Procedure

  1. Log in to the OpenStack Management Server.
  2. Create a provider security group for a specific project.
    neutron security-group-create group-name --provider=True --tenant-id=project-id
  3. Create rules for the provider security group.
    Note:

    Provider security group rules block the specified traffic, whereas standard security rules allow the specified traffic.

    neutron security-group-rule-create group-name --tenant-id=project-id [--description rule-description] [--direction {ingress | egress}] [--ethertype {IPv4 | IPv6}] [--protocol protocol] [--port-range-min range-start --port-range-max range-end] [--remote-ip-prefix ip/prefix | --remote-group-id remote-security-group]

    Option

    Description

    group-name

    Enter the provider security group created in Step 2.

    --tenant-id

    Enter the ID of the desired project.

    --description

    Enter a custom description of the rule.

    --direction

    Specify ingress to block incoming traffic or egress to block outgoing traffic.

    If you do not include this parameter, ingress is used by default.

    --ethertype

    Specify IPv4 or IPv6.

    If you do not include this parameter, IPv4 is used by default.

    --protocol

    Specify the protocol to block. Enter an integer representation ranging from 0 to 255 or one of the following values:

    • icmp

    • icmpv6

    • tcp

    • udp

    To block all protocols, do not include this parameter.

    --port-range-min

    Enter the first port to block.

    To block all ports, do not include this parameter. To block a single port, enter the same value for the --port-range-min and --port-range-max parameters.

    --port-range-max

    Enter the last port to block.

    To block all ports, do not include this parameter. To block a single port, enter the same value for the --port-range-min and --port-range-max parameters.

    --remote-ip-prefix

    Enter the source network of traffic to block (for example, 10.10.0.0/24).

    This parameter cannot be used together with the --remote-group-id parameter.

    --remote-group-id

    Enter the name or ID of the source security group of traffic to block.

    This parameter cannot be used together with the --remote-ip-prefix parameter.

Results

The provider security group rules are enforced on all newly created ports on virtual machines in the specified project and cannot be overridden by tenant-defined security groups.

What to do next

You can enforce one or more provider security groups on existing ports by running the following command:

neutron port-update port-id --provider-security-groups list=true group-id1...