You can enforce NSX-V security policies through Neutron security groups. This feature can also be used to insert third-party network services.
Provider and standard security groups can both consume NSX-V security policies. Rule-based provider and standard security groups can also be used together with security policy-based security groups. However, a security group associated with a security policy cannot also contain rules.
Security policies take precedence over all security group rules. If more than one security policy is enforced on a port, the order in which the policies are enforced is determined by NSX-V. You can change the order in the vSphere Client on the page under Networking and Security.
Create the desired security policies in NSX-V.
- Log in to the OpenStack Management Server.
- If your deployment is not using a custom.yml file, copy the template custom.yml file to the /opt/vmware/vio/custom directory.
sudo mkdir -p /opt/vmware/vio/custom
sudo cp /var/lib/vio/ansible/custom/custom.yml.sample /opt/vmware/vio/custom/custom.yml
- Open the /opt/vmware/vio/custom/custom.yml file in a text editor.
- Uncomment the nsxv_use_nsx_policies, nsxv_default_policy_id, and nsxv_allow_tenant_rules_with_policy parameters and configure them.
  - nsxv_default_policy_id: Enter the ID of the NSX-V security policy that you want to associate with the default security group for new projects. If you do not want to use a security policy by default, you can leave this parameter commented out.
  - nsxv_allow_tenant_rules_with_policy: Enter true to allow tenants to create security groups and rules, or false to prevent tenants from creating security groups or rules.
- Deploy the updated configuration.
sudo viocli deployment configure
Deploying the configuration briefly interrupts OpenStack services.
- If you want to use additional security groups with security policies, you can perform the following steps:
To associate an NSX-V security policy with a new security group, create the group and run the following command:
neutron security-group-update --policy=policy-id security-group-id
To migrate an existing security group to a security policy-based group, log in to the active controller and run the following command:
sudo -u neutron nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-id --property security-group-id=security-group-id
Note: This command removes all rules from the specified security group. Ensure that the target policy is configured such that the network connection will not be interrupted.
- Log in to the active controller and grant NSX-V security policies higher priority than security groups.
sudo -u neutron nsxadmin --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/vmware/nsxv.ini -r firewall-sections -o nsx-reorder
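The procedure above, gathered into one shell helper as an added example; this is not code from the VMware Integrated OpenStack documentation or tooling. It edits the three custom.yml parameters idempotently (uncommenting them if needed), and wraps the migrate step so that the security group's current rules are recorded before nsxadmin deletes them. Assumptions, none of which the page states: custom.yml holds one `key: value` per line with unused parameters commented out as `# key: value`; nsxv_use_nsx_policies is the enable switch and is set to true; the CUSTOM_YML variable, the function names, and the IDs policy-1 and the sample security group ID are all placeholders.

```shell
#!/bin/sh
# Added example helper for NSX-V security policy enforcement via Neutron
# security groups. Not part of VIO; see the assumptions in the lead-in.

# Location of the VIO custom.yml (path from the procedure; the variable
# name is an assumption).
CUSTOM_YML="${CUSTOM_YML:-/opt/vmware/vio/custom/custom.yml}"

# set_custom_yml_param FILE KEY VALUE
# Uncomments KEY if it is present as "# KEY: ..." and sets it to VALUE;
# appends "KEY: VALUE" if KEY is absent. Idempotent: the file ends up with
# exactly one active line for KEY. Assumes the "key: value" layout.
set_custom_yml_param() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^#?[[:space:]]*${key}:" "$file"; then
        sed -E "s|^#?[[:space:]]*${key}:.*|${key}: ${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# get_custom_yml_param FILE KEY
# Prints the active (uncommented) value of KEY, or nothing if unset.
get_custom_yml_param() {
    sed -nE "s/^${2}:[[:space:]]*//p" "$1"
}

# configure_policies DEFAULT_POLICY_ID ALLOW_TENANT_RULES(true|false)
# Sets the three parameters from the procedure. Leaving tenants unable to
# add rules (false) keeps the NSX-V policy as the only source of filtering.
configure_policies() {
    set_custom_yml_param "$CUSTOM_YML" nsxv_use_nsx_policies true
    set_custom_yml_param "$CUSTOM_YML" nsxv_default_policy_id "$1"
    set_custom_yml_param "$CUSTOM_YML" nsxv_allow_tenant_rules_with_policy "$2"
}

# migrate_group POLICY_ID SECURITY_GROUP_ID
# Records the group's current rules to a timestamped file first, because the
# nsxadmin migrate command removes every rule from the group.
migrate_group() {
    policy="$1"; sg="$2"
    if [ -z "$policy" ] || [ -z "$sg" ]; then
        echo "usage: migrate_group POLICY_ID SECURITY_GROUP_ID" >&2
        return 1
    fi
    backup="sg-${sg}-rules-$(date +%Y%m%dT%H%M%S).txt"
    neutron security-group-show "$sg" > "$backup" || return 1
    echo "rules saved to $backup; migrating $sg to $policy"
    sudo -u neutron nsxadmin -r security-groups -o migrate-to-policy \
        --property policy-id="$policy" --property security-group-id="$sg"
}

# reorder_sections: give NSX-V security policies priority over security
# groups (final step of the procedure, run on the active controller).
reorder_sections() {
    sudo -u neutron nsxadmin --config-file /etc/neutron/neutron.conf \
        --config-file /etc/neutron/plugins/vmware/nsxv.ini \
        -r firewall-sections -o nsx-reorder
}

# Command-line entry point; nothing runs when the file is only sourced.
#   sh nsxv_policies.sh configure policy-1 false
#   sh nsxv_policies.sh migrate policy-1 <security-group-id>
#   sh nsxv_policies.sh reorder
case "${1:-}" in
    configure) configure_policies "$2" "${3:-false}" && sudo viocli deployment configure ;;
    migrate)   migrate_group "$2" "$3" ;;
    reorder)   reorder_sections ;;
esac
```

The configure path is kept separate from the migrate path on purpose: the deployment step interrupts OpenStack services briefly, while the migrate step is the one that silently drops rules, so each is invoked explicitly and the rule snapshot gives you something to compare against the target policy before traffic is affected.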