You can enforce NSX-V security policies through Neutron security groups. This feature can also be used to insert third-party network services.

Provider and standard security groups can both consume NSX-V security policies. Rule-based provider and standard security groups can also be used together with security policy-based security groups. However, a security group associated with a security policy cannot also contain rules.

Security policies take precedence over all security group rules. If more than one security policy is enforced on a port, the order in which the policies are enforced is determined by NSX-V. You can change the order in the vSphere Client on the Security > Firewall page under Networking and Security.

Prerequisites

Create the desired security policies in NSX-V.

Procedure

  1. Log in to the OpenStack Management Server.
  2. If your deployment is not using a custom.yml file, copy the template custom.yml file to the /opt/vmware/vio/custom directory.
    sudo mkdir -p /opt/vmware/vio/custom
    sudo cp /var/lib/vio/ansible/custom/custom.yml.sample /opt/vmware/vio/custom/custom.yml
  3. Open the /opt/vmware/vio/custom/custom.yml file in a text editor.
  4. Uncomment the nsxv_use_nsx_policies, nsxv_default_policy_id, and nsxv_allow_tenant_rules_with_policy parameters and configure them.

    Option                                Description
    nsxv_use_nsx_policies                 Enter true.
    nsxv_default_policy_id                Enter the ID of the NSX-V security policy that you want to
                                          associate with the default security group for new projects.
                                          If you do not want to use a security policy by default, you
                                          can leave this parameter commented out.
    nsxv_allow_tenant_rules_with_policy   Enter true to allow tenants to create security groups and
                                          rules, or false to prevent tenants from creating security
                                          groups or rules.

  5. Deploy the updated configuration.
    sudo viocli deployment configure

    Deploying the configuration briefly interrupts OpenStack services.

  6. If you want to use additional security groups with security policies, you can perform the following steps:
    • To associate an NSX-V security policy with a new security group, create the group and run the following command:

      neutron security-group-update --policy=policy-id security-group-id
    • To migrate an existing security group to a security policy-based group, log in to the active controller and run the following command:

      sudo -u neutron nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-id --property security-group-id=security-group-id
      Note: This command removes all rules from the specified security group. Ensure that the target policy is configured such that the network connection will not be interrupted.

  7. Log in to the active controller and grant NSX-V security policies higher priority than security groups.
    sudo -u neutron nsxadmin --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/vmware/nsxv.ini -r firewall-sections -o nsx-reorder
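Because step 5 interrupts OpenStack services, it is worth checking the three nsxv_* parameters from step 4 before running viocli deployment configure. The following POSIX shell script is an added example, not part of this documentation or of VIO's own tooling. It reads simple top-level "key: value" lines from a custom.yml (commented-out lines are ignored, as they are in the template), verifies that nsxv_use_nsx_policies is true and that nsxv_allow_tenant_rules_with_policy is a boolean, and, when a default policy is set, checks that it looks like an NSX-V policy ID. The assumption that NSX-V policy IDs take the form policy-<number> is mine, not stated on this page; the sample files are constructed.

```sh
#!/bin/sh
# Added example: pre-flight check of the nsxv_* parameters in custom.yml
# before "sudo viocli deployment configure". Not VIO's own code.

# Print the value of a top-level "key: value" line, stripping quotes.
# Commented-out lines (starting with #) are deliberately not matched.
yaml_value() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"' | tr -d "'"
}

# Return 0 when the three parameters are consistent, 1 otherwise.
# Each finding is printed so the operator can fix custom.yml first.
check_policy_settings() {
    f="$1"
    use=$(yaml_value "$f" nsxv_use_nsx_policies)
    policy=$(yaml_value "$f" nsxv_default_policy_id)
    tenant=$(yaml_value "$f" nsxv_allow_tenant_rules_with_policy)
    rc=0

    case "$use" in
        true|True) ;;
        *) echo "nsxv_use_nsx_policies must be true (got '${use:-unset}')"; rc=1 ;;
    esac

    case "$tenant" in
        true|True|false|False) ;;
        *) echo "nsxv_allow_tenant_rules_with_policy must be true or false (got '${tenant:-unset}')"; rc=1 ;;
    esac

    if [ -n "$policy" ]; then
        # Assumption (not from the documentation): NSX-V security policy IDs
        # look like "policy-<number>"; anything else is most likely a typo.
        case "$policy" in
            policy-[0-9]*) ;;
            *) echo "nsxv_default_policy_id '$policy' does not look like an NSX-V policy ID"; rc=1 ;;
        esac
    else
        echo "note: nsxv_default_policy_id is not set; new projects' default security group gets no policy"
    fi
    return $rc
}

# Constructed sample files standing in for /opt/vmware/vio/custom/custom.yml.
good=$(mktemp)
cat > "$good" <<'EOF'
# constructed sample: all three parameters uncommented and consistent
nsxv_use_nsx_policies: true
nsxv_default_policy_id: policy-12
nsxv_allow_tenant_rules_with_policy: false
EOF

bad=$(mktemp)
cat > "$bad" <<'EOF'
# constructed sample: first parameter still commented out, other two malformed
# nsxv_use_nsx_policies: true
nsxv_default_policy_id: "12"
nsxv_allow_tenant_rules_with_policy: maybe
EOF

check_policy_settings "$good" && echo "sample 1: OK to deploy"
check_policy_settings "$bad" || echo "sample 2: fix custom.yml before deploying"
rm -f "$good" "$bad"
```

Run it on the real file by calling check_policy_settings /opt/vmware/vio/custom/custom.yml from a shell on the management server and deploy only when it returns 0; the parser is intentionally minimal and only handles the flat "key: value" lines that the template uses for these parameters.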