You can enforce NSX Data Center for vSphere security policies through Neutron security groups. This feature can also be used to insert third-party network services.
Provider and standard security groups can both consume NSX Data Center for vSphere security policies. Rule-based provider and standard security groups can also be used together with security policy-based security groups. However, a security group associated with a security policy cannot also contain rules.
Security policies take precedence over all security group rules. If more than one security policy is enforced on a port, the order in which the policies are enforced is determined by NSX Data Center for vSphere. You can change the order in the vSphere Client on the page under Networking and Security.
Create the desired security policies in NSX Data Center for vSphere. See Create a Security Policy in the NSX Administration Guide.
- Log in to the OpenStack Management Server as
- If your deployment is not using a custom.yml file, copy the template custom.yml file to the /opt/vmware/vio/custom directory.
sudo mkdir -p /opt/vmware/vio/custom
sudo cp /var/lib/vio/ansible/custom/custom.yml.sample /opt/vmware/vio/custom/custom.yml
- Open the /opt/vmware/vio/custom/custom.yml file in a text editor.
- Uncomment the nsxv_use_nsx_policies, nsxv_default_policy_id, and nsxv_allow_tenant_rules_with_policy parameters and configure them.
nsxv_default_policy_id: Enter the ID of the NSX Data Center for vSphere security policy that you want to associate with the default security group for new projects. If you do not want to use a security policy by default, leave this parameter commented out.
To find the ID of a security policy, select Service Composer. Open the Security Policies tab and click the Show Columns icon at the bottom left of the table. Select Object Id and click OK. The ID of each security policy is displayed in the table.
nsxv_allow_tenant_rules_with_policy: Enter true to allow tenants to create security groups and rules, or false to prevent tenants from creating security groups or rules.
- Deploy the updated configuration.
sudo viocli deployment configure
Deploying the configuration briefly interrupts OpenStack services.
- Log in to the controller node as
- Switch to the root user and load the cloud administrator credentials file.
sudo su -
source ~/cloudadmin.rc
- If you want to use additional security groups with security policies, you can perform the following steps:
To associate an NSX Data Center for vSphere security policy with a new security group, create the group and update it with the desired policy:
neutron security-group-create security-group-name --tenant-id tenant-uuid
neutron security-group-update --policy=policy-id security-group-uuid
To migrate an existing security group to a security policy-based group, run the following command:
sudo -u neutron nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-id --property security-group-id=security-group-uuid
Note: This command removes all rules from the specified security group. Ensure that the target policy is configured such that the network connection will not be interrupted.
- Configure Neutron to prioritize NSX Data Center for vSphere security policies over security groups.
sudo -u neutron nsxadmin --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/vmware/nsxv.ini -r firewall-sections -o nsx-reorder
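The migrate-to-policy step above discards every rule in the security group, so it is worth confirming beforehand that the target policy still allows the traffic those rules allowed. The following Python script is an added example, not part of this procedure or of the nsxadmin tool: it takes the (trimmed) JSON output of neutron security-group-rule-list for the group being migrated, compares it against a simplified, hand-exported list of the policy's firewall rules, and reports the rules that no allow rule in the policy covers. The sample rules and the shape of the policy-rule records (direction, protocol, ports, remote, action) are constructed for the example and do not reflect the real NSX API schema.

```python
"""Pre-migration check for `nsxadmin -o migrate-to-policy` (example, not VIO code).

Lists the Neutron security-group rules that the target NSX security policy
does NOT cover, so an operator can fix the policy before the migration
removes those rules.
"""
import ipaddress
import json

# Neutron leaves remote_ip_prefix empty when a rule applies to any address.
ANY_PREFIX = {"IPv4": "0.0.0.0/0", "IPv6": "::/0"}

# Constructed sample: trimmed output of
# `neutron security-group-rule-list -f json` for the group being migrated.
NEUTRON_RULES_JSON = json.dumps([
    {"id": "r1", "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "10.0.0.0/24"},
    {"id": "r2", "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"},
    {"id": "r3", "direction": "egress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None, "remote_ip_prefix": None},
])

# Constructed, simplified rendering of the target policy's firewall rules
# (hypothetical record shape; an operator would transcribe these from
# Service Composer). "remote" is the source for ingress, destination for egress.
POLICY_RULES = [
    {"direction": "ingress", "protocol": "tcp", "ports": (443, 443),
     "remote": "0.0.0.0/0", "action": "allow"},
    {"direction": "egress", "protocol": "any", "ports": (1, 65535),
     "remote": "0.0.0.0/0", "action": "allow"},
]


def load_neutron_rules(json_text):
    """Parse the JSON list produced by `neutron security-group-rule-list -f json`."""
    return json.loads(json_text)


def _neutron_ports(rule):
    """Neutron stores no range when a rule applies to every port."""
    if rule["port_range_min"] is None:
        return (1, 65535)
    return (rule["port_range_min"], rule["port_range_max"])


def rule_is_covered(neutron_rule, policy_rule):
    """True if the policy rule allows at least everything the Neutron rule allows."""
    if policy_rule["action"] != "allow":
        return False
    if policy_rule["direction"] != neutron_rule["direction"]:
        return False
    proto = neutron_rule["protocol"] or "any"
    if policy_rule["protocol"] not in ("any", proto):
        return False
    if proto in ("tcp", "udp"):
        lo, hi = _neutron_ports(neutron_rule)
        plo, phi = policy_rule["ports"]
        if lo < plo or hi > phi:
            return False
    elif proto == "any" and tuple(policy_rule["ports"]) != (1, 65535):
        # An "any protocol" Neutron rule needs an all-ports policy rule.
        return False
    remote = neutron_rule["remote_ip_prefix"] or ANY_PREFIX[neutron_rule["ethertype"]]
    remote_net = ipaddress.ip_network(remote, strict=False)
    policy_net = ipaddress.ip_network(policy_rule["remote"], strict=False)
    if remote_net.version != policy_net.version:
        return False
    # The Neutron rule's remote range must fit inside the policy's range.
    return remote_net.subnet_of(policy_net)


def uncovered_rules(neutron_rules, policy_rules):
    """IDs of Neutron rules that no allow rule in the policy covers."""
    return [r["id"] for r in neutron_rules
            if not any(rule_is_covered(r, p) for p in policy_rules)]


if __name__ == "__main__":
    lost = uncovered_rules(load_neutron_rules(NEUTRON_RULES_JSON), POLICY_RULES)
    if lost:
        print("Rules not covered by the target policy (fix the policy first):", lost)
    else:
        print("All security-group rules are covered by the target policy.")
```

With the constructed sample, the script reports r1 (SSH from 10.0.0.0/24) as uncovered, because the policy only allows TCP 443 inbound; the 443 rule and the unrestricted egress rule are covered. The comparison is deliberately conservative: a Neutron rule counts as covered only when a single policy allow rule contains its whole protocol, port range and address range.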