You can create a provider security group to block specific traffic for a project.
Standard security groups are created and managed by tenants, whereas provider security groups are created and managed by the cloud administrator. Provider security groups take precedence over standard security groups and are enforced on all virtual machines in a project.
For instructions about standard security groups, see Working with Security Groups.
Procedure
1. Log in to the OpenStack Management Server.
2. Create a provider security group for a specific project.
   neutron security-group-create group-name --provider=True --tenant-id=project-id
3. Create rules for the provider security group.
   Note: Provider security group rules block the specified traffic, whereas standard security group rules allow the specified traffic.
   neutron security-group-rule-create group-name --tenant-id=project-id [--description rule-description] [--direction {ingress | egress}] [--ethertype {IPv4 | IPv6}] [--protocol protocol] [--port-range-min range-start --port-range-max range-end] [--remote-ip-prefix ip/prefix | --remote-group-id remote-security-group]
Option | Description
--- | ---
group-name | Enter the provider security group created in Step 2.
--tenant-id | Enter the ID of the desired project.
--description | Enter a custom description of the rule.
--direction | Specify ingress to block incoming traffic or egress to block outgoing traffic. If you do not include this parameter, ingress is used by default.
--ethertype | Specify IPv4 or IPv6. If you do not include this parameter, IPv4 is used by default.
--protocol | Specify the protocol to block. Enter an integer representation ranging from 0 to 255 or one of the following values: To block all protocols, do not include this parameter.
--port-range-min | Enter the first port to block. To block all ports, do not include this parameter. To block a single port, enter the same value for the --port-range-min and --port-range-max parameters.
--port-range-max | Enter the last port to block. To block all ports, do not include this parameter. To block a single port, enter the same value for the --port-range-min and --port-range-max parameters.
--remote-ip-prefix | Enter the source network of traffic to block (for example, 10.10.0.0/24). This parameter cannot be used together with the --remote-group-id parameter.
--remote-group-id | Enter the name or ID of the source security group of traffic to block. This parameter cannot be used together with the --remote-ip-prefix parameter.
Results
The provider security group rules are enforced on all newly created ports on virtual machines in the specified project and cannot be overridden by tenant-defined security groups.
What to do next
You can enforce one or more provider security groups on existing ports by running the following command:
neutron port-update port-id --provider-security-groups list=true group-id1...