You can enforce NSX Data Center for vSphere security policies through Neutron security groups. This feature can also be used to insert third-party network services.

Provider and standard security groups can both consume NSX Data Center for vSphere security policies. Rule-based provider and standard security groups can also be used together with security policy-based security groups. However, a security group associated with a security policy cannot also contain rules.

Security policies take precedence over all security group rules. If more than one security policy is enforced on a port, the order in which the policies are enforced is determined by NSX Data Center for vSphere. You can change the order in the vSphere Client on the Security > Firewall page under Networking and Security.

Prerequisites

Create the desired security policies in NSX Data Center for vSphere. See Create a Security Policy in the NSX Administration Guide.

Procedure

  1. Log in to the Integrated OpenStack Manager as the root user.
    ssh root@mgmt-server-ip
  2. Modify the Neutron configuration.
    viocli update neutron
  3. In the nsxv section, add the use_nsx_policies, default_policy_id, and allow_tenant_rules_with_policy parameters and configure them.
    Option: use_nsx_policies
    Description: Enter true.

    Option: default_policy_id
    Description: Enter the ID of the NSX Data Center for vSphere security policy that you want to associate with the default security group for new projects. If you do not want to use a security policy by default, you can leave this parameter commented out.

    To find the ID of a security policy, log in to the vSphere Client and select Menu > Networking & Security. Click Service Composer and open the Security Policies tab. Click the Show Columns icon at the bottom left of the table. Select Object Id and click OK. The ID of each security policy is displayed in the table.

    Option: allow_tenant_rules_with_policy
    Description: Enter true to allow tenants to create security groups and rules, or false to prevent tenants from creating security groups or rules.

    The configuration file now looks similar to the following:

    conf:
      [...]
      plugins:
        nsx:
          [...]
          nsxv:
            use_nsx_policies: true
            default_policy_id: policy-5
            allow_tenant_rules_with_policy: true
    
  4. If you want to use additional security groups with security policies, you can perform the following steps:
    • To associate an NSX Data Center for vSphere security policy with a new security group, specify the desired policy when creating the group:
      toolbox
      export OS_PASSWORD=admin-account-password
      neutron security-group-create security-group-name --tenant-id tenant-uuid --policy=policy-id
    • To migrate an existing security group to a security policy-based group, run the following command from the Neutron server:
      kubectl -n openstack exec -it neutron-server-pod-name -- /bin/bash
      nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-id --property security-group-id=security-group-uuid
      Note: This command removes all rules from the specified security group. Ensure that the target policy is configured such that the network connection will not be interrupted.
  5. Configure Neutron to prioritize NSX Data Center for vSphere security policies over security groups.
    kubectl -n openstack exec -it neutron-server-pod-name -- /bin/bash
    sudo -u neutron nsxadmin --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/vmware/nsx.ini -r firewall-sections -o nsx-reorder
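Before running step 4's migrate-to-policy command, an operator will want to know which rules it will delete and whether the step 3 settings are well formed. The following audit script is an added example, not VMware's or OpenStack's code; the nsxv settings, the security groups and their UUIDs are constructed samples, and the "policy-N" id pattern is taken from the page's own policy-5 example.

```python
"""Pre-migration audit for NSX-v security policies in Neutron (added example,
not VMware's or OpenStack's own code). The nsxv settings and the security
groups below are constructed samples, not output of viocli or neutron."""
import re

# Constructed sample of the nsxv section written in step 3.
NSXV_CONF = {
    "use_nsx_policies": True,
    "default_policy_id": "policy-5",
    "allow_tenant_rules_with_policy": True,
}

# Constructed sample of existing rule-based security groups (fake UUIDs).
SECURITY_GROUPS = [
    {"id": "11111111-1111-1111-1111-111111111111", "name": "web", "rules": [
        {"direction": "ingress", "protocol": "tcp", "port_range_min": 443,
         "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"},
        {"direction": "ingress", "protocol": "tcp", "port_range_min": 22,
         "port_range_max": 22, "remote_ip_prefix": "10.0.0.0/8"},
    ]},
    {"id": "22222222-2222-2222-2222-222222222222", "name": "empty", "rules": []},
]

# Object ids shown in the vSphere Client look like "policy-5" (the page's example);
# the pattern is an assumption drawn from that example.
POLICY_ID_RE = re.compile(r"^policy-\d+$")


def check_nsxv_conf(conf):
    """Return problems with the three nsxv parameters from step 3 ([] if none)."""
    problems = []
    if conf.get("use_nsx_policies") is not True:
        problems.append("use_nsx_policies must be true")
    pid = conf.get("default_policy_id")  # may be absent (left commented out)
    if pid is not None and not POLICY_ID_RE.match(str(pid)):
        problems.append(f"default_policy_id {pid!r} is not an NSX object id like policy-5")
    if not isinstance(conf.get("allow_tenant_rules_with_policy"), bool):
        problems.append("allow_tenant_rules_with_policy must be true or false")
    return problems


def migration_plan(groups):
    """Map each group id to the rules migrate-to-policy would delete, so they can
    be compared against the target policy before connectivity is interrupted."""
    plan = {}
    for g in groups:
        plan[g["id"]] = [
            f"{r['direction']} {r['protocol']} {r['port_range_min']}-{r['port_range_max']} "
            f"from {r['remote_ip_prefix']}" for r in g["rules"]]
    return plan
```

A group whose plan entry is empty loses nothing on migration; every other entry lists the rules the target NSX policy must already cover.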