[openstack-dev] [Neutron] Security Group API differences between Neutron and Amazon AWS

Sean M. Collins sean at coreitpro.com
Tue Jun 30 12:00:49 UTC 2015

Good morning,

In last week's meeting I had an action item[0] to take a look at the Amazon
EC2/VPC API and determine what differences there are between Neutron's
and theirs.

In some spec reviews, I have been commenting about trying to keep the
Neutron security group API from "drifting" too far from the Amazon EC2
API, since the concept of the "security group" came from Amazon and I
believe that we should not be bolting on more functionality to an Amazon
concept. Rather, I would like to see Neutron create new APIs to further
differentiate OpenStack from Amazon AWS, since that gives us elbow room
to innovate without having to worry about compatibility, and possibly
gives us cover on the legal front since there are a lot of court cases
flying around about patents on APIs[1].

In many instances, I believe that much of the new functionality that
people are seeking to create should be put into the
Firewall-As-A-Service API, but that's a discussion for another e-mail.

Anyway, over a cup of coffee today I went and did some reading about the
differences between the Neutron security group API and Amazon's. Here
are my preliminary findings.

Amazon's Security Group API comes in two types:

* EC2-Classic


Security groups in the VPC API are documented at:


There is a useful section on the differences between the EC2-Classic and

A more in depth documentation for the AWS Security Group API is located

Data Types:

API methods:


I used the following for the Security Group API on the Neutron side:


Overall, the attributes are *named differently* but contain similar
concepts. Both Security Group APIs contain:

* IP Prefix/CIDR

* From port

* To port 

* Protocol

One difference is that the AWS API distinguishes between
Ingress and Egress at the API endpoint, rather than being an attribute.

Another difference is that the Neutron Security Group API does have an
interesting attribute named remote_group_id that doesn't have any real
documentation, but I am making a guess that it possibly matches up to
the UserIdGroupPair type in AWS. Perhaps someone could shed some
light on that, and then document it (not sure where yet).

The AWS API and Neutron also share an attribute that can list an IP
prefix to match - remote_prefix_id in Neutron, and PrefixListIds in EC2.
However it appears that the PrefixListIds type can contain multiple

Neutron has an ethertype for selecting IPv4 or IPv6, while Amazon does
not, since Amazon does not have IPv6 in EC2 (they do have IPv6 in the
elastic loadbalancer product[2]).

These are at least my preliminary findings. Do feel free to double check
my work and see if there is anything that I have overlooked or made a
mistake on.

[0]: http://eavesdrop.openstack.org/meetings/networking/2015/networking.2015-06-22-21.00.html
[1]: https://en.wikipedia.org/wiki/Oracle_America,_Inc._v._Google,_Inc.
[2]: https://aws.amazon.com/about-aws/whats-new/2011/05/24/elb-ipv6-zoneapex-securitygroups/

Sean M. Collins
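The attribute mapping sketched in the post, worked through in code as an added example (not the post's own code, nor Neutron's or AWS's): each Neutron rule becomes one EC2 IpPermission, rules are bucketed by direction because EC2 splits ingress and egress into separate API methods, remote_group_id is paired with UserIdGroupPair, and an IPv6 ethertype is refused since EC2-Classic has none. Field names are the two public APIs' own; the function names and the sample rules are constructed for this example.

```python
# Added example (not from the post, Neutron or AWS): map Neutron security
# group rules onto EC2 IpPermission dicts. Field names are the two public
# APIs' own; function names and SAMPLE_RULES are constructed.

def neutron_rule_to_ip_permission(rule):
    """Translate one Neutron rule dict into one EC2 IpPermission dict."""
    if rule.get("ethertype", "IPv4") != "IPv4":
        # Neutron picks IPv4/IPv6 per rule; EC2-Classic has no IPv6, so
        # fail loudly instead of silently dropping the rule.
        raise ValueError("no EC2 equivalent for ethertype %s" % rule["ethertype"])
    proto = rule.get("protocol")
    # Neutron protocol None is "any"; EC2 spells it "-1" and takes no ports.
    perm = {"IpProtocol": "-1" if proto is None else proto}
    if proto is not None:
        # Both carry a from/to pair, but "unset" differs: None in Neutron,
        # -1 for ICMP type/code and 0-65535 for TCP/UDP in EC2.
        lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
        any_lo, any_hi = (-1, -1) if proto == "icmp" else (0, 65535)
        perm["FromPort"] = any_lo if lo is None else lo
        perm["ToPort"] = any_hi if hi is None else hi
    if rule.get("remote_group_id"):
        # remote_group_id (another group's members) maps to EC2 UserIdGroupPair.
        perm["UserIdGroupPairs"] = [{"GroupId": rule["remote_group_id"]}]
    else:
        # No remote prefix in Neutron means any address.
        perm["IpRanges"] = [{"CidrIp": rule.get("remote_ip_prefix") or "0.0.0.0/0"}]
    return perm

def neutron_rules_to_ec2_calls(rules):
    """Direction is a rule attribute in Neutron but a separate API method
    (Authorize...Ingress vs ...Egress) in EC2, so bucket rules by it."""
    calls = {"AuthorizeSecurityGroupIngress": [], "AuthorizeSecurityGroupEgress": []}
    for rule in rules:
        method = "AuthorizeSecurityGroup" + rule["direction"].capitalize()
        calls[method].append(neutron_rule_to_ip_permission(rule))
    return calls

# Constructed sample rules in the Neutron API's dict form.
SAMPLE_RULES = [
    {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "203.0.113.0/24", "remote_group_id": None},
    {"direction": "ingress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": "sg-placeholder-id"},
    {"direction": "egress", "ethertype": "IPv4", "protocol": "udp",
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": None},
]
```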