[Openstack] the definition of X-aaS in neutron

Lorin Hochstein lorin at nimbisservices.com
Wed Nov 27 01:56:37 UTC 2013


Hi Salvatore:


On Mon, Nov 25, 2013 at 2:02 PM, Salvatore Orlando <sorlando at nicira.com> wrote:

> Hi Lorin,
> I think yours is a very good question; I am afraid I am not able to
> provide a straight answer regarding in which cases one service should be
> preferred to the other.
>
> Technically the difference would be that a firewall rule is enforced only
> at the edge of your network, and is therefore not enforced for intra-tenant
> and inter-tenant traffic, whereas a security group rule is enforced on
> every port where the security group applies.
>
> As an example, one could use a security group to allow traffic on ports 80
> and 443 on all instances regardless of the source security group, and a
> firewall rule to block access to port 80 from external sources. The result
> would be that HTTP would be open for 'internal' traffic whereas only HTTPS
> would be available for externally-generated traffic.
>

Can you confirm that the FWaaS rules won't apply to inter-tenant traffic?
In a public cloud situation I would think an end-user would expect tenant
isolation: traffic from other tenants to be treated the same way as
external traffic.

Lorin

-- 
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com
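
Added example, not part of the original message and not Neutron code: a small model of the two enforcement points as the quoted text describes them (edge firewall blocking port 80, security group allowing 80 and 443 on every port), evaluated per traffic origin. The origin labels, the `isolate_tenants` switch and all function names are assumptions made for illustration; the switch models the behaviour the reply asks about.

```python
# Toy model of the enforcement points described in the quoted message.
# Not Neutron code; every name here is an assumption made for illustration.
from dataclasses import dataclass

EXTERNAL, INTER_TENANT, INTRA_TENANT = "external", "inter-tenant", "intra-tenant"

@dataclass(frozen=True)
class Packet:
    origin: str    # where the sender sits relative to the destination tenant
    dst_port: int  # TCP destination port on the instance

# Security group from the quoted example: allow 80 and 443 from any source.
SG_ALLOWED_PORTS = {80, 443}
# Edge firewall from the quoted example: block port 80, pass everything else.
FW_DENIED_PORTS = {80}

def crosses_edge(pkt, isolate_tenants=False):
    """In the quoted description only external traffic meets the edge firewall.
    isolate_tenants=True models the alternative raised in the reply, where
    traffic from other tenants is treated the same way as external traffic."""
    if pkt.origin == EXTERNAL:
        return True
    return isolate_tenants and pkt.origin == INTER_TENANT

def delivered(pkt, isolate_tenants=False):
    # Firewall rule applies first, and only when the path crosses the edge.
    if crosses_edge(pkt, isolate_tenants) and pkt.dst_port in FW_DENIED_PORTS:
        return False
    # Security group applies on the destination port for every origin;
    # the model treats anything not explicitly allowed as dropped.
    return pkt.dst_port in SG_ALLOWED_PORTS

def reachability(isolate_tenants=False):
    """Map (origin, port) -> True if the packet reaches the instance."""
    return {(origin, port): delivered(Packet(origin, port), isolate_tenants)
            for origin in (EXTERNAL, INTER_TENANT, INTRA_TENANT)
            for port in (22, 80, 443)}

if __name__ == "__main__":
    for flag in (False, True):
        print("isolate_tenants =", flag)
        for (origin, port), ok in reachability(flag).items():
            print(f"  {origin:13} -> tcp/{port:<4} {'ALLOW' if ok else 'DROP'}")
```

The only cell that differs between the two runs is inter-tenant traffic to port 80, which is the case the reply asks to have confirmed.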