[Openstack] vm isolation in same tenant network

Kevin Benton blak111 at gmail.com
Tue Jul 7 22:41:51 UTC 2015


allow_same_net_traffic shouldn't impact Neutron. In Neutron the network
shouldn't affect traffic flow (other than broadcasts of course).

On Tue, Jul 7, 2015 at 1:09 PM, Marco Mariani <marco.mariani at alterway.fr>
wrote:

> 2015-07-07 20:52 GMT+02:00 Salvatore Orlando <sorlando at nicira.com>:
>
>> If I understand your use case correctly, security groups can probably be
>> used to satisfy your goal with Neutron.
>>
>> Groups of isolated VMs in the same network can be assigned to different
>> security groups. Traffic among different groups will be dropped unless
>> enabled by a specific security group rule.
>>
>
> Not in my experience, if VMs are in the same tenant network they can ping
> and connect to each other regardless of security rules. With nova-network
> that depends on the setting of allow_same_net_traffic={True, False}.
>
> By the way, I'm using Juno (with Fuel 6.1)
>
>> Still I am not sure if this is your goal
>>
>
> Yes, indeed. I have VM1 to N that should be able to reach Internet and a
> designated "master" VM0, but not each other. Instances 1 through N are
> created with Heat templates.
>
>> as you wrote that you want to forbid traffic between VMs and floating IPs,
>> you might be trying to achieve something different.
>>
>
> That would be easier to fix, I can set up netfilter in the exposed
> machines and in the OpenStack nodes. But between VMs, there are no Allow /
> Deny rules. And neither would FWaaS help me, since it operates at the
> perimeter.
>
> I suppose Role-based Access Control (
> https://github.com/openstack/neutron-specs/blob/master/specs/liberty/rbac-networks.rst)
> could help me, but if so, that's a solution that does not directly map to
> how I see my problem.
>
> Thanks for the reply!
>
>
>


-- 
Kevin Benton
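Salvatore's suggestion, written out as an added Heat (HOT) example that is not from the thread or from any OpenStack project: two Neutron security groups on one tenant network, where worker VMs can reach the Internet and VM0 but not each other. The parameter names, group names and the choice of SSH/ICMP as the worker-to-master services are assumptions.

```yaml
heat_template_version: 2014-10-16

parameters:
  image:   { type: string }
  flavor:  { type: string }
  network: { type: string, description: tenant network shared by all VMs }

resources:
  # Workers: egress anywhere, no ingress rules at all. Security groups are
  # stateful and are enforced on the receiving port, so a worker's packet to
  # another worker is dropped by the destination's empty ingress set, even
  # though both sit on the same network.
  sg_worker:
    type: OS::Neutron::SecurityGroup
    properties:
      name: sg-worker
      rules:
        - direction: egress
          remote_ip_prefix: 0.0.0.0/0

  # Master (VM0): accept SSH and ICMP only from ports that carry sg_worker.
  # Referencing the group (remote_group_id) rather than addresses keeps the
  # rule correct as Heat adds or removes workers.
  sg_master:
    type: OS::Neutron::SecurityGroup
    properties:
      name: sg-master
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_mode: remote_group_id
          remote_group_id: { get_resource: sg_worker }
        - direction: ingress
          protocol: icmp
          remote_mode: remote_group_id
          remote_group_id: { get_resource: sg_worker }
        - direction: egress
          remote_ip_prefix: 0.0.0.0/0

  # Setting security_groups explicitly keeps the project's "default" group
  # (which allows all intra-group traffic) off these ports.
  vm0:
    type: OS::Nova::Server
    properties:
      image: { get_param: image }
      flavor: { get_param: flavor }
      networks: [ { network: { get_param: network } } ]
      security_groups: [ { get_resource: sg_master } ]

  vm1:   # one such server per worker VM
    type: OS::Nova::Server
    properties:
      image: { get_param: image }
      flavor: { get_param: flavor }
      networks: [ { network: { get_param: network } } ]
      security_groups: [ { get_resource: sg_worker } ]
```

If worker-to-worker traffic still flows with these groups attached, check that the Neutron L2 agent's firewall_driver is not set to the NoopFirewallDriver, since with that driver security group rules are accepted by the API but never enforced.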