Hi Sean, thanks for the reply.

On 6/11/19 11:00 AM, Sean Mooney wrote:

as an alternative you might be able to use the firewall as a service api to implement traffic filtering in the neutron
routers rather than at the port level.

This was a good idea! I found that it actually worked to solve our use-case. I set up FWaaS and configured a firewall group with the rules I wanted. Then I added my subnet's router_interface port to the firewall. Thank you!

Re: the general issue of doing security groups in Ironic, I was wondering if this is something that others envision eventually being the job of networking-baremetal[1]. I looked and the storyboard[2] for the project doesn't show any planned work for this, but I saw it mentioned in this presentation[3] from 2017.

Cheers,
/Jason

[1]: https://docs.openstack.org/networking-baremetal/latest/
[2]: https://storyboard.openstack.org/#!/project/955
[3]: https://www.slideshare.net/nyechiel/openstack-networking-the-road-ahead