[Openstack] vm isolation in same tenant network

Marco Mariani marco.mariani at alterway.fr
Tue Jul 7 20:09:26 UTC 2015


2015-07-07 20:52 GMT+02:00 Salvatore Orlando <sorlando at nicira.com>:

> If I understand correctly your use case security groups can be probably
> used to satisfy your goal with Neutron.
>
> Groups of isolated VMs in the same network can be assigned to different
> security groups. Traffic among different groups will be dropped unless
> enabled by a specific security group rule.
>

Not in my experience, if VMs are in the same tenant network they can ping
and connect to each other regardless of security rules. With nova-network
that depends on the setting of allow_same_net_traffic={True, False}.

By the way, I'm using Juno (with Fuel 6.1)

> Still I am not sure if this is your goal
>

Yes, indeed. I have VM1 to N that should be able to reach Internet and a
designated "master" VM0, but not each other. Instances 1 through N are
created with Heat templates.

> as you wrote that you want to forbid traffic between VMs and floating IPs,
> you might be trying to achieve something different.
>

That would be easier to fix, I can set up netfilter in the exposed machines
and in the OpenStack nodes. But between VMs, there are no Allow / Deny
rules. And neither would FWaaS help me, since it operates at the perimeter.

I suppose Role-based Access Control (
https://github.com/openstack/neutron-specs/blob/master/specs/liberty/rbac-networks.rst)
could help me, but if so, that's a solution that does not directly map to
how I see my problem.

Thanks for the reply!
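For readers of this thread, here is how the security-group layout Salvatore describes (workers may reach the Internet and the master VM0, but not each other) can be expressed in a Heat template, since the original poster creates instances 1 through N with Heat. This is an added example, not code from the thread or from the OpenStack project; the parameter names, the service port 8080 and the `tenant_cidr`/`admin_cidr` ranges are assumptions for illustration. It uses the Juno-era `OS::Neutron::SecurityGroup` and `OS::Heat::ResourceGroup` resources.

```yaml
heat_template_version: 2014-10-16

description: >
  Added example, not from the thread: security groups that let worker
  instances reach the Internet and a master instance but not each other.
  Parameter and resource names are assumptions made for this example.

parameters:
  image:
    type: string
  flavor:
    type: string
  tenant_net:
    type: string
    description: tenant network shared by master and workers
  tenant_cidr:
    type: string
    description: subnet CIDR of tenant_net (placeholder, e.g. 10.0.0.0/24)
  admin_cidr:
    type: string
    description: address range allowed to SSH into the master
  worker_count:
    type: number
    default: 3

resources:
  # Master VM0: reachable on port 22 from admin_cidr and on an assumed
  # service port (8080) from anywhere inside the tenant subnet, so that
  # workers can reach it. A CIDR rather than remote_group_id is used here
  # to avoid a circular reference between the two groups.
  master_sg:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: { get_param: admin_cidr }
        - direction: ingress
          protocol: tcp
          port_range_min: 8080
          port_range_max: 8080
          remote_ip_prefix: { get_param: tenant_cidr }

  # Worker VMs 1..N: the only ingress permitted is from members of
  # master_sg. No rule references worker_sg itself, so worker-to-worker
  # traffic is dropped. Egress is left at Neutron's default allow-all
  # rules, which covers outbound Internet access; replies to worker-
  # initiated connections are admitted by the stateful rule tracking of
  # the security group driver.
  worker_sg:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - direction: ingress
          remote_mode: remote_group_id
          remote_group_id: { get_resource: master_sg }

  master:
    type: OS::Nova::Server
    properties:
      image: { get_param: image }
      flavor: { get_param: flavor }
      networks:
        - network: { get_param: tenant_net }
      # Only master_sg is attached. The project's "default" group is
      # deliberately left off, because its allow-from-same-group rule
      # would let every member of that group reach every other.
      security_groups:
        - { get_resource: master_sg }

  workers:
    type: OS::Heat::ResourceGroup
    properties:
      count: { get_param: worker_count }
      resource_def:
        type: OS::Nova::Server
        properties:
          image: { get_param: image }
          flavor: { get_param: flavor }
          networks:
            - network: { get_param: tenant_net }
          security_groups:
            - { get_resource: worker_sg }
```

The point to check on a deployment where VMs in the same network still see each other is which groups are actually attached to the ports: a port that also carries the project's `default` group inherits its allow-from-same-group rule, and `neutron security-group-rule-list` shows the effective rules per group. Under nova-network rather than Neutron, the same-network behaviour is governed by the `allow_same_net_traffic` setting in nova.conf that the poster mentions, and security groups alone do not override it.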