Configure security groups

The Networking Service provides security group functionality using a mechanism that is more flexible and powerful than the security group capabilities built into Compute. Therefore, if you use Networking, you should always disable built-in security groups and proxy all security group calls to the Networking API . If you do not, security policies will conflict by being simultaneously applied by both services.

To proxy security groups to Networking, use the following configuration values in nova.conf:

Table 7.8. nova.conf security group settings
Item	Configuration
`firewall_driver`	Update to `nova.virt.firewall.NoopFirewallDriver`, so that `nova-compute` does not perform iptables-based filtering itself.
`security_group_api`	Update to `neutron`, so that all security group requests are proxied to the Network Service.

Questions? Discuss on ask.openstack.org
Found an error? Report a bug against this page

Legal notices