Security groups and security group rules allow administrators and tenants to specify the type of traffic and direction (ingress/egress) that is allowed to pass through a port. A security group is a container for security group rules.
When a port is created in Networking, it is associated with a security group. If a security group is not specified, the port is associated with a 'default' security group. By default, this group drops all ingress traffic and allows all egress. Rules can be added to this group to change the behaviour.
To use the Compute security group APIs or use Compute to orchestrate the creation of ports for instances on specific security groups, you must complete additional configuration. You must configure the /etc/nova/nova.conf file and set the security_group_api=neutron option on every node that runs nova-compute and nova-api. After you make this change, restart nova-api and nova-compute to pick up this change. Then, you can use both the Compute and OpenStack Network security group APIs at the same time.
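An audit of the setting described above, as an added example that is not part of the original documentation: it reads a nova.conf file and reports whether security_group_api is set to neutron. It assumes the option is read from the [DEFAULT] section, which the page does not state; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Print the value of security_group_api found in the [DEFAULT] section
# (assumption: that is where nova reads it); prints nothing if it is unset.
sg_api_value() {
    awk '
        /^[ \t]*[#;]/ { next }    # ignore commented-out settings
        /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == "DEFAULT" && /^[ \t]*security_group_api[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v
        }
        END { print val }         # the last assignment seen is reported
    ' "$1"
}

# Return 0 when the file sets security_group_api=neutron, 1 otherwise.
check_nova_conf() {
    val=$(sg_api_value "$1")
    if [ "$val" = "neutron" ]; then
        echo "OK    $1: security_group_api=neutron"
        return 0
    fi
    echo "FAIL  $1: security_group_api='${val:-<unset>}'"
    return 1
}

# Constructed sample files standing in for /etc/nova/nova.conf on two nodes.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/good.conf" <<'EOF'
[DEFAULT]
# security_group_api=nova
security_group_api = neutron
EOF
cat > "$SAMPLES/bad.conf" <<'EOF'
[DEFAULT]
debug = false
[neutron]
security_group_api=neutron
EOF

for f in "$SAMPLES"/*.conf; do
    check_nova_conf "$f" || true   # keep going so every file is reported
done
```

On a real deployment, run check_nova_conf /etc/nova/nova.conf on every node that runs nova-compute or nova-api.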