Configure security groups

The OpenStack Networking Service provides security group functionality using a mechanism that is more flexible and powerful than the security group capabilities built into OpenStack Compute. Therefore, if you use OpenStack Networking, you should always disable built-in security groups and proxy all security group calls to the OpenStack Networking API . If you do not, security policies will conflict by being simultaneously applied by both services.

To proxy security groups to OpenStack Networking, use the following configuration values in nova.conf:

Table 4.44. nova.conf security group settings
Item	Configuration
`firewall_driver`	Update to `nova.virt.firewall.NoopFirewallDriver`, so that `nova-compute` does not perform iptables-based filtering itself.
`security_group_api`	Update to `neutron`, so that all security group requests are proxied to the OpenStack Network Service.

Log a bug against this page

Legal notices