Network Address Translation (Implemented by Neutron L3 agent rather than Nova)
Security groups are the primary mechanism that tenants can use to control network traffic from and to virtual machines or network interfaces. A security group is defined by a set of rules. A rule consists of specific conditions (mainly pertaining to the type, source and destination of traffic) and the action (e.g. drop, reject, or accept) to be taken if the conditions are satisfied.
For example, a rule could be specified to allow all outgoing traffic, support anti-spoofing of MAC addresses, etc. (A rule may even reference a security group as a traffic source.) Overall, traffic is allowed only if there is a rule that permits it. Security groups are tenant-specific. Virtual machines (or network interfaces) are assigned security groups when they are created.
Security groups may be provided by Nova-network or Neutron, selected via configuration. Either way, the underlying implementation is based on Linux iptables. By default, security groups are provided by Nova-network, but Neutron is the recommended provider because of its advanced features and its flexibility to use external plug-ins, and we should use Neutron for this.
In Neutron (in contrast to Nova), security groups are applied to virtual network interfaces (via Neutron ports). (In Nova, security groups are applied to virtual machines; as a result, all network interfaces on a virtual machine have the same security groups.) A Neutron port may be associated with one or more security groups upon creation. If it is not explicitly assigned a security group, the tenant's default security group applies. By default, the default security group allows all egress traffic (subject to anti-spoofing of MAC/IP addresses and DHCP messages), but limits ingress traffic to that from members of the same security group and from essential services (e.g. ICMPv6 for router advertisement). The default security group (like other security groups) is customizable on a per-tenant basis.
Neutron security groups prevent traffic from passing through an intermediate virtual machine. To support virtual network functions such as routers and firewalls, the port construct has been extended with the attribute port_security_
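To make the semantics above concrete, here is an added example (not Neutron code and not part of the original page) that models the evaluation described: allow-only rules, default deny, a rule that may reference a CIDR or another security group as the remote side, and a tenant default group that permits all egress but only ingress from its own members. The port IPs, group names and the "web" group are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the security-group semantics described above:
# rules only permit traffic, anything not matched by a rule is dropped.
@dataclass(frozen=True)
class Rule:
    direction: str                       # "ingress" or "egress"
    protocol: Optional[str] = None       # None matches any protocol
    port_min: Optional[int] = None       # None matches any port
    port_max: Optional[int] = None
    remote_cidr: Optional[str] = None    # remote address must fall in this CIDR
    remote_group: Optional[str] = None   # remote port must belong to this group

@dataclass(frozen=True)
class Port:
    ip: str
    groups: frozenset                    # security groups attached to this Neutron port

def default_group_rules(name="default"):
    # Tenant default group: all egress allowed, ingress only from members of the same group.
    return [Rule("egress"), Rule("ingress", remote_group=name)]

def rule_matches(rule, direction, protocol, dport, remote):
    if rule.direction != direction:
        return False
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if rule.port_min is not None:
        hi = rule.port_max if rule.port_max is not None else rule.port_min
        if not rule.port_min <= dport <= hi:
            return False
    if rule.remote_cidr is not None and ip_address(remote.ip) not in ip_network(rule.remote_cidr):
        return False
    if rule.remote_group is not None and rule.remote_group not in remote.groups:
        return False
    return True

def allowed(direction, protocol, dport, local, remote, groups):
    """True only if some rule of a group attached to `local` permits the flow (default deny)."""
    return any(rule_matches(r, direction, protocol, dport, remote)
               for g in local.groups for r in groups.get(g, []))

# Constructed tenant: the default group plus a "web" group exposing TCP/443 to anyone.
GROUPS = {
    "default": default_group_rules(),
    "web": [Rule("egress"), Rule("ingress", "tcp", 443, 443, remote_cidr="0.0.0.0/0")],
}
APP = Port("10.0.0.10", frozenset({"default"}))
DB = Port("10.0.0.11", frozenset({"default"}))
WEB = Port("10.0.0.20", frozenset({"web"}))
INTERNET = Port("203.0.113.5", frozenset())
```

Swapping a port from "default" into "web" silently drops its right to reach the database port, which is the kind of reachability change a reviewer wants to check before applying a group change.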
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: vaibhav
- Direction: Needs approval
- Assignee: vaibhav
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Armando Migliaccio