Implement egress traffic filtering from OpenStack to Intranet
In a mixed OpenStack and intranet environment, if we provide a public IaaS service, we need to provide egress filtering for the instances for security reasons: traffic from instances launched by users is not trusted and can otherwise reach anywhere inside the intranet environment. We need to implement a new kind of security group that is only visible to the cloud admin; we call it the system sec group. By default the system sec group blocks all traffic flowing from an instance to the intranet, but there is no extra firewall for instances within different zones and regions besides the instance's own security group. It is an ACL that describes which instance or tenant has the right to reach which IP or subnet in the intranet.
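The following is an added example, not code from the blueprint or from OpenStack, modelling the ACL described above: default deny toward the intranet, with allow entries keyed by tenant or instance. The intranet range, the `Rule` type, the function names and all IDs are constructed assumptions, as is treating non-intranet destinations as outside this group's scope.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the intranet is described by a list of CIDR ranges (constructed value).
INTRANET = [ipaddress.ip_network("10.0.0.0/8")]

@dataclass(frozen=True)
class Rule:
    subject_type: str  # "tenant" or "instance"
    subject_id: str
    dest: str          # intranet IP or subnet, CIDR notation

def validate(rules):
    """Admin-side check: every allow rule must stay wholly inside the intranet."""
    for r in rules:
        if r.subject_type not in ("tenant", "instance"):
            raise ValueError(f"unknown subject type: {r.subject_type}")
        net = ipaddress.ip_network(r.dest, strict=True)  # rejects host bits set
        if not any(net.version == i.version and net.subnet_of(i) for i in INTRANET):
            raise ValueError(f"{r.dest} is not inside the intranet ranges")
    return list(rules)

def egress_allowed(rules, tenant_id, instance_id, dest_ip):
    """Decide one flow from an instance; intranet destinations are default deny."""
    ip = ipaddress.ip_address(dest_ip)
    # Normalise IPv4-mapped IPv6 so it cannot sidestep the IPv4 intranet ranges.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if not any(ip in net for net in INTRANET):
        return True  # assumption: non-intranet traffic is not governed by this group
    for r in rules:
        subject_matches = (
            (r.subject_type == "tenant" and r.subject_id == tenant_id)
            or (r.subject_type == "instance" and r.subject_id == instance_id)
        )
        if subject_matches and ip in ipaddress.ip_network(r.dest):
            return True
    return False  # no matching allow entry: blocked

# Constructed sample ACL: one tenant-wide subnet grant, one per-instance host grant.
RULES = validate([
    Rule("tenant", "tenant-a", "10.20.0.0/16"),
    Rule("instance", "vm-42", "10.99.1.5"),
])

if __name__ == "__main__":
    for flow in [("tenant-a", "vm-1", "10.20.3.4"), ("tenant-b", "vm-2", "10.20.3.4"),
                 ("tenant-b", "vm-42", "10.99.1.5"), ("tenant-b", "vm-2", "::ffff:10.20.3.4")]:
        print(flow, "ALLOW" if egress_allowed(RULES, *flow) else "DENY")
```
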
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Hui Cheng
- Direction: Needs approval
- Assignee: Sina Web Service Dev
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Vish Ishaya
Whiteboard
There is something called provider firewall rules that filters outgoing traffic from the VMs. Please let me know if that is sufficient, or you need more functionality. --Vish