Jeremy Stanley wrote: > On 2016-03-03 07:49:03 +1300 (+1300), Xav Paice wrote: > [...] > > In my mind, the default security group is there so that as people > > are developing their security policy they can at least start with > > a default that offers a small amount of protection. > > Well, not a small amount of protection. The instances boot > completely unreachable from the global Internet, so this is pretty > significant protection if you consider the most secure system is one > which isn't connected to anything.
This is only if you are booting on a v4 network, which has NAT enabled. Many public providers, the network you attach to is publicly routed, and with the move to IPv6 - this will become more common. Remember, NAT is not a security device. -- Sean M. Collins __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
