2015-07-07 20:52 GMT+02:00 Salvatore Orlando <sorla...@nicira.com>:
> If I understand correctly your use case security groups can be probably
> used to satisfy your goal with Neutron.
>
> Groups of isolated VMs in the same network can be assigned to different
> security groups. Traffic among different groups will be dropped unless
> enabled by a specific security group rule.
>
Not in my experience, if VMs are in the same tenant network they can ping and connect to each other regardless of security rules. With nova-network that depends on the setting of allow_same_net_traffic={True, False}. By the way, I'm using Juno (with Fuel 6.1).

> Still I am not sure if this is your goal

Yes, indeed. I have VM1 to N that should be able to reach Internet and a designated "master" VM0, but not each other. Instances 1 through N are created with Heat templates.

> as you wrote that you want to forbid traffic between VMs and floating IPs,
> you might be trying to achieve something different.

That would be easier to fix, I can set up netfilter in the exposed machines and in the OpenStack nodes. But between VMs, there are no Allow / Deny rules. And neither would FWaaS help me, since it operates at the perimeter. I suppose Role-based Access Control (https://github.com/openstack/neutron-specs/blob/master/specs/liberty/rbac-networks.rst) could help me, but if so, that's a solution that does not directly map to how I see my problem.

Thanks for the reply!
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
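The group layout Salvatore's reply describes, written as a Juno-era Heat template for the VM0 / VM1..N topology in the question. This is an added example, not code from either message; the group names (sg_master, sg_worker), the parameters and the subnet default are assumptions, and the comment on the "default" group's self-referencing rule is the reason VMs left in that group can reach each other.

```yaml
heat_template_version: 2014-10-16
# Hypothetical example: VM0 ("master") plus N workers on one tenant network.
# Workers may reach the Internet and VM0, but not each other.
parameters:
  subnet_cidr: { type: string, default: 10.0.0.0/24 }  # assumed tenant subnet
  image:   { type: string }
  flavor:  { type: string }
  network: { type: string }
resources:
  # Master: accepts SSH from the tenant subnet so workers can reach it.
  # No egress rules are given, so Neutron's default allow-all egress stays.
  sg_master:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: { get_param: subnet_cidr }
  # Workers: the only ingress allowed is from members of sg_master. No rule
  # names sg_worker itself, so worker-to-worker packets are dropped at the
  # destination port. (The "default" group carries exactly such a
  # self-referencing ingress rule, which is why VMs left in it reach each other.)
  sg_worker:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - direction: ingress
          remote_mode: remote_group_id
          remote_group_id: { get_resource: sg_master }
  master:
    type: OS::Nova::Server
    properties:
      image: { get_param: image }
      flavor: { get_param: flavor }
      networks: [ { network: { get_param: network } } ]
      security_groups: [ { get_resource: sg_master } ]
  workers:
    type: OS::Heat::ResourceGroup
    properties:
      count: 3
      resource_def:
        type: OS::Nova::Server
        properties:
          image: { get_param: image }
          flavor: { get_param: flavor }
          networks: [ { network: { get_param: network } } ]
          security_groups: [ { get_resource: sg_worker } ]
```

Because Neutron security groups are stateful, replies to connections the workers open toward the master or the Internet are allowed without any extra ingress rule.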