allow_same_net_traffic shouldn't impact Neutron. In Neutron the network shouldn't affect traffic flow (other than broadcasts of course).
On Tue, Jul 7, 2015 at 1:09 PM, Marco Mariani <marco.mari...@alterway.fr> wrote:

> 2015-07-07 20:52 GMT+02:00 Salvatore Orlando <sorla...@nicira.com>:
>
>> If I understand correctly your use case security groups can be probably
>> used to satisfy your goal with Neutron.
>>
>> Groups of isolated VMs in the same network can be assigned to different
>> security groups. Traffic among different groups will be dropped unless
>> unable by a specific security group rule.
>
> Not in my experience, if VMs are in the same tenant network they can ping
> and connect to each other regardless of security rules. With nova-network
> that depends on the setting of allow_same_net_traffic={True, False}.
>
> By the way, I'm using Juno (with Fuel 6.1)
>
>> Still I am not sure if this is your goal
>
> Yes, indeed. I have VM1 to N that should be able to reach Internet and a
> designated "master" VM0, but not each other. Instances 1 through N are
> created with Heat templates.
>
>> as you wrote that you want to forbid traffic between VMs and floating IPs,
>> you might be trying to achieve something different.
>
> That would be easier to fix, I can set up netfilter in the exposed
> machines and in the OpenStack nodes. But between VMs, there are no Allow /
> Deny rules. And neither would FWaaS help me, since it operates at the
> perimeter.
>
> I suppose Role-based Access Control (
> https://github.com/openstack/neutron-specs/blob/master/specs/liberty/rbac-networks.rst)
> could help me, but if so, that's a solution that does not directly map to
> how I see my problem.
>
> Thanks for the reply!
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

--
Kevin Benton
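The security-group layout described in the quoted reply (workers reach the master and the outside, but not each other), written as a Heat template. This is an added example, not part of the thread or of any poster's deployment; the resource names, parameters and the sample CIDR are assumptions, and the subnet is assumed to exist already.

```yaml
heat_template_version: 2014-10-16
description: >
  Constructed illustration: worker VMs accept traffic only from the
  master's security group. All names and values here are assumptions.

parameters:
  tenant_net:
    type: string
    description: Existing tenant network shared by VM0 and the workers
  tenant_cidr:
    type: string
    default: 10.0.0.0/24   # constructed sample value

resources:
  master_sg:
    type: OS::Neutron::SecurityGroup
    properties:
      description: VM0 accepts connections from the tenant subnet
      rules:
        - direction: ingress
          ethertype: IPv4
          remote_ip_prefix: { get_param: tenant_cidr }

  worker_sg:
    type: OS::Neutron::SecurityGroup
    properties:
      description: Workers accept traffic only from members of master_sg
      rules:
        # The only ingress rule: the source port must belong to master_sg.
        # No rule names worker_sg or the subnet as a source, so
        # worker-to-worker traffic matches nothing and is dropped.
        # No egress rules are listed, so the default egress rules that
        # Neutron creates with a new group (allow all outbound) remain.
        - direction: ingress
          ethertype: IPv4
          remote_mode: remote_group_id
          remote_group_id: { get_resource: master_sg }

  worker_port:
    type: OS::Neutron::Port
    properties:
      network: { get_param: tenant_net }
      # List worker_sg only. A port that also sits in the tenant's
      # "default" group picks up that group's rule allowing ingress
      # from its other members, which reopens worker-to-worker traffic.
      security_groups:
        - { get_resource: worker_sg }
```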