Working with security groups

Security groups can be managed in either the Neutron CLI or the Horizon dashboard. Both methods offer a fairly comprehensive experience and are discussed in the following sections.

Managing security groups in the CLI

From within the Neutron command-line client, a number of commands can be used to manage security groups, including:

  • security-group-create
  • security-group-delete
  • security-group-list
  • security-group-rule-create
  • security-group-rule-delete
  • security-group-rule-list
  • security-group-rule-show
  • security-group-show
  • security-group-update

Creating security groups in the CLI

To create a security group within the CLI, use the Neutron security-group-create command as follows:

Usage:   security-group-create [--tenant-id TENANT_ID]
         [--description DESCRIPTION] NAME

Note

By default, security groups in Neutron are prepopulated with two egress rules that allow all outbound traffic over IPv4 and IPv6. Ingress traffic from hosts outside of the associated group is not permitted by default.

Deleting security groups in the CLI

To delete a security group within the CLI, use the Neutron security-group-delete command as follows:

Usage:   security-group-delete SECURITY_GROUP

The SECURITY_GROUP argument can be either the ID or the name of the security group to delete.

Note

A security group must be removed from all ports before it can be deleted.

Listing security groups in the CLI

To obtain a listing of security groups within the CLI, use the Neutron security-group-list command as follows:

Usage:   security-group-list

The output returned includes the ID, name, and description of all security groups within the tenant where the command was run. If run as an administrator, all security groups across all tenants will be listed.

Showing the details of a security group in the CLI

To display the details of a security group, use the Neutron security-group-show command as follows:

Usage:   security-group-show SECURITY_GROUP

The SECURITY_GROUP argument can be either the ID or the name of the security group to show. The output returned includes the description, ID, name, associated tenant ID, and the individual rules within the security group.

Updating security groups in the CLI

To update the attributes of a security group, use the Neutron security-group-update command as follows:

Usage:   security-group-update [--description DESCRIPTION]
         [--name NAME] SECURITY_GROUP

Note

It is not possible to change the name of the default security groups provided by Neutron.

Creating security group rules in the CLI

To create a security group rule, use the Neutron security-group-rule-create command as follows:

Usage:    security-group-rule-create
          [--tenant-id TENANT_ID] [--direction {ingress,egress}]
          [--ethertype ETHERTYPE] [--protocol PROTOCOL]
          [--port-range-min PORT_RANGE_MIN]
          [--port-range-max PORT_RANGE_MAX]
          [--remote-ip-prefix REMOTE_IP_PREFIX]
          [--remote-group-id REMOTE_GROUP]
          SECURITY_GROUP

The --direction flag is optional and allows you to specify the direction of traffic that should be affected. Specifying ingress means the rule applies to incoming traffic, while specifying egress means the rule applies to outgoing traffic from the instance. The default value is ingress.

The --ethertype flag is optional and allows you to specify whether the rule applies to the IPv4 or IPv6 traffic. The default value is IPv4.

The --protocol flag is optional and allows you to specify the type of traffic the rule applies to. Possible options include ICMP, TCP, UDP, or an IP protocol number.

The --port-range-min flag is optional and allows you to specify the starting port of a range of ports. If this option is specified, a protocol must also be defined.

The --port-range-max flag is optional and allows you to specify the ending port of a range of ports. If this option is specified, a protocol must also be defined.

The --remote-ip-prefix flag is optional and allows you to specify the source address or network the rule applies to. The address or network should be defined in the CIDR format.

The --remote-group-id flag is optional and allows you to specify the ID of a security group the rule should apply to rather than individual IP addresses or networks. For example, when creating a rule to allow inbound SQL traffic to database servers, you can specify the ID of a security group that application servers are a member of without having to specify their individual IP addresses.

The SECURITY_GROUP keyword is used to specify the ID of the security group that the rule should be placed in.

Deleting security group rules in the CLI

To delete a security group rule, use the Neutron security-group-rule-delete command as follows:

Usage:   security-group-rule-delete SECURITY_GROUP_RULE_ID

Note

While it is possible to delete the rules within the default security group, it is not possible to delete the group itself.

Listing security group rules in the CLI

To list the security group rules within a security group, use the Neutron security-group-rule-list command as follows:

Usage:   security-group-rule-list

The output returned includes details of individual security group rules, such as their ID, associated security group, direction, protocol, remote IP prefix, and remote group name.

Showing the details of a security group rule in the CLI

To display the details of a particular security group rule, use the Neutron security-group-rule-show command as follows:

Usage:   security-group-rule-show SECURITY_GROUP_RULE_ID

The output returned includes the ID, direction, ethertype, port range, protocol, remote group ID, remote IP prefix, tenant ID, and associated security group ID of the specified security group rule.

Applying security groups to instances and ports in the CLI

Applying security groups to instances within the CLI is typically done at instance creation using nova boot, as follows:

nova boot --flavor <FLAVOR_ID> --image <IMAGE_ID>
--nic net-id=<NETWORK_ID> --security-group <SECURITY_GROUP_ID>
INSTANCE_NAME

Security groups can also be applied to running instances using either the Neutron port-update command or the Nova add-secgroup command. The following example demonstrates the use of port-update to apply security groups to a port:

neutron port-update <PORT_ID> --security-group <SECURITY_GROUP_ID>

Note

Using port-update to assign security groups to a port will overwrite the existing security group associations.

Multiple security groups can be associated with a Neutron port simultaneously. To apply multiple security groups to a port, use the --security-group flag before each security group, as follows:

neutron port-update <PORT_ID>
--security-group <SECURITY_GROUP_ID1>
--security-group <SECURITY_GROUP_ID2>
--security-group <SECURITY_GROUP_ID3>

The following example demonstrates the use of the Nova add-secgroup command to apply a security group to all ports connected to an instance:

nova add-secgroup <INSTANCE_ID> <SECURITY_GROUP_ID>

Removing security groups from instances and ports in the CLI

To remove an individual security group from an instance, execute the Nova remove-secgroup command as shown in the following example:

nova remove-secgroup <INSTANCE_ID> <SECURITY_GROUP_ID>

To remove all security groups from a port, use the Neutron port-update command with the --no-security-groups flag, as shown in the following example:

neutron port-update <PORT_ID> --no-security-groups

Note

It is not possible to remove a single security group from a port using the port-update command. Instead, remove all security groups from the port and then add the selected groups back.
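The following shell script is an added example and is not code from the book or from the Neutron project. It ties together the rule-creation flags described above (a database group reachable on TCP 3306 only from members of an application group, plus SSH from a management CIDR) with the overwrite behaviour of port-update: it always rewrites a port's complete group set in one call, and removes a single group by re-applying every other group. It assumes an OpenStack RC file has been sourced and that the neutron client is on PATH; the group names, port IDs and the 192.0.2.0/24 network are constructed placeholders.

```shell
# Added example, not from the book. Assumes OS_* credentials are sourced and the
# "neutron" client is on PATH. All group/port names are constructed placeholders.
# With NEUTRON_DRY_RUN=1 every command is printed instead of executed.

run() {
  if [ "${NEUTRON_DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

create_group() { run neutron security-group-create --description "$2" "$1"; }

# Ingress TCP ports $3-$4 into group $1, allowed only from members of remote group $2.
allow_tcp_from_group() {
  run neutron security-group-rule-create --direction ingress --ethertype IPv4 \
    --protocol tcp --port-range-min "$3" --port-range-max "$4" \
    --remote-group-id "$2" "$1"
}

# Ingress TCP ports $3-$4 into group $1 from the CIDR $2 (e.g. a management network).
allow_tcp_from_cidr() {
  run neutron security-group-rule-create --direction ingress --ethertype IPv4 \
    --protocol tcp --port-range-min "$3" --port-range-max "$4" \
    --remote-ip-prefix "$2" "$1"
}

# Replace the full group set on port $1 in one port-update call (it overwrites
# whatever was attached before); an empty set needs --no-security-groups.
set_port_groups() {
  port="$1"; shift
  if [ "$#" -eq 0 ]; then run neutron port-update "$port" --no-security-groups; return; fi
  args=""
  for g in "$@"; do args="$args --security-group $g"; done
  run neutron port-update "$port" $args
}

# Drop only group $2 from port $1 by re-applying every current group ($3...) but it.
drop_port_group() {
  port="$1"; drop="$2"; shift 2
  keep=""
  for g in "$@"; do [ "$g" = "$drop" ] || keep="$keep $g"; done
  set_port_groups "$port" $keep
}

# Worked run with constructed names; not executed when the file is merely sourced.
demo() {
  create_group app-sg "application tier"
  create_group db-sg "database tier"
  allow_tcp_from_group db-sg app-sg 3306 3306        # MySQL only from app servers
  allow_tcp_from_cidr db-sg 192.0.2.0/24 22 22       # SSH only from management net
  set_port_groups db-port-1 db-sg default            # two groups in a single call
  drop_port_group app-port-1 default default app-sg  # port keeps only app-sg
}
```

Source the file and call demo with NEUTRON_DRY_RUN=1 to preview the exact neutron commands before running them against a real environment.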
