OpenStack Networking provides two different APIs that can be used to implement network traffic filters. The first API, known as the Security Group API, provides basic traffic filtering at an instance port level. Security group rules are implemented within iptables or as Open vSwitch flow rules on a compute node and filter traffic entering or leaving Neutron ports attached to instances. The second API, known as the Firewall as a Service API (FWaaS), also implements filtering rules at the port level, but extends filtering capabilities to router ports and other ports besides those belonging to traditional instances.
In this chapter, we will focus on security groups and cover some fundamental security features of Neutron, including the following:
- A brief introduction to iptables
- Creating and managing security groups
- Demonstrating traffic flow through iptables
- Configuring port security
- Managing allowed address pairs