In the following example, an instance named WEB1 has been created that acts as a web server running Apache on ports 80 and 443. Making a request to the web server at 192.168.206.6:80 eventually times out:

To demonstrate how security group rules are implemented on a compute node, take note of the following WEB_SERVERS security group:

The following screenshot demonstrates two security group rules being added to the WEB_SERVERS security group using the openstack security group rule create command. The rules allow inbound connections on ports 80 and 443 from any remote host, as defined by the CIDR 0.0.0.0/0:

Using the openstack server add security group command, the WEB_SERVERS security group can be applied to the WEB1 instance, as shown in the following screenshot:

Once a security group has been applied to the corresponding port of an instance, a series of iptables rules and chains are implemented on the compute node hosting the instance. A quick connectivity check shows that the rule(s) work as expected: