Security groups

OpenStack security groups contain rules defining which type of traffic to allow to or from an instance. As a type of firewall, this function is located on the boundary between a trusted private network and other networks. The security groups are layer 3 and 4 traffic filters having tables of rules for how to handle traffic types and ports, which in turn determine the access properties of the instances.



Instances can be associated with one or more security groups, which act as filters for which traffic types to allow to and from the instance. By default all traffic is blocked, and when an instance references more than one security group, a rule in one of the security groups that allows certain traffic overrides the default.

Security group rules can be set for inbound (ingress) and outbound (egress) traffic. Rules are stateful: when a traffic type is allowed in one direction, a corresponding rule for return traffic in the opposite direction is created automatically.

A default security group is created at the time the tenant is created, which has the following default rules:

  • Egress traffic is allowed only if the MAC-IP address pair is correct (anti-spoofing rule).

  • Any non-IP traffic is allowed in the egress direction (e.g. ARP).

  • All other ingress traffic is denied, unless the same default security group is applied on VM ports connected to the same virtual network.

It is considered good practice to create a new security group for each role a server can have in the VPC, rather than editing the default security group itself. This allows a flexible mapping of instances to security groups without having to allow traffic which is of no consequence to the server. The configuration of security groups is described in the how-to guide Configure security
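The evaluation model described above (default deny, allow rules combined across all attached groups, stateful return traffic), shown as an added example that is not OpenStack, Contrail or OVS code. The `Rule` and `Port` classes are hypothetical, the group names, rules and addresses are constructed, and the default security group's own rules are not modeled.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    direction: str    # "ingress" or "egress"
    protocol: str     # "tcp" or "udp"
    port_min: int     # destination port range the rule covers
    port_max: int
    remote_cidr: str  # peer addresses the rule applies to

    def matches(self, direction, protocol, dport, peer_ip):
        return (self.direction == direction and self.protocol == protocol
                and self.port_min <= dport <= self.port_max
                and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.remote_cidr))

# Constructed role-based groups: one group per role a server can have.
GROUPS = {
    "web": [Rule("ingress", "tcp", 443, 443, "0.0.0.0/0")],
    "ssh-admin": [Rule("ingress", "tcp", 22, 22, "10.0.0.0/24")],
    "dns-client": [Rule("egress", "udp", 53, 53, "10.0.0.2/32")],
}

class Port:
    """Hypothetical model of an instance port with its attached groups."""
    def __init__(self, group_names):
        # Rules from every attached group are combined; each one can only allow.
        self.rules = [r for name in group_names for r in GROUPS[name]]
        self.flows = set()  # flows already permitted (connection state)

    def check(self, direction, protocol, local_port, peer_ip, peer_port):
        flow = (protocol, local_port, peer_ip, peer_port)
        if flow in self.flows:
            return "allow-established"  # return traffic of a permitted flow
        # Destination port is the local port on ingress, the peer port on egress.
        dport = local_port if direction == "ingress" else peer_port
        if any(r.matches(direction, protocol, dport, peer_ip) for r in self.rules):
            self.flows.add(flow)
            return "allow"
        return "deny"  # default: no rule in any attached group matched

if __name__ == "__main__":
    port = Port(["web", "ssh-admin"])
    print(port.check("ingress", "tcp", 443, "203.0.113.7", 51000))  # HTTPS from anywhere
    print(port.check("egress", "tcp", 443, "203.0.113.7", 51000))   # reply, no egress rule
    print(port.check("ingress", "tcp", 22, "203.0.113.7", 40000))   # SSH from outside 10.0.0.0/24
```

Attaching a narrow group per role keeps the combined rule set small: a port with only `web` attached still denies SSH, even from the admin subnet.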

Beryllium implementation

In Beryllium, security groups are implemented in the Contrail vRouter, which maintains a virtual routing and forwarding (VRF) table for each subnet on which a virtual machine is created. The VRF is the basis for traffic segregation in a virtual network: it separates the flows and forwards them only between interfaces on the same VRF. This implements the layer 3 equivalent of a VLAN.

A security rule or routing policy is specified as a set of rules that are evaluated sequentially until a match is found, which then triggers a decision. Based on the match result, vRouter filters packets by performing one of the actions FORWARD, DROP or NAT. The FORWARD action is taken on allowed flows and DROP on blocked packets.

Boron implementation

In Boron, security groups are implemented in OVS, a multi-layer virtual switch. It uses virtual network bridges and flow rules to forward packets between hosts.

The VMs are connected directly to OVS, and security groups are implemented with OVS flow rules, thereby avoiding the complexities of using iptables pipelines in the standard Linux Bridge. Flow rules do not rely on VLAN tagging of traffic, but are programmed directly on the virtual switches and directly control how traffic should be handled on the ingress and egress interfaces.