Re: [Openstack] vm isolation in same tenant network

2015-07-07 23:46 GMT+02:00 Salvatore Orlando sorla...@nicira.com:

> Even if VMs are in the same logical network, it should be possible to do isolation associating them with different security groups, in your case N security groups. For instance if VM1 and VM2 are associated respectively with security group SG1 and SG2, and these security groups only have the default rules plus one for enabling connectivity with VM0, VM1 should not reach VM2. If this happens something is not quite right.

Indeed, I found my mistake. I had left the default group - which does not only contain the default egress rules, but also Ingress / IPv4 / Any / default. Without that, I don't even need separate groups but can assign the same one to all the VMs, and that's great!

Thanks again to you and Kevin

Marco

___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
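The mistake Marco describes is easy to reproduce offline. The following is an added example, not code from the thread or from Neutron itself: it models security groups in the shape the Neutron API returns them (`security_group_rules` entries with `direction`, `ethertype`, `remote_group_id`, `remote_ip_prefix`) and evaluates whether ingress between two ports is admitted. The group ids (`sg-default`, `sg-master`, `sg-worker`), the group names and the admin address range `198.51.100.0/24` are constructed for the example; the `default` group mirrors the per-project group Neutron creates, whose "Ingress / IPv4 / Any / default" rule admits traffic from any port that is itself in the default group. `intra_group_rules()` is the check to run against a project's groups before concluding that two VMs are isolated, and `marco_scenario()` walks through VM0 (master) and VM1..VMN (workers) with and without the default group attached.

```python
import ipaddress

# Constructed group ids; in a real deployment these are UUIDs.
DEFAULT_SG = "sg-default"
MASTER_SG = "sg-master"
WORKER_SG = "sg-worker"


def rule(group_id, direction, remote_group_id=None, remote_ip_prefix=None):
    """Build one rule in the shape of a Neutron security_group_rules entry
    (IPv4, any protocol and port, which is all this scenario needs)."""
    return {"security_group_id": group_id, "direction": direction,
            "ethertype": "IPv4", "protocol": None,
            "remote_group_id": remote_group_id,
            "remote_ip_prefix": remote_ip_prefix}


# Constructed sample groups. "default" mirrors the group Neutron creates per
# project: allow all egress, plus allow ingress from any port that is itself a
# member of the default group (the rule Marco had overlooked).
GROUPS = {
    DEFAULT_SG: {"id": DEFAULT_SG, "name": "default", "security_group_rules": [
        rule(DEFAULT_SG, "egress"),
        rule(DEFAULT_SG, "ingress", remote_group_id=DEFAULT_SG),
    ]},
    MASTER_SG: {"id": MASTER_SG, "name": "master", "security_group_rules": [
        rule(MASTER_SG, "egress"),
        # constructed admin range allowed to reach the master VM0
        rule(MASTER_SG, "ingress", remote_ip_prefix="198.51.100.0/24"),
    ]},
    WORKER_SG: {"id": WORKER_SG, "name": "worker", "security_group_rules": [
        rule(WORKER_SG, "egress"),
        # workers accept ingress only from ports carrying the master group
        rule(WORKER_SG, "ingress", remote_group_id=MASTER_SG),
    ]},
}


def intra_group_rules(groups):
    """Return (group_id, rule) for every ingress rule whose remote_group_id is
    the group itself. Any two ports sharing such a group can reach each other,
    whatever other groups they carry, so these rules defeat per-VM isolation."""
    found = []
    for gid, group in groups.items():
        for r in group["security_group_rules"]:
            if r["direction"] == "ingress" and r["remote_group_id"] == gid:
                found.append((gid, r))
    return found


def ingress_allowed(src_groups, dst_groups, groups, src_ip=None):
    """True if a packet from a port in `src_groups` (with source address
    `src_ip`, if relevant) is admitted by a port in `dst_groups`.

    Security groups are allow-lists: the destination port's groups are
    unioned, and traffic matching no ingress rule is dropped."""
    src = ipaddress.ip_address(src_ip) if src_ip else None
    for gid in dst_groups:
        for r in groups[gid]["security_group_rules"]:
            if r["direction"] != "ingress" or r["ethertype"] != "IPv4":
                continue
            remote_group, prefix = r["remote_group_id"], r["remote_ip_prefix"]
            if remote_group is None and prefix is None:
                return True  # no remote constraint at all: open to everyone
            if remote_group is not None and remote_group in src_groups:
                return True  # source port is a member of the referenced group
            if prefix is not None and src is not None \
                    and src in ipaddress.ip_network(prefix):
                return True  # source address falls inside the allowed CIDR
    return False


def marco_scenario():
    """VM0 is the master, VM1..VMN are workers that must reach VM0 but not
    each other. Returns (worker_to_worker_with_default_attached,
    worker_to_worker_hardened, master_to_worker_hardened)."""
    with_default = ingress_allowed({DEFAULT_SG, WORKER_SG},
                                   {DEFAULT_SG, WORKER_SG}, GROUPS)
    hardened = ingress_allowed({WORKER_SG}, {WORKER_SG}, GROUPS)
    master_to_worker = ingress_allowed({MASTER_SG}, {WORKER_SG}, GROUPS)
    return with_default, hardened, master_to_worker


if __name__ == "__main__":
    for gid, r in intra_group_rules(GROUPS):
        print(f"group {gid!r} admits ingress from its own members: {r}")
    print("worker->worker (default attached), worker->worker (hardened), "
          "master->worker:", marco_scenario())
```

The point the thread arrives at falls out of `marco_scenario()`: with the default group still attached, VM1 reaches VM2 through the default group's self-referencing ingress rule no matter what the worker group says; once only the worker group is attached, VM1 and VM2 cannot reach each other while VM0 still can, and a single group serves every worker, as Marco found.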
[Openstack] vm isolation in same tenant network

Hi, I'm using Neutron+VLAN. Is it possible to isolate VMs in the same tenant network, and filter traffic according to security rules? In my understanding the allow_same_net_traffic in nova.conf only affects nova-network and not Neutron behavior.

On the same note, I'd like to forbid traffic between VMs and floating IPs, even if there is a router that allows egress traffic to the Internet...

Thanks
Re: [Openstack] vm isolation in same tenant network

If I understand correctly your use case, security groups can probably be used to satisfy your goal with Neutron. Groups of isolated VMs in the same network can be assigned to different security groups. Traffic among different groups will be dropped unless enabled by a specific security group rule.

Still I am not sure if this is your goal - as you wrote that you want to forbid traffic between VMs and floating IPs, you might be trying to achieve something different.

Salvatore

On 7 July 2015 at 18:38, Marco Mariani marco.mari...@alterway.fr wrote:

> Hi, I'm using Neutron+VLAN. Is it possible to isolate VMs in the same tenant network, and filter traffic according to security rules? In my understanding the allow_same_net_traffic in nova.conf only affects nova-network and not Neutron behavior.
>
> On the same note, I'd like to forbid traffic between VMs and floating IPs, even if there is a router that allows egress traffic to the Internet...
>
> Thanks
Re: [Openstack] vm isolation in same tenant network

2015-07-07 20:52 GMT+02:00 Salvatore Orlando sorla...@nicira.com:

> If I understand correctly your use case, security groups can probably be used to satisfy your goal with Neutron. Groups of isolated VMs in the same network can be assigned to different security groups. Traffic among different groups will be dropped unless enabled by a specific security group rule.

Not in my experience: if VMs are in the same tenant network they can ping and connect to each other regardless of security rules. With nova-network that depends on the setting of allow_same_net_traffic={True, False}.

By the way, I'm using Juno (with Fuel 6.1).

> Still I am not sure if this is your goal

Yes, indeed. I have VM1 to N that should be able to reach the Internet and a designated master VM0, but not each other. Instances 1 through N are created with Heat templates.

> as you wrote that you want to forbid traffic between VMs and floating IPs, you might be trying to achieve something different.

That would be easier to fix; I can set up netfilter in the exposed machines and in the OpenStack nodes. But between VMs, there are no Allow / Deny rules. And neither would FWaaS help me, since it operates at the perimeter.

I suppose Role-based Access Control (https://github.com/openstack/neutron-specs/blob/master/specs/liberty/rbac-networks.rst) could help me, but if so, that's a solution that does not directly map to how I see my problem.

Thanks for the reply!