Re: [Openstack] vm isolation in same tenant network

2015-07-07 Thread Salvatore Orlando
If I understand correctly your use case, security groups can probably be
used to satisfy your goal with Neutron.

Groups of isolated VMs in the same network can be assigned to different
security groups. Traffic among different groups will be dropped unless
enabled by a specific security group rule.

Still I am not sure if this is your goal - as you wrote that you want to
forbid traffic between VMs and floating IPs, you might be trying to achieve
something different.

Salvatore

On 7 July 2015 at 18:38, Marco Mariani wrote:

> Hi,
>
> I'm using Neutron+VLAN. Is it possible to isolate VMs in the same tenant
> network, and filter traffic according to security rules?
>
> In my understanding the allow_same_net_traffic in nova.conf only affects
> nova-network and not Neutron behavior.
>
> On the same note, I'd like to forbid traffic between VMs and floating
> IPs, even if there is a router that allows egress traffic to the Internet...
>
> Thanks
>
>
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


Re: [Openstack] vm isolation in same tenant network

2015-07-07 Thread Marco Mariani
2015-07-07 20:52 GMT+02:00 Salvatore Orlando:

If I understand correctly your use case, security groups can probably be
> used to satisfy your goal with Neutron.
>
> Groups of isolated VMs in the same network can be assigned to different
> security groups. Traffic among different groups will be dropped unless
> enabled by a specific security group rule.
>

Not in my experience, if VMs are in the same tenant network they can ping
and connect to each other regardless of security rules. With nova-network
that depends on the setting of allow_same_net_traffic={True, False}.

By the way, I'm using Juno (with Fuel 6.1)

Still I am not sure if this is your goal
>

Yes, indeed. I have VM1 to N that should be able to reach Internet and a
designated "master" VM0, but not each other. Instances 1 through N are
created with Heat templates.

as you wrote that you want to forbid traffic between VMs and floating IPs,
> you might be trying to achieve something different.
>

That would be easier to fix, I can set up netfilter in the exposed machines
and in the OpenStack nodes. But between VMs, there are no Allow / Deny
rules. And neither would FWaaS help me, since it operates at the perimeter.

I suppose Role-based Access Control (
https://github.com/openstack/neutron-specs/blob/master/specs/liberty/rbac-networks.rst)
could help me, but if so, that's a solution that does not directly map to
how I see my problem.

Thanks for the reply!


Re: [Openstack] vm isolation in same tenant network

2015-07-07 Thread Salvatore Orlando
Hello Marco,

more comments inline.

Salvatore

On 7 July 2015 at 22:09, Marco Mariani wrote:

> 2015-07-07 20:52 GMT+02:00 Salvatore Orlando:
>
> If I understand correctly your use case, security groups can probably be
>> used to satisfy your goal with Neutron.
>>
>> Groups of isolated VMs in the same network can be assigned to different
>> security groups. Traffic among different groups will be dropped unless
>> enabled by a specific security group rule.
>>
>
> Not in my experience, if VMs are in the same tenant network they can ping
> and connect to each other regardless of security rules. With nova-network
> that depends on the setting of allow_same_net_traffic={True, False}.
>
> By the way, I'm using Juno (with Fuel 6.1)
>

Even if VMs are in the same logical network, it should be possible to do
isolation by associating them with different security groups, in your case N
security groups.
For instance, if VM1 and VM2 are associated respectively with security groups
SG1 and SG2, and these security groups only have the default rules plus one
for enabling connectivity with VM0, VM1 should not reach VM2. If this
happens, something is not quite right.


>
> Still I am not sure if this is your goal
>>
>
> Yes, indeed. I have VM1 to N that should be able to reach Internet and a
> designated "master" VM0, but not each other. Instances 1 through N are
> created with Heat templates.
>

Now I probably understand. It is a scenario similar to PVLAN.


>
> as you wrote that you want to forbid traffic between VMs and floating IPs,
>> you might be trying to achieve something different.
>>
>
> That would be easier to fix, I can set up netfilter in the exposed
> machines and in the OpenStack nodes. But between VMs, there are no Allow /
> Deny rules. And neither would FWaaS help me, since it operates at the
> perimeter.
>

Correct, FWaaS enforces rules at the edge and won't help you.


>
> I suppose Role-based Access Control (
> https://github.com/openstack/neutron-specs/blob/master/specs/liberty/rbac-networks.rst)
> could help me, but if so, that's a solution that does not directly map to
> how I see my problem.
>

RBAC won't help you, I think. It provides a way to declare which tenants can
use a given network, but it is a management layer abstraction - it has no
goal of policing the traffic on the logical network where it is applied.


>
> Thanks for the reply!
>
>


Re: [Openstack] vm isolation in same tenant network

2015-07-07 Thread Kevin Benton
allow_same_net_traffic shouldn't impact Neutron. In Neutron the network
shouldn't affect traffic flow (other than broadcasts of course).

On Tue, Jul 7, 2015 at 1:09 PM, Marco Mariani wrote:

> 2015-07-07 20:52 GMT+02:00 Salvatore Orlando:
>
> If I understand correctly your use case, security groups can probably be
>> used to satisfy your goal with Neutron.
>>
>> Groups of isolated VMs in the same network can be assigned to different
>> security groups. Traffic among different groups will be dropped unless
>> enabled by a specific security group rule.
>>
>
> Not in my experience, if VMs are in the same tenant network they can ping
> and connect to each other regardless of security rules. With nova-network
> that depends on the setting of allow_same_net_traffic={True, False}.
>
> By the way, I'm using Juno (with Fuel 6.1)
>
> Still I am not sure if this is your goal
>>
>
> Yes, indeed. I have VM1 to N that should be able to reach Internet and a
> designated "master" VM0, but not each other. Instances 1 through N are
> created with Heat templates.
>
> as you wrote that you want to forbid traffic between VMs and floating IPs,
>> you might be trying to achieve something different.
>>
>
> That would be easier to fix, I can set up netfilter in the exposed
> machines and in the OpenStack nodes. But between VMs, there are no Allow /
> Deny rules. And neither would FWaaS help me, since it operates at the
> perimeter.
>
> I suppose Role-based Access Control (
> https://github.com/openstack/neutron-specs/blob/master/specs/liberty/rbac-networks.rst)
> could help me, but if so, that's a solution that does not directly map to
> how I see my problem.
>
> Thanks for the reply!
>
>


-- 
Kevin Benton


Re: [Openstack] vm isolation in same tenant network

2015-07-08 Thread Marco Mariani
2015-07-07 23:46 GMT+02:00 Salvatore Orlando:

Even if VMs are in the same logical network, it should be possible to do
> isolation by associating them with different security groups, in your case N
> security groups.
> For instance, if VM1 and VM2 are associated respectively with security
> groups SG1 and SG2, and these security groups only have the default rules plus
> one for enabling connectivity with VM0, VM1 should not reach VM2. If this
> happens, something is not quite right.
>

Indeed, I found my mistake.
I had left the "default" group - which contains not only the default
egress rules, but also "Ingress / IPv4 / Any / default".

Without that, I don't even need separate groups but can assign the same one
to all the VMs, and that's great!

Thanks again to you and Kevin
Marco
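The thread turns on two points: Salvatore's claim that VMs on one logical network are isolated as soon as their security groups stop admitting each other, and Marco's finding that the seeded "default" group defeats this because it carries an ingress rule whose remote is the group itself. The model below is an added example written for this page, not Neutron's code. It reproduces the evaluation semantics the thread relies on: a port carries one or more groups, a new flow is allowed only when the sender's egress rules and the receiver's ingress rules both match, replies are implicit (stateful), and hosts outside Neutron have no port to filter. The group names (`isolated`, `master`), the VM addresses and the public address `198.51.100.10` are constructed for the example; the "before" case uses the default-group rule set the thread describes.

```python
"""Model of Neutron security-group evaluation (added example, not Neutron code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str                      # "ingress" or "egress"
    ethertype: str = "IPv4"
    protocol: Optional[str] = None      # None matches any protocol
    port_min: Optional[int] = None      # destination port range, if any
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None
    remote_group: Optional[str] = None  # matches peers that carry this group


@dataclass(frozen=True)
class Port:
    name: str
    ip: str
    groups: Tuple[str, ...] = ()
    managed: bool = True   # False for hosts outside Neutron (the Internet)


def default_group(name: str = "default") -> List[Rule]:
    """The rule set Neutron seeds into a tenant's default group."""
    return [
        Rule("egress", "IPv4"), Rule("egress", "IPv6"),
        Rule("ingress", "IPv4", remote_group=name),  # "Ingress / IPv4 / Any / default"
        Rule("ingress", "IPv6", remote_group=name),
    ]


def rule_matches(rule: Rule, peer: Port, proto: str, dport: int) -> bool:
    """Does one rule admit a flow whose other end is `peer`?"""
    ethertype = "IPv6" if ip_address(peer.ip).version == 6 else "IPv4"
    if rule.ethertype != ethertype:
        return False
    if rule.protocol is not None and rule.protocol != proto:
        return False
    if rule.port_min is not None and not (rule.port_min <= dport <= rule.port_max):
        return False
    if rule.remote_ip_prefix is not None and ip_address(peer.ip) not in ip_network(rule.remote_ip_prefix):
        return False
    if rule.remote_group is not None and rule.remote_group not in peer.groups:
        return False
    return True


def permitted(groups: Dict[str, List[Rule]], src: Port, dst: Port,
              proto: str = "tcp", dport: int = 22) -> bool:
    """True if a new flow src -> dst passes the sender's egress and the receiver's ingress rules."""
    def allowed(port: Port, direction: str, peer: Port) -> bool:
        if not port.managed:
            return True  # no Neutron port on that side, nothing to enforce
        return any(rule_matches(r, peer, proto, dport)
                   for g in port.groups for r in groups[g]
                   if r.direction == direction)
    return allowed(src, "egress", dst) and allowed(dst, "ingress", src)


def before() -> Dict[str, bool]:
    """Marco's first setup: every VM left in the seeded 'default' group."""
    groups = {"default": default_group()}
    vm1 = Port("vm1", "10.0.0.11", ("default",))   # constructed tenant addresses
    vm2 = Port("vm2", "10.0.0.12", ("default",))
    return {"vm1->vm2": permitted(groups, vm1, vm2)}   # True: self-referencing ingress rule


def after() -> Dict[str, bool]:
    """One shared group without the self-referencing rule, plus an extra group on VM0."""
    groups = {
        # assumed group on every VM: egress anywhere, ingress only from the master
        "isolated": [Rule("egress", "IPv4"),
                     Rule("ingress", "IPv4", remote_group="master")],
        # assumed extra group on VM0: workers may reach it on SSH only
        "master": [Rule("ingress", "IPv4", protocol="tcp", port_min=22, port_max=22,
                        remote_group="isolated")],
    }
    vm0 = Port("vm0", "10.0.0.10", ("isolated", "master"))
    vm1 = Port("vm1", "10.0.0.11", ("isolated",))
    vm2 = Port("vm2", "10.0.0.12", ("isolated",))
    www = Port("www", "198.51.100.10", managed=False)   # constructed Internet host
    return {
        "vm1->vm2": permitted(groups, vm1, vm2),                 # False: nothing admits a worker
        "vm1->vm0": permitted(groups, vm1, vm0),                 # True: master admits isolated
        "vm0->vm1": permitted(groups, vm0, vm1),                 # True: isolated admits master
        "vm1->www": permitted(groups, vm1, www, "tcp", 443),     # True: egress any, no port at www
        "vm1->vm0:80": permitted(groups, vm1, vm0, "tcp", 80),   # False: only port 22 is open
    }


if __name__ == "__main__":
    print("default group:", before())
    print("isolated + master:", after())
```

The check worth running on a real tenant is the one `before()` models: list the rules of every group attached to the workers and look for an ingress rule whose remote group is the group itself; as long as one is present, N separate groups or one shared group makes no difference to worker-to-worker reachability.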