
yahoo-eng-team team mailing list archive

[Bug 1592028] Re: [RFE] Support security-group-rule creation with address-groups


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1592028

Title:
  [RFE] Support security-group-rule creation with address-groups

Status in neutron:
  Fix Released

Bug description:
  Currently, security-group rules can be created with the remote-ip-
  prefix attribute to specify an origin (if ingress) or destination (if
  egress) address filter. This RFE suggests the use of address-groups
  (groups of IP CIDR blocks, as defined for FWaaS v2) to support multiple
  remote addresses in one security-group rule.

  [Problem description]
  An Openstack cloud may require connectivity between instances and external services which are not provisioned by Openstack; each service may also have multiple endpoints. In order for tenant instances to be able to access these external hosts (and only them), it is required to define a security-group with rules that allow traffic to these specific services, one rule per service endpoint (assuming endpoint addresses aren't contiguous).
  This process can easily become cumbersome: for each new service endpoint it is required to create a specific rule for each tenant.

  To overcome this usability issue, it is suggested that Neutron support an API to group IP CIDR blocks in an object which could later be referenced when creating a security-group-rule; the user would pass the AddressGroup object id as the ‘remote-ip-prefix’ attribute or as another new attribute.
  Whenever it's required to add a service endpoint, the new IP address will be added to the relevant AddressGroup; as a side effect, the change will be reflected in the underlying security-group rules.

  NOTE: For the purpose of the use-case above, the default allow-egress
  rules are removed ("zero trust" model) once the default sg is created.

  
  A possible example of use in the CLI:

  $ neutron address-group-create --cidrs 1.1.1.1,2.2.2.2 "External Services"
  $ neutron security-group-rule-create --direction egress --remote-address-group <AG_ID>

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1592028/+subscriptions
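The following is an added, constructed model of the semantics proposed above; it is not Neutron code and does not use the Neutron API. The class names (AddressGroup, Rule, SecurityGroup), the helper functions and the sample endpoints 1.1.1.1 and 2.2.2.2 taken from the CLI sketch are assumptions for illustration. It contrasts the status quo (one egress rule per endpoint) with a single rule that references an address group, evaluates both under the default-deny ("zero trust") egress model described in the note, and shows that adding an endpoint to the group changes what the referencing rule allows without touching the security group itself.

```python
"""Constructed model of security-group rules that reference an address group.

Not Neutron's implementation: a small default-deny evaluator that shows
why one rule per remote endpoint is a maintenance burden and how a shared
address group lets a membership change flow into every referencing rule.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AddressGroup:
    """Named set of CIDR blocks (hypothetical model of the proposed object)."""
    name: str
    cidrs: List = field(default_factory=list)

    def __post_init__(self):
        # Accept bare addresses ("1.1.1.1") as /32 or /128, like the CLI sketch.
        self.cidrs = [ipaddress.ip_network(c, strict=False) for c in self.cidrs]

    def add(self, cidr: str) -> None:
        self.cidrs.append(ipaddress.ip_network(cidr, strict=False))

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        # Address-family mismatch (v4 addr vs v6 net) is simply "not contained".
        return any(addr in net for net in self.cidrs)


@dataclass
class Rule:
    direction: str                                   # "ingress" or "egress"
    remote_ip_prefix: Optional[str] = None           # existing Neutron attribute
    remote_address_group: Optional[AddressGroup] = None  # proposed attribute

    def matches(self, direction: str, ip: str) -> bool:
        if direction != self.direction:
            return False
        if self.remote_address_group is not None:
            return self.remote_address_group.contains(ip)
        if self.remote_ip_prefix is not None:
            net = ipaddress.ip_network(self.remote_ip_prefix, strict=False)
            return ipaddress.ip_address(ip) in net
        return True  # no remote filter at all: any remote matches


class SecurityGroup:
    """Default-deny: traffic passes only if at least one rule allows it."""

    def __init__(self, rules=None):
        self.rules = list(rules or [])

    def allows(self, direction: str, ip: str) -> bool:
        return any(r.matches(direction, ip) for r in self.rules)


def per_endpoint_rules(endpoints: List[str]) -> SecurityGroup:
    """Status quo: one egress rule per non-contiguous endpoint."""
    return SecurityGroup([Rule("egress", remote_ip_prefix=e) for e in endpoints])


def address_group_rules(group: AddressGroup) -> SecurityGroup:
    """Proposed: a single egress rule that references the group."""
    return SecurityGroup([Rule("egress", remote_address_group=group)])


def effective_prefixes(sg: SecurityGroup) -> List[tuple]:
    """Flatten rules into (direction, cidr) pairs, the shape a backend would program."""
    out = []
    for r in sg.rules:
        if r.remote_address_group is not None:
            out.extend((r.direction, str(n)) for n in r.remote_address_group.cidrs)
        elif r.remote_ip_prefix is not None:
            net = ipaddress.ip_network(r.remote_ip_prefix, strict=False)
            out.append((r.direction, str(net)))
        else:
            out.append((r.direction, "any"))
    return out


def demo() -> dict:
    """Walk through the use case; returns the observations as a dict."""
    endpoints = ["1.1.1.1", "2.2.2.2"]           # constructed sample endpoints
    legacy = per_endpoint_rules(endpoints)
    group = AddressGroup("External Services", endpoints)
    grouped = address_group_rules(group)

    before = {
        "legacy_allows_1": legacy.allows("egress", "1.1.1.1"),
        "grouped_allows_1": grouped.allows("egress", "1.1.1.1"),
        "grouped_denies_3": not grouped.allows("egress", "3.3.3.3"),
        "no_ingress": not grouped.allows("ingress", "1.1.1.1"),
    }
    # A new service endpoint appears: only the address group is edited.
    group.add("3.3.3.3")
    after = {
        "legacy_still_denies_3": not legacy.allows("egress", "3.3.3.3"),
        "grouped_now_allows_3": grouped.allows("egress", "3.3.3.3"),
        "grouped_prefixes": effective_prefixes(grouped),
    }
    return {**before, **after}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model makes the security-relevant point explicit: with the default allow-egress rules removed, the address group is the single place that defines which external hosts a tenant may reach, so write access to the group is effectively write access to every tenant's egress policy that references it, and it should be protected accordingly.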
