My responses are inline:
>Let's start from the question about Deny. There are no Deny actions. By
>default there is no connectivity. If you want to establish that you do it
>with Allow or other actions; otherwise no connectivity. Hence no need to
>have Deny.

This makes sense. 

>The policies generally apply to the whole group. The idea is to simplify
>the use of contract and policy rules by applying them to a group of like
>minded :) endpoints.
>So you may reconsider how you group your endpoints into groups so you can
>apply policies to groups of endpoints with similar characteristics/roles.

This makes sense.  Group-level policies should be applied to the entire
group.  So, am I correct in saying that policies can _only_ be applied to
entire groups, and not individual VM’s within a group? This makes the
assumption that each VM _does not_ have a unique group akin to
users on most Linux systems.  For example, you have a VM named
VM1.  VM1 is a member of one group, web servers. There is no unique
group named: VM1

The last post seemed to indicate that you can apply policies to specific
VM’s within a group.  

Lastly, what is the relationship between group policies and FWaaS?

Thank You,

Mike Grima, RHCE
OpenStack-dev mailing list

Reply via email to