Mohammad, My responses are inline: >Let's start from the question about Deny. There are no Deny actions. By >default there is no connectivity. If you want to establish that you do it >with Allow or other actions; otherwise no connectivity. Hence no need to >have Deny.
This makes sense. >The policies generally apply to the whole group. The idea is to simplify >the use of contract and policy rules by applying them to a group of like >minded :) endpoints. >So you may reconsider how you group your endpoints into groups so you can >apply policies to groups of endpoints with similar characteristics/roles. This makes sense. Group-level policies should be applied to the entire group. So, am I correct in saying that policies can _only_ be applied to entire groups, and not individual VM’s within a group? This makes the assumption that each VM _does not_ have a unique group akin to users on most Linux systems. For example, you have a VM named VM1. VM1 is a member of one group, web servers. There is no unique group named: VM1 The last post seemed to indicate that you can apply policies to specific VM’s within a group. Lastly, what is the relationship between group policies and FWaaS? Thank You, Mike Grima, RHCE _______________________________________________ OpenStack-dev mailing list OpenStackemail@example.com http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev