Hi Salvatore:
On Mon, Nov 25, 2013 at 2:02 PM, Salvatore Orlando <[email protected]> wrote:

> Hi Lorin,
> I think yours is a very good question; I am afraid I am not able to
> provide a straight answer regarding in which cases one service should be
> preferred to the other.
>
> Technically the difference would be that a firewall rule is enforced only
> at the edge of your network, and is therefore not enforced for intra-tenant
> and inter-tenant traffic, whereas a security group rule is enforced on
> every port where the security group applies.
>
> As an example, one could use a security group to allow traffic on ports 80
> and 443 on all instances regardless of the source security group, and a
> firewall rule to block access to port 80 from external sources. The result
> would be that HTTP would be open for 'internal' traffic whereas only HTTPS
> would be available for externally-generated traffic.
>

Can you confirm that the FWaaS rules won't apply to inter-tenant traffic? In a public cloud situation I would think an end-user would expect tenant isolation: traffic from other tenants to be treated the same way as external traffic.

Lorin

--
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com
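The two enforcement points discussed in this thread, as an added example that is not part of either message and is not Neutron code: a small Python model that evaluates the quoted port 80/443 policy for traffic of different origins. Assumptions: the rule sets are constructed from the quoted example, both layers default to deny, the firewall's allow rule for 443 is added so that HTTPS passes the edge, and the hypothetical flag `fw_sees_inter_tenant` stands for the open question of whether traffic from other tenants crosses the firewall.

```python
"""Toy model of edge-firewall vs. per-port security-group enforcement."""

# Constructed policy, taken from the example in the quoted message.
SECURITY_GROUP = {80: "allow", 443: "allow"}   # applied on every instance port
FIREWALL = {80: "deny", 443: "allow"}          # applied only at the network edge
                                               # (allow 443 is an assumption)
ORIGINS = ("external", "inter-tenant", "intra-tenant")


def lookup(rules, port):
    """Return the action for a port; unmatched traffic is denied (assumption)."""
    return rules.get(port, "deny")


def verdict(port, origin, fw_sees_inter_tenant=False):
    """Decide what happens to a connection to `port` coming from `origin`.

    fw_sees_inter_tenant=False follows the quoted description: only
    externally generated traffic is filtered by the edge firewall.
    """
    if origin not in ORIGINS:
        raise ValueError(f"unknown origin: {origin}")
    crosses_edge = origin == "external" or (
        origin == "inter-tenant" and fw_sees_inter_tenant
    )
    if crosses_edge and lookup(FIREWALL, port) == "deny":
        return "blocked at edge firewall"
    # The security group is evaluated for every packet reaching the port,
    # whatever path it took to get there.
    if lookup(SECURITY_GROUP, port) == "deny":
        return "blocked at port (security group)"
    return "allowed"


def matrix(fw_sees_inter_tenant=False):
    """Verdicts for HTTP, HTTPS and SSH from each origin."""
    return {
        (port, origin): verdict(port, origin, fw_sees_inter_tenant)
        for port in (80, 443, 22)
        for origin in ORIGINS
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"firewall sees inter-tenant traffic: {flag}")
        for (port, origin), result in matrix(flag).items():
            print(f"  port {port:<3} from {origin:<12} -> {result}")
```

The only rows that change between the two runs are the inter-tenant ones, which is the isolation property the reply asks about.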
