** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1592028

Title:
  [RFE] Support security-group-rule creation with address-groups

Status in neutron:
  Fix Released

Bug description:
  Currently, security-group rules can be created with the remote-ip-
  prefix attribute to specify origin (if ingress) or destination (if
  egress) address filter, this RFE suggests the use of address-groups
  (group of IP CIDR blocks, as defined for FWaaS v2) to support multiple
  remote address/es in one security-group rule.

  [Problem description]
  An OpenStack cloud may require connectivity between instances and external
  services which are not provisioned by OpenStack; each service may also have
  multiple endpoints. In order for tenant instances to be able to access these
  external hosts (and only them), it is required to define a security-group with
  rules that allow traffic to these specific services, one rule per service
  endpoint (assuming endpoint addresses aren't contiguous).
  This process can easily become cumbersome - for each new service endpoint it
  is required to create a specific rule for each tenant.

  To overcome this usability issue, it is suggested that Neutron support
  an API to group IP CIDR blocks in an object which could later be referenced
  when creating a security-group-rule - the user will pass the AddressGroup
  object id as the 'remote-ip-prefix' attribute or as another new attribute.
  Whenever it's required to add a service endpoint, the new IP address will be
  added to the relevant AddressGroup - as a side effect, changes will be
  reflected in the underlying security-group rules.

  NOTE: For the purpose of the use-case above, the default allow-egress
  rules are removed ("zero trust" model) once the default sg is created.

  A possible example of use in the CLI:

  $ neutron address-group-create --cidrs 1.1.1.1,2.2.2.2 "External Services"
  $ neutron security-group-rule-create --direction egress \
      --remote-address-group <AG_ID>
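The following is an added illustration (not Neutron code) of the behaviour the RFE asks for: a rule that references an address group resolves to one effective entry per CIDR in the group, so adding an endpoint to the group widens what the rule permits without editing the rule itself. The AddressGroup, Rule, expand and egress_allowed names are hypothetical, and the zero-trust egress check assumes the default allow-egress rules have been removed as the NOTE above describes.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AddressGroup:
    """Named set of IP CIDR blocks (hypothetical model of the proposed object)."""
    name: str
    cidrs: set = field(default_factory=set)

    def add(self, cidr):
        # Normalise so "1.1.1.1" and "1.1.1.1/32" compare equal.
        self.cidrs.add(ipaddress.ip_network(cidr, strict=False))


@dataclass
class Rule:
    """Rule carrying either a literal remote prefix or an address-group reference."""
    direction: str
    remote_ip_prefix: str = None
    remote_address_group: AddressGroup = None


def expand(rules):
    """Resolve each rule to the concrete (direction, network) pairs it permits now.
    A group-backed rule yields one pair per CIDR currently in the group, so
    editing the group changes the effective rule set without touching the rule."""
    effective = set()
    for r in rules:
        if r.remote_address_group is not None:
            nets = r.remote_address_group.cidrs
        else:
            nets = {ipaddress.ip_network(r.remote_ip_prefix, strict=False)}
        for n in nets:
            effective.add((r.direction, n))
    return effective


def egress_allowed(rules, dst_ip):
    """Zero-trust check: egress only if some effective egress entry covers dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    return any(d == "egress" and ip in n for d, n in expand(rules))


def demo():
    ext = AddressGroup("External Services")      # constructed sample group
    ext.add("1.1.1.1")
    ext.add("2.2.2.2")
    rules = [Rule("egress", remote_address_group=ext)]
    before = egress_allowed(rules, "3.3.3.3")    # endpoint not yet in the group
    ext.add("3.3.3.0/24")                        # add the new endpoint to the group only
    after = egress_allowed(rules, "3.3.3.3")     # rule now covers it, unchanged
    return before, after, len(expand(rules))
```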

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp