Public bug reported:
Currently, security-group rules can be created with the remote-ip-prefix
attribute to specify an origin (if ingress) or destination (if egress)
address filter. This RFE suggests the use of address-groups (groups of IP
CIDR blocks, as defined for FWaaS v2) to support multiple remote
addresses in one security-group rule.
[Problem description]
An OpenStack cloud may require connectivity between instances and external
services which are not provisioned by OpenStack; each service may also have
multiple endpoints. In order for tenant instances to be able to access these
external hosts (and only them), it is required to define a security-group with
rules that allow traffic to these specific services, one rule per service
endpoint (assuming the endpoint addresses aren't contiguous).
This process can easily become cumbersome - for each new service endpoint it is
required to create a specific rule for each tenant.
To overcome this usability issue, it is suggested that Neutron support an
API to group IP CIDR blocks in an object which could later be referenced when
creating a security-group-rule - the user will pass the AddressGroup object id
as the 'remote-ip-prefix' attribute or as a new attribute.
Whenever it's required to add a service endpoint, the new IP address will be
added to the relevant AddressGroup - as a side effect, changes will be
reflected in the underlying security-group rules.
NOTE: For the purpose of the use-case above, the default allow-egress
rules are removed ("zero trust" model) once the default sg is created.
A possible example of use in the CLI:
$ neutron address-group-create --cidrs 1.1.1.1,2.2.2.2 "External Services"
$ neutron security-group-rule-create --direction egress --remote-address-group <AG_ID>
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1592028
Title:
[RFE] Support security-group-rule creation with address-groups
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1592028/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
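The following is an added example, not part of the bug report above and not Neutron code: a minimal Python model of the semantics the RFE proposes, so the "side effect" can be seen concretely. An AddressGroup holds normalised networks, a SecurityGroupRule references either a remote prefix or a group, expand_rule() resolves a rule into the concrete networks a backend would program (dropping group entries of the wrong IP version), and permits() is the default-deny check that results once the allow-all egress rules are removed. The class and function names, the refusal of very broad prefixes (max_hosts) and the sample addresses are all assumptions made for illustration.

```python
# Added example, not Neutron's code: a small model of address-group
# semantics as proposed in the RFE. All names here are assumptions.
import ipaddress


class AddressGroup:
    """Named set of IP networks; bare host addresses become /32 or /128."""

    def __init__(self, name, cidrs=(), max_hosts=2 ** 16):
        self.name = name
        # Assumed guard: an address group that a rule references can widen
        # that rule with a single edit, so refuse entries broader than a /16
        # (e.g. 0.0.0.0/0) instead of silently turning an allowlist into
        # allow-any.
        self.max_hosts = max_hosts
        self.cidrs = set()
        for cidr in cidrs:
            self.add(cidr)

    def add(self, cidr):
        # strict=False accepts "1.1.1.1" (-> 1.1.1.1/32) and host bits set;
        # ip_network raises ValueError on junk such as "1.1.1.256".
        net = ipaddress.ip_network(cidr, strict=False)
        if net.num_addresses > self.max_hosts:
            raise ValueError("%s covers more than %d addresses"
                             % (net, self.max_hosts))
        self.cidrs.add(net)
        return net

    def remove(self, cidr):
        self.cidrs.discard(ipaddress.ip_network(cidr, strict=False))


class SecurityGroupRule:
    """A rule filters on exactly one of remote_ip_prefix / remote_address_group."""

    def __init__(self, direction, ethertype="IPv4",
                 remote_ip_prefix=None, remote_address_group=None):
        if direction not in ("ingress", "egress"):
            raise ValueError("direction must be ingress or egress")
        if (remote_ip_prefix is None) == (remote_address_group is None):
            raise ValueError("give exactly one of remote_ip_prefix or "
                             "remote_address_group")
        self.direction = direction
        self.ethertype = ethertype
        self.remote_ip_prefix = (
            ipaddress.ip_network(remote_ip_prefix, strict=False)
            if remote_ip_prefix is not None else None)
        self.remote_address_group = remote_address_group


def expand_rule(rule):
    """Resolve a rule into the (direction, ethertype, network) tuples a
    backend would program. Group entries of the other IP version are skipped
    rather than programmed into a rule of the wrong ethertype."""
    version = 4 if rule.ethertype == "IPv4" else 6
    if rule.remote_ip_prefix is not None:
        nets = [rule.remote_ip_prefix]
    else:
        # The group is resolved at expansion time, which is what makes a
        # later group edit show up in every rule that references it.
        nets = sorted(rule.remote_address_group.cidrs, key=str)
    return [(rule.direction, rule.ethertype, n)
            for n in nets if n.version == version]


def permits(rules, direction, address):
    """Default-deny: traffic is allowed only if some expanded rule matches."""
    addr = ipaddress.ip_address(address)
    for rule in rules:
        for rule_dir, _, net in expand_rule(rule):
            if rule_dir == direction and addr in net:
                return True
    return False


def demo():
    """The RFE's scenario with constructed sample addresses: one egress rule
    referencing a group, default allow-egress removed, then a new endpoint
    added to the group only."""
    external = AddressGroup("External Services", ["1.1.1.1", "2.2.2.2"])
    rules = [SecurityGroupRule("egress", remote_address_group=external)]
    before = permits(rules, "egress", "3.3.3.3")   # not yet an endpoint
    external.add("3.3.3.3")                        # one edit to the group...
    after = permits(rules, "egress", "3.3.3.3")    # ...and the rule follows
    return before, after
```

The point a reviewer of the real feature would want checked is the one demo() exercises: because the group is resolved when the rule is expanded, every rule that references it changes the moment the group does, which is convenient for adding endpoints but also means a single over-broad entry widens every tenant's allowlist at once; hence the max_hosts guard in add().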