[RFE] Support security-group-rule creation with address-groups
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Wishlist | Miguel Lavalle |
Bug Description
Currently, security-group rules can be created with the remote-ip-prefix attribute to specify an origin (if ingress) or destination (if egress) address filter. This RFE suggests the use of address groups (groups of IP CIDR blocks, as defined for FWaaS v2) to support multiple remote addresses in one security-group rule.
[Problem description]
An OpenStack cloud may require connectivity between instances and external services which are not provisioned by OpenStack; each service may also have multiple endpoints. In order for tenant instances to be able to access these external hosts (and only them), it is required to define a security group with rules that allow traffic to these specific services, one rule per service endpoint (assuming endpoint addresses aren't contiguous).
This process can easily become cumbersome - for each new service endpoint it is required to create a specific rule for each tenant.
To overcome this usability issue, it is suggested that Neutron support an API to group IP CIDR blocks in an object which could later be referenced when creating a security-group rule - the user would pass the AddressGroup object id as the ‘remote-ip-prefix’ attribute or as another new attribute.
Whenever it's required to add a service endpoint, the new IP address will be added to the relevant AddressGroup - as a side effect, changes will be reflected in the underlying security-group rules.
NOTE: For the purpose of the use-case above, the default allow-egress rules are removed ("zero trust" model) once the default sg is created.
A possible example of use in the CLI:
$ neutron address-
$ neutron security-
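The following is an added example, not code from this RFE or from the Neutron project. It models the semantics the description asks for: a security-group rule carries either a literal remote_ip_prefix or a reference to an address group, the group's CIDRs are resolved when traffic is evaluated, and the security group starts with no default egress rules (the "zero trust" note above). The attribute name remote_address_group_id, the group/rule field layout and the evaluation order are assumptions made for illustration; the sample CIDRs and addresses are constructed.

```python
"""Toy model of Neutron-style security-group rules referencing an address group.

Added example; attribute names and evaluation order are assumptions, not the
Neutron API. The point it demonstrates: a rule that references an address
group is resolved at evaluation time, so adding a new endpoint CIDR to the
group changes what every referencing rule matches without editing any rule.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AddressGroup:
    id: str
    addresses: List[str] = field(default_factory=list)  # CIDR strings

    def networks(self):
        return [ipaddress.ip_network(a, strict=False) for a in self.addresses]


@dataclass
class SecurityGroupRule:
    direction: str                       # "ingress" or "egress"
    protocol: Optional[str] = None       # None matches any protocol
    port_min: Optional[int] = None       # None matches any port
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None
    remote_address_group_id: Optional[str] = None  # assumed attribute name

    def __post_init__(self):
        # Mirror the existing remote_ip_prefix/remote_group_id exclusivity:
        # a rule may name at most one kind of remote filter.
        if self.remote_ip_prefix and self.remote_address_group_id:
            raise ValueError("remote_ip_prefix and remote_address_group_id are exclusive")
        if (self.port_min is None) != (self.port_max is None):
            raise ValueError("port_min and port_max must be set together")


class SecurityGroup:
    """Default-deny in both directions: no allow-egress rules are pre-installed."""

    def __init__(self, address_groups: Dict[str, AddressGroup]):
        self.rules: List[SecurityGroupRule] = []
        self._groups = address_groups  # shared registry, looked up by id

    def remote_networks(self, rule: SecurityGroupRule):
        if rule.remote_ip_prefix:
            return [ipaddress.ip_network(rule.remote_ip_prefix, strict=False)]
        if rule.remote_address_group_id:
            # Resolved on every evaluation: the rule stores a reference, not a copy.
            return self._groups[rule.remote_address_group_id].networks()
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]

    def allows(self, direction: str, remote_ip: str, protocol: str, port: int) -> bool:
        addr = ipaddress.ip_address(remote_ip)
        for rule in self.rules:
            if rule.direction != direction:
                continue
            if rule.protocol is not None and rule.protocol != protocol:
                continue
            if rule.port_min is not None and not rule.port_min <= port <= rule.port_max:
                continue
            if any(addr in net for net in self.remote_networks(rule)
                   if net.version == addr.version):
                return True
        return False  # no matching allow rule: dropped


def build_example():
    """Constructed sample: one address group of external service endpoints,
    one egress rule allowing TCP/443 to whatever the group contains."""
    groups = {"ag-ext-svc": AddressGroup("ag-ext-svc",
                                         ["203.0.113.10/32", "198.51.100.0/24"])}
    sg = SecurityGroup(groups)
    sg.rules.append(SecurityGroupRule("egress", "tcp", 443, 443,
                                      remote_address_group_id="ag-ext-svc"))
    return sg, groups


def demo():
    """Add a new endpoint CIDR to the group only; the rule is never touched."""
    sg, groups = build_example()
    before = sg.allows("egress", "192.0.2.7", "tcp", 443)   # not yet in the group
    groups["ag-ext-svc"].addresses.append("192.0.2.0/24")   # new service endpoint
    after = sg.allows("egress", "192.0.2.7", "tcp", 443)    # now matched via the group
    return before, after


if __name__ == "__main__":
    print(demo())
```

Tenants sharing the same address group all pick up the new endpoint from a single update, which is the usability point of the RFE; the flip side is that whoever can edit the group can widen every rule referencing it, so group edit rights deserve the same scrutiny as rule edit rights.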
Changed in neutron: importance: Undecided → Wishlist; tags: added rfe sg-fw
Changed in neutron: status: New → Confirmed
Changed in neutron: assignee: nobody → Roey Chen (roeyc); tags: added rfe-triaged, removed rfe-postponed
Changed in neutron: assignee: Roey Chen (roeyc) → Miguel Lavalle (minsel)
Changed in neutron: milestone: victoria-2 → none
Changed in neutron: status: Triaged → In Progress
Changed in neutron: status: In Progress → Fix Released
Let's bring this for discussion.