I agree that diverse security approaches will create a burden on Octavia to add security groups to the amphorae.
So in the example shown, the loadbalancer security groups needed to be:
(default, lb-5cfd45c7-e12b-4dd7-8be3-f2c31ac110a5, lb-mgmt-sec-grp), instead of only
(lb-5cfd45c7-e12b-4dd7-8be3-f2c31ac110a5, lb-mgmt-sec-grp), for traffic to pass from the amphorae to the server.
This shouldn't be required, to my understanding, as the lb-5cf** group already allows HTTP traffic (listener port), and the amphorae have traffic interfaces on the same tenant subnet of the server.
But in some situations, traffic does not pass from the amphorae to the servers, and I added the default security group manually (bad thing, I know) to the loadbalancer to make it work.