OpenStack Security Groups

OpenStack Security Groups provide hypervisor-based firewall functionality for web-scale applications. These security groups allow you to define “roles” for server instances, and then apply firewall rules consistently across all server instances participating in that role. For example, a “web server” role might enable inbound traffic to ports 80 and 443, while an “app server” role might enable ports 8005, 8080, and 8009, but only if the traffic originates from a server in the “web server” role.

Defining security groups is a simple way to provide firewall functionality without the extra cost of a hardware appliance.

Since each customer at Internap is assigned two VLANs with public and private IP address blocks respectively, security groups provide a mechanism for establishing policy-based relationships between clusters of server instances within a single application. For example, you can define rules that permit replication traffic between database servers over the VLAN with the private IP addresses, but only permit inbound database queries over another port from web servers.

Additionally, one can configure a security group to only allow certain outbound traffic to a specific port on a specific IP address, such as a web server sending log data to a syslog server.

Security groups are implemented on the hypervisor; they are not host-based firewalls.
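The web server, app server and database roles described above, written out as python-openstackclient commands. This is an added example, not Internap's or the OpenStack project's own code; the role names, the private VLAN prefix, the syslog address and the database port numbers are placeholders. The one check it adds beyond the text is that a new group comes with allow-all egress rules, which must be removed before outbound traffic can be restricted.

```shell
#!/bin/sh
# Added example (not Internap's or OpenStack's own code): the three roles from
# the text as python-openstackclient commands. Run with OSC=echo to print the
# commands instead of sending them to a cloud. Role names and the values below
# are placeholders chosen for this example.
OSC="${OSC:-openstack}"
PRIVATE_VLAN="${PRIVATE_VLAN:-10.0.0.0/24}"  # placeholder private address block
SYSLOG_IP="${SYSLOG_IP:-192.0.2.10}"         # placeholder syslog server address

# sg_ingress <group> <tcp-port> <--remote-ip CIDR | --remote-group GROUP>
# A --remote-group rule matches traffic from any instance that is a member of
# that group; this is what lets one role trust another instead of an IP list.
sg_ingress() {
  $OSC security group rule create --ingress --protocol tcp --dst-port "$2" "$3" "$4" "$1"
}

# sg_egress_only_to <group> <tcp-port> <ip>
# Neutron gives every new group "allow all egress" rules (IPv4 and IPv6), so
# restricting outbound traffic means deleting those first, then adding the
# single permitted destination.
sg_egress_only_to() {
  $OSC security group rule list "$1" --egress -f value -c ID |
    while read -r rule_id; do $OSC security group rule delete "$rule_id"; done
  $OSC security group rule create --egress --protocol tcp --dst-port "$2" --remote-ip "$3/32" "$1"
}

build_roles() {
  for role in web-server app-server db-server; do
    $OSC security group create "$role" --description "$role role"
  done
  # web server role: HTTP/HTTPS from anywhere
  sg_ingress web-server 80  --remote-ip 0.0.0.0/0
  sg_ingress web-server 443 --remote-ip 0.0.0.0/0
  # app server role: Tomcat ports, but only from members of the web-server role
  for p in 8005 8080 8009; do sg_ingress app-server "$p" --remote-group web-server; done
  # db server role: replication (placeholder port 3306) over the private VLAN,
  # client queries on a separate placeholder port 6033 only from web servers
  sg_ingress db-server 3306 --remote-ip "$PRIVATE_VLAN"
  sg_ingress db-server 6033 --remote-group web-server
  # web servers may only send syslog (TCP 514) to the syslog host
  sg_egress_only_to web-server 514 "$SYSLOG_IP"
}

# Attach a role to a running instance; the same group name can also be given
# at launch with "openstack server create --security-group <role> ...".
assign_role() { $OSC server add security group "$1" "$2"; }

if [ "${1:-}" = "apply" ]; then build_roles; fi
```

Tightening the replication rule to `--remote-group db-server` would limit it to database instances rather than any host on the private VLAN.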

Pros
Hypervisor-based; scales with your application server instances
Defines roles for group trust relationships
Easily add servers to, or remove them from, a security group
Apply security groups when launching an instance
Apply a security group to a running instance

Cons
Only provides packet filtering
Does not provide additional, non-firewall features (VPN, QoS, etc.) commonly supported by a traditional hardware appliance
May require re-architecting an application