This article provides answers to common questions about Cloud Networks security groups.
What are security groups?
Security groups are named collections of network access rules that enable Rackspace Public Cloud users to specify the types of traffic that are allowed to pass through PublicNet and ServiceNet ports on a Cloud Servers instance. A security group is a container for security group rules. After you launch an instance, you can assign one or more security groups to ports on that instance. Security groups act as a stateful firewall for your Cloud Server instances.
Where is the documentation?
Developer guide: http://docs.rackspace.com/networks/api/v2/cn-devguide/content/conceptSecurityGroups.html
Getting started guide: http://docs.rackspace.com/networks/api/v2/cn-gettingstarted/content/security_groups.html
What are the benefits of using security groups?
Prior to the release of this feature, users had to manage traffic to and from their instances individually, for example with iptables rules on every instance, or with third-party tools such as CloudPassage. Managing firewall policy host by host involves significant overhead. Security groups make it possible to use a self-service API to define a common set of rules once and apply them to servers without maintaining iptables rules on each one. Security groups simplify security policy administration for customers across their deployments.
What is being launched?
We are launching security groups as limited availability in all data centers, so customers can request the security groups feature and receive provisioned endpoints in their service catalog. Security groups are supported for Managed Infrastructure (non RackConnect) customers at launch.
What features are supported at launch?
With the limited availability launch in early 2015, we support only inbound security groups on both PublicNet and ServiceNet interfaces. This means that customers can filter incoming traffic to their PublicNet and ServiceNet ports. We will add outbound security group support later in 2015.
Are security groups on Cloud Networks supported?
Not at this time. We will add support later in 2015.
Will security groups be supported via the neutron client?
Yes. Users can provision security groups via the neutron client.
Is this functionality integrated with and available from the Cloud Control Panel?
Not yet. The product will be available soon. In the interim, you can use either the neutron client or the API.
Are security groups supported for OnMetal users?
No. We currently support security groups only for virtual cloud servers.
Is a default security group applied to my instances?
No default security groups are applied. Users must create a security group themselves and apply it to ports on an instance.
Can I apply security groups to ports on an instance at boot time?
No. Security groups can be applied only after the instance is active.
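The workflow described in the answers above (create a group, add ingress rules, then attach it to a port once the server is ACTIVE), written as an added example using the neutron client. This is not code from the Rackspace documentation; the group name `web-ingress`, the CIDRs and the port ID are placeholders, and the script only prints the commands unless `SG_DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example (not from the Rackspace docs): drive the security-group
# workflow with the neutron client. Group name, CIDRs and port id below are
# placeholders. Set SG_DRY_RUN=0 to execute against your endpoint.
SG_DRY_RUN="${SG_DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$SG_DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create an empty group. Until rules are added it blocks all inbound traffic
# on any port it is attached to.
sg_create() {
    run neutron security-group-create "$1"
}

# Allow one TCP or UDP port range from a CIDR. Only ingress is available at
# launch, and the ethertype must match the address family of the CIDR, so an
# IPv4 rule never admits IPv6 traffic (and vice versa).
# usage: sg_allow GROUP tcp|udp PORT_MIN PORT_MAX CIDR
sg_allow() {
    group="$1" proto="$2" lo="$3" hi="$4" cidr="$5"
    case "$cidr" in
        *:*) ethertype=IPv6 ;;
        *)   ethertype=IPv4 ;;
    esac
    run neutron security-group-rule-create --direction ingress \
        --ethertype "$ethertype" --protocol "$proto" \
        --port-range-min "$lo" --port-range-max "$hi" \
        --remote-ip-prefix "$cidr" "$group"
}

# Attach a group to a port. The instance must already be ACTIVE; find the
# port id with `neutron port-list`. Repeat --security-group to stack groups
# (up to the per-port limit).
# usage: sg_attach GROUP PORT_ID
sg_attach() {
    run neutron port-update "$2" --security-group "$1"
}

# Demo: SSH from an admin range only, HTTPS from anywhere over v4 and v6,
# then attach to one port. The port id is a placeholder.
sg_create web-ingress
sg_allow web-ingress tcp 22 22 203.0.113.0/24
sg_allow web-ingress tcp 443 443 0.0.0.0/0
sg_allow web-ingress tcp 443 443 ::/0
sg_attach web-ingress 11111111-2222-3333-4444-555555555555
```

Because the API is allow-only, the group above admits exactly SSH from 203.0.113.0/24 and HTTPS from anywhere; everything else inbound on that port is dropped, so add the management rule before attaching the group to a port you are administering over the network.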
What happens when a security group rule is added to the security group?
Traffic that matches the new security group rule is allowed to go through.
Can traffic be blocked or denied based on a security group rule?
No. Traffic that matches a rule is permitted, and any traffic that is not covered by the rules of the security groups on a port is dropped. Because of OpenStack API design requirements, you cannot write a rule that denies matching traffic, and rules have no order or priority. The security groups API is an allow list (whitelist): traffic that matches no rule is blocked implicitly, so the only way to "deny" something is to not allow it.
Is there any traffic that is permitted or allowed by default by security groups?
DNS responses from Rackspace Provider DNS servers (UDP source port 53) are allowed by default even if a security group does not explicitly allow them. TCP segments with the ACK or RST flag set are also permitted by default; this is what lets replies to connections your server initiates come back in, but it also means an inbound probe that carries the ACK flag (for example an ACK scan) is not filtered by the security group.
What kinds of traffic can be matched by the security group rules?
The following types of traffic can be matched (for both IPv4 and IPv6 addresses):
- TCP traffic
- UDP traffic
- ICMP traffic
- Traffic from a single source IP address
- Traffic from a source CIDR
Can I have a security group with no rules?
Yes. Such a security group will deny or block all traffic.
Are security groups applied to instances?
No. Security groups are applied to a Neutron port on a network that is attached to an instance and not to an instance itself.
What are the limits for security groups and rules?
- You can apply up to 5 security groups per port.
- You can have up to 20 security group rules per security group.
- You can have up to 100 security group rules (aggregate) per user during the limited availability release.
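To make the evaluation semantics in this FAQ concrete (allow-only rules, an empty group blocking everything, the default-permitted DNS responses and ACK/RST segments, groups attached to ports rather than instances, and the per-port and per-group limits), here is an added model in Python. It is not Rackspace code and does not talk to the API; it only reproduces the decision logic described above so you can check what a given set of groups will admit before applying it. The resolver addresses in `PROVIDER_DNS` and all packets are constructed placeholders, and the "no group means unfiltered" behaviour is this example's reading of the answer that no default group is applied.

```python
"""Added example (not Rackspace code): a model of the security-group
evaluation rules described in this FAQ. Addresses and packets are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MAX_GROUPS_PER_PORT = 5
MAX_RULES_PER_GROUP = 20
# Placeholder resolver addresses; the real Provider DNS addresses are not on this page.
PROVIDER_DNS = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("2001:db8::53")}


@dataclass(frozen=True)
class Packet:
    src: str                       # source address, IPv4 or IPv6
    dst_port: int
    proto: str                     # "tcp", "udp" or "icmp"
    src_port: int = 0
    tcp_flags: frozenset = frozenset()


@dataclass
class Rule:
    """One ingress allow rule. None in a field means 'any'."""
    proto: Optional[str] = None
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote: Optional[str] = None   # single address or CIDR

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.port_min is not None:
            hi = self.port_max if self.port_max is not None else self.port_min
            if not self.port_min <= pkt.dst_port <= hi:
                return False
        if self.remote is not None:
            net = ipaddress.ip_network(self.remote, strict=False)
            src = ipaddress.ip_address(pkt.src)
            # An IPv4 rule (even 0.0.0.0/0) never admits IPv6 sources, and vice versa.
            if src.version != net.version or src not in net:
                return False
        return True


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        if len(self.rules) >= MAX_RULES_PER_GROUP:
            raise ValueError(f"{self.name}: limit of {MAX_RULES_PER_GROUP} rules reached")
        self.rules.append(rule)


@dataclass
class Port:
    """Groups attach to a Neutron port, not to the instance."""
    groups: list = field(default_factory=list)

    def attach(self, group: SecurityGroup) -> None:
        if len(self.groups) >= MAX_GROUPS_PER_PORT:
            raise ValueError(f"limit of {MAX_GROUPS_PER_PORT} groups per port reached")
        self.groups.append(group)

    def allows(self, pkt: Packet) -> bool:
        # No default group is applied, so a port with no group is unfiltered
        # (this example's reading of the FAQ; assumption).
        if not self.groups:
            return True
        # Permitted regardless of rules: Provider DNS responses and TCP ACK/RST.
        if (pkt.proto == "udp" and pkt.src_port == 53
                and ipaddress.ip_address(pkt.src) in PROVIDER_DNS):
            return True
        if pkt.proto == "tcp" and pkt.tcp_flags & {"ACK", "RST"}:
            return True
        # Allow list: a match in any attached group permits; no match drops.
        # An attached group with no rules therefore contributes nothing.
        return any(rule.matches(pkt) for group in self.groups for rule in group.rules)


if __name__ == "__main__":
    web = SecurityGroup("web-ingress")
    web.add_rule(Rule(proto="tcp", port_min=443, port_max=443, remote="0.0.0.0/0"))
    web.add_rule(Rule(proto="tcp", port_min=22, port_max=22, remote="203.0.113.0/24"))
    port = Port()
    port.attach(web)
    syn = frozenset({"SYN"})
    print("https from anywhere:", port.allows(Packet("198.51.100.9", 443, "tcp", tcp_flags=syn)))
    print("ssh from outside admin range:", port.allows(Packet("198.51.100.9", 22, "tcp", tcp_flags=syn)))
```

Two things the model makes visible that are easy to miss when writing rules by hand: a `0.0.0.0/0` rule says nothing about IPv6 (PublicNet ports carry both), and because ACK-flagged segments bypass the rules, tests that send a bare SYN (a normal client connect) are the only meaningful way to confirm a port is closed.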