
Security Groups

SecurityGroups control which traffic may reach and leave a server and thus form the firewall at the infrastructure level: the rules are enforced on the virtual port in front of the instance, independently of any firewall inside the guest. A SecurityGroup is a set of SecurityGroupRules. Besides rules that open a port for an address range (a CIDR prefix), a rule can also reference another SecurityGroup as its remote side, so that membership in that group, rather than an address, grants the access.

~ : openstack security group create mysecuritygroup
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                                 |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2025-04-09T07:13:09Z                                                                                                                                  |
| description     | mysecuritygroup                                                                                                                                       |
| id              | 6cee68d5-43d3-4c67-8ae3-4421b3f46a6a                                                                                                                  |
| name            | mysecuritygroup                                                                                                                                       |
| project_id      | f7f8ed8191a048248c38982cd4b3d240                                                                                                                      |
| revision_number | 1                                                                                                                                                     |
| rules           | created_at='2025-04-09T07:13:09Z', direction='egress', ethertype='IPv4', id='c143e476-3cc8-470b-80f6-ce2473dadac8', updated_at='2025-04-09T07:13:09Z' |
|                 | created_at='2025-04-09T07:13:09Z', direction='egress', ethertype='IPv6', id='f8c00d23-9c8c-456d-ab68-3e1fdcdb59a0', updated_at='2025-04-09T07:13:09Z' |
| stateful        | True                                                                                                                                                  |
| tags            | []                                                                                                                                                    |
| updated_at      | 2025-04-09T07:13:09Z                                                                                                                                  |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+

Rules

When a SecurityGroup is created, two rules are added automatically: one egress rule each for IPv4 and IPv6, allowing all outbound traffic. No ingress rule exists, so inbound connections are blocked; because the group is stateful, replies to connections the server opened itself are still let back in. The egress rules can be removed later if they are not wanted. Newly created servers automatically receive the project's default SecurityGroup, which contains the same two egress rules (plus ingress rules that allow all traffic from other members of the default group), so the automatically created egress rules are usually redundant. If you plan to leave out the default SecurityGroup, keep the egress rules; without any egress rule the server cannot open outbound connections at all.

~ : openstack security group rule list mysecuritygroup
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| c143e476-3cc8-470b-80f6-ce2473dadac8 | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                  | None                 |
| f8c00d23-9c8c-456d-ab68-3e1fdcdb59a0 | None        | IPv6      | ::/0      |            | egress    | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
~ : openstack security group rule delete c143e476-3cc8-470b-80f6-ce2473dadac8 f8c00d23-9c8c-456d-ab68-3e1fdcdb59a0 # optional

IPv6

Servers usually receive a globally routable IPv6 address, so an ingress rule alone is enough to make a port reachable from the outside; there is no NAT in between. That also means a remote prefix of ::/0 exposes the port to the entire internet, so narrow it to the prefixes that actually need access wherever possible. The following example opens SSH to everyone:

~ : openstack security group rule create mysecuritygroup \
        --ingress \
        --ethertype ipv6 \
        --remote-ip ::/0 \
        --proto tcp --dst-port 22 \
        --description "Allow access to SSH externally (IPv6)"
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| created_at              | 2025-04-09T07:15:11Z                 |
| description             | Allow access to SSH externally       |
| direction               | ingress                              |
| ether_type              | IPv6                                 |
| id                      | bc08d14f-11e4-420a-918c-2bf8246c35e3 |
| name                    | None                                 |
| port_range_max          | 22                                   |
| port_range_min          | 22                                   |
| project_id              | f7f8ed8191a048248c38982cd4b3d240     |
| protocol                | tcp                                  |
| remote_address_group_id | None                                 |
| remote_group_id         | None                                 |
| remote_ip_prefix        | ::/0                                 |
| revision_number         | 0                                    |
| security_group_id       | 6cee68d5-43d3-4c67-8ae3-4421b3f46a6a |
| tags                    | []                                   |
| updated_at              | 2025-04-09T07:15:11Z                 |
+-------------------------+--------------------------------------+
~ : openstack security group rule list mysecuritygroup
+--------------------------------------+-------------+-----------+----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+----------+------------+-----------+-----------------------+----------------------+
| bc08d14f-11e4-420a-918c-2bf8246c35e3 | tcp         | IPv6      | ::/0     | 22:22      | ingress   | None                  | None                 |
+--------------------------------------+-------------+-----------+----------+------------+-----------+-----------------------+----------------------+

IPv4

Under IPv4 a server normally has only a private address and leaves the project network through source NAT on the router, so an ingress rule alone does not make the port reachable from the outside. A FloatingIP must first be attached to the server; only then does a 0.0.0.0/0 rule expose the port to the internet. Inside the project network the port is open as soon as the rule exists and can be reached by other servers in the same network or in networks attached to the same router.

~ : openstack security group rule create mysecuritygroup \
        --ingress \
        --remote-ip 0.0.0.0/0 \
        --proto tcp --dst-port 22 \
        --description "Allow access to SSH externally (IPv4)"
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| created_at              | 2025-04-09T07:36:46Z                 |
| description             | Allow access to SSH externally       |
| direction               | ingress                              |
| ether_type              | IPv4                                 |
| id                      | 5c9a666d-e7a8-4587-b731-ea3a22627ce7 |
| name                    | None                                 |
| port_range_max          | 22                                   |
| port_range_min          | 22                                   |
| project_id              | f7f8ed8191a048248c38982cd4b3d240     |
| protocol                | tcp                                  |
| remote_address_group_id | None                                 |
| remote_group_id         | None                                 |
| remote_ip_prefix        | 0.0.0.0/0                            |
| revision_number         | 0                                    |
| security_group_id       | 6cee68d5-43d3-4c67-8ae3-4421b3f46a6a |
| tags                    | []                                   |
| updated_at              | 2025-04-09T07:36:46Z                 |
+-------------------------+--------------------------------------+
~ : openstack security group rule list mysecuritygroup
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 5c9a666d-e7a8-4587-b731-ea3a22627ce7 | tcp         | IPv4      | 0.0.0.0/0 | 22:22      | ingress   | None                  | None                 |
| bc08d14f-11e4-420a-918c-2bf8246c35e3 | tcp         | IPv6      | ::/0      | 22:22      | ingress   | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
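The two SSH rules above are open to every source address, which is the kind of rule an audit should catch. The following script is an added example, not code from the original page: it reads the JSON that `openstack security group rule list <group> -f json` prints (the keys are the column titles of the tables above) and reports every ingress rule that is reachable from anywhere on a port outside an allowlist. `SAMPLE_RULES` is constructed here in that shape from rules shown on this page plus one made-up allow-all rule; `PUBLIC_OK` is an assumption about which services are meant to be public. One detail worth noting: for `--remote-group` rules the CLI still prints `0.0.0.0/0` or `::/0` in the IP Range column, so a naive grep for those prefixes produces false positives; the check below looks at the remote group first.

```python
"""Audit exported SecurityGroup rules for ports exposed to the whole internet.

Added example, not code from the original page. Input is the JSON printed by
`openstack security group rule list <group> -f json`; SAMPLE_RULES below is
constructed in that shape. PUBLIC_OK is an assumption about which services
may face the internet.
"""
import ipaddress
import json
import re

WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
PUBLIC_OK = {("tcp", 80), ("tcp", 443)}   # assumption: only HTTP(S) is meant to be public
PORT_RANGE = re.compile(r"^(\d+):(\d+)$")


def rule_row(rid, proto, ether, prefix, ports, direction, rgroup=None):
    """Build one list entry with the column titles the CLI uses as JSON keys."""
    return {"ID": rid, "IP Protocol": proto, "Ethertype": ether, "IP Range": prefix,
            "Port Range": ports, "Direction": direction,
            "Remote Security Group": rgroup, "Remote Address Group": None}


SAMPLE_RULES = json.dumps([
    # from the page: SSH open to anyone over IPv4 and IPv6
    rule_row("5c9a666d-e7a8-4587-b731-ea3a22627ce7", "tcp", "IPv4", "0.0.0.0/0", "22:22", "ingress"),
    rule_row("bc08d14f-11e4-420a-918c-2bf8246c35e3", "tcp", "IPv6", "::/0", "22:22", "ingress"),
    # from the page: public HTTP, and SSH restricted to one admin address
    rule_row("701d9cf8-1234-4e23-8bea-fdec97cd0fb1", "tcp", "IPv4", "0.0.0.0/0", "80:80", "ingress"),
    rule_row("edfb31e8-d14d-4a4f-9008-ed69c632f17a", "tcp", "IPv4", "2.3.4.5/32", "22:22", "ingress"),
    # from the page: a default egress rule, and a remote-group rule whose IP Range
    # column reads 0.0.0.0/0 although only members of the referenced group match
    rule_row("c143e476-3cc8-470b-80f6-ce2473dadac8", None, "IPv4", "0.0.0.0/0", "", "egress"),
    rule_row("8500cdff-3649-488e-bdd9-eb2e625da360", "tcp", "IPv4", "0.0.0.0/0", "5432:5432",
             "ingress", rgroup="3127a73d-463a-4736-a986-f83f2de373e5"),
    # constructed: an allow-everything ingress rule (any protocol, any port)
    rule_row("00000000-constructed-allow-all-ingress", None, "IPv4", "0.0.0.0/0", "", "ingress"),
])


def parse_port_range(text):
    """'22:22' -> (22, 22); '' (all ports) or an ICMP 'type=8:code=0' entry -> None."""
    m = PORT_RANGE.match(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_world_open(rule):
    """True for an ingress rule whose source side is not narrowed at all.

    A remote group or remote address group restricts the source even though
    the CLI prints 0.0.0.0/0 or ::/0 in the IP Range column for such rules.
    """
    if rule["Direction"] != "ingress":
        return False
    if rule["Remote Security Group"] or rule["Remote Address Group"]:
        return False
    prefix = rule["IP Range"]
    if not prefix:                       # None/empty means "any source" for the ethertype
        return True
    return ipaddress.ip_network(prefix, strict=False) in WORLD


def audit(rules_json, public_ok=PUBLIC_OK):
    """Return one finding per world-open ingress rule that exposes more than public_ok."""
    findings = []
    for rule in json.loads(rules_json):
        if not is_world_open(rule):
            continue
        proto = rule["IP Protocol"]
        ports = parse_port_range(rule["Port Range"])
        if proto is None:
            findings.append({"id": rule["ID"], "exposed": "all protocols and ports"})
        elif ports is None:
            findings.append({"id": rule["ID"], "exposed": f"{proto} (any port/type)"})
        else:
            lo, hi = ports
            extra = [p for p in range(lo, hi + 1) if (proto, p) not in public_ok]
            if extra:
                findings.append({"id": rule["ID"], "exposed": f"{proto} {extra}"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f['id']}: open to the internet on {f['exposed']}")
```

Run it against a live group with `openstack security group rule list mysecuritygroup -f json | python3 audit.py` after replacing `SAMPLE_RULES` with `sys.stdin.read()`; anything it prints is a rule the whole internet can hit.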

Connecting Security Groups (Advanced)

In some cases it makes sense to create several SecurityGroups and connect them so that attaching one group opens ports in the other. Example: an app server that needs to access a database. We create db and app SecurityGroups, and an internet-access SecurityGroup that provides outbound connectivity for whichever servers need it. We do not use the default SecurityGroup because its rules allow unrestricted traffic between all servers that carry it, which is too permissive for this example. The internet-access group keeps its automatically created egress rules; db and app have theirs removed so that they contain only the rules created below.

# Create SecurityGroups
for i in internet-access db app; do
    openstack security group create "$i"
done

# Remove default rules from db and app SecurityGroups
ids=()
for sg in db app; do
    for id in $(openstack security group rule list -f value -c ID "$sg"); do
        ids+=("$id")
    done
done
# Delete gathered SecurityGroup rules
openstack security group rule delete "${ids[@]}"

App

Application servers must be reachable from the outside via HTTP(S); all other access is denied. Only our fictional App-Admins, each identified by a single IPv4 and IPv6 address, may SSH into the machines. Access to the database servers is granted in the db SecurityGroup, not here.

# Allow HTTP(s) externally
for port in 80 443; do
    for family in ipv4 ipv6; do
        openstack security group rule create app \
            --ingress \
            --ethertype "$family" \
            --proto tcp \
            --dst-port "$port" \
            --description "Allow access to Port $port ($family)"
    done
done

# Allow SSH Access to App instances from App Admins
openstack security group rule create app \
    --ingress \
    --ethertype ipv6 \
    --remote-ip 2001:db8::a66:ad/128 \
    --proto tcp --dst-port 22 \
    --description "Allow access to SSH from App Admins (IPv6)"
openstack security group rule create app \
    --ingress \
    --remote-ip 2.3.4.5/32 \
    --proto tcp --dst-port 22 \
    --description "Allow access to SSH from App Admins (IPv4)"
~ : openstack security group rule list app
+--------------------------------------+-------------+-----------+----------------------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range             | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+----------------------+------------+-----------+-----------------------+----------------------+
| e4597426-ee56-400b-a18c-c7cf7208629a | tcp         | IPv6      | 2001:db8::a66:ad/128 | 22:22      | ingress   | None                  | None                 |
| edfb31e8-d14d-4a4f-9008-ed69c632f17a | tcp         | IPv4      | 2.3.4.5/32           | 22:22      | ingress   | None                  | None                 |
| 207de6d5-8690-4519-aae2-dbc7b2913d82 | tcp         | IPv6      | ::/0                 | 80:80      | ingress   | None                  | None                 |
| 701d9cf8-1234-4e23-8bea-fdec97cd0fb1 | tcp         | IPv4      | 0.0.0.0/0            | 80:80      | ingress   | None                  | None                 |
| 505eeb8c-d6be-4640-b87a-ff5ca385cb70 | tcp         | IPv6      | ::/0                 | 443:443    | ingress   | None                  | None                 |
| e6ca13d6-734d-4d4c-b8d0-8b723e541af3 | tcp         | IPv4      | 0.0.0.0/0            | 443:443    | ingress   | None                  | None                 |
+--------------------------------------+-------------+-----------+----------------------+------------+-----------+-----------------------+----------------------+

DB

In the db SecurityGroup we open the PostgreSQL port for the app servers and grant SSH access to database admins. Because the port should only be reachable from the app servers, we reference the app SecurityGroup with the --remote-group flag instead of an address range. Neutron expands such a rule to the fixed IP addresses of all ports that carry the app SecurityGroup, so every server with that group gets access to port 5432 whatever network it runs in, and the rule does not need to be touched when app servers are added or removed. The match is on the packet's source address, so it works for traffic inside the project's networks; traffic that arrives with another source address (for example after NAT through a FloatingIP) does not match. Note that PostgreSQL uses TCP only; the UDP rules created by the loop below are unnecessary and can be left out to keep the group minimal.

# Allow PostgreSQL from app SecurityGroup
port=5432
for proto in tcp udp; do
    for family in ipv4 ipv6; do
        openstack security group rule create db \
            --ingress \
            --remote-group app \
            --ethertype "$family" \
            --proto "$proto" \
            --dst-port "$port" \
            --description "Allow access to DB ($family)"
    done
done

# Allow SSH Access to DB instances from Database Admins
openstack security group rule create db \
    --ingress \
    --ethertype ipv6 \
    --remote-ip 2001:db8::db:ad/128 \
    --proto tcp --dst-port 22 \
    --description "Allow access to SSH from DBAs (IPv6)"
openstack security group rule create db \
    --ingress \
    --remote-ip 1.2.3.4/32 \
    --proto tcp --dst-port 22 \
    --description "Allow access to SSH from DBAs (IPv4)"
~ : openstack security group rule list db
+--------------------------------------+-------------+-----------+---------------------+------------+-----------+--------------------------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range            | Port Range | Direction | Remote Security Group                | Remote Address Group |
+--------------------------------------+-------------+-----------+---------------------+------------+-----------+--------------------------------------+----------------------+
| cd0ca73a-0c75-4f8a-a133-de577f4252a2 | tcp         | IPv6      | 2001:db8::db:ad/128 | 22:22      | ingress   | None                                 | None                 |
| 036a64c7-cad9-4a8e-8e71-0d75ea6e7cae | tcp         | IPv4      | 1.2.3.4/32          | 22:22      | ingress   | None                                 | None                 |
| 9670351e-1223-4202-99f0-58b290344be4 | udp         | IPv6      | ::/0                | 5432:5432  | ingress   | 3127a73d-463a-4736-a986-f83f2de373e5 | None                 |
| f175b455-6a6a-4717-9ce8-be0f50930d72 | tcp         | IPv6      | ::/0                | 5432:5432  | ingress   | 3127a73d-463a-4736-a986-f83f2de373e5 | None                 |
| 70752850-7b84-41a7-9eb2-49c5a1c6d32a | udp         | IPv4      | 0.0.0.0/0           | 5432:5432  | ingress   | 3127a73d-463a-4736-a986-f83f2de373e5 | None                 |
| 8500cdff-3649-488e-bdd9-eb2e625da360 | tcp         | IPv4      | 0.0.0.0/0           | 5432:5432  | ingress   | 3127a73d-463a-4736-a986-f83f2de373e5 | None                 |
+--------------------------------------+-------------+-----------+---------------------+------------+-----------+--------------------------------------+----------------------+
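To make the remote-group behaviour concrete, here is a small model of how such a rule is evaluated. This is an added example, not code from the page or from OpenStack: a remote-group rule matches when the packet's source address belongs to a port that is a member of the referenced group, and this toy evaluator reproduces that over constructed data. The rule fields follow the `openstack security group rule create` output above. The `app` group id and app01's addresses are taken from this page; the db and internet-access group ids, the other servers, and the FloatingIP 203.0.113.10 are made up, and allowed-address-pairs on ports are ignored as a simplification.

```python
"""Model how Neutron evaluates a --remote-group rule.

Added example, not code from the page or from OpenStack. A remote-group rule
matches when the source address belongs to a port carrying the referenced
group. Group ids other than APP_SG, all servers except app01's addresses,
and the FloatingIP below are constructed; allowed-address-pairs are ignored.
"""
import ipaddress

APP_SG = "3127a73d-463a-4736-a986-f83f2de373e5"   # id of 'app' from the db listing above
DB_SG = "11111111-2222-4333-8444-555555555555"     # constructed id for 'db'
NET_SG = "66666666-7777-4888-8999-000000000000"    # constructed id for 'internet-access'

# Constructed Neutron ports: fixed IPs and group membership (app01's IPs are from the page)
PORTS = [
    {"name": "app01", "fixed_ips": ["192.168.199.182", "2a02:ed80:80:101:f816:3eff:fe44:ae77"],
     "security_groups": [APP_SG, NET_SG]},
    {"name": "app02", "fixed_ips": ["192.168.199.183"], "security_groups": [APP_SG, NET_SG]},
    {"name": "db01", "fixed_ips": ["192.168.199.10"], "security_groups": [DB_SG]},
    {"name": "jump", "fixed_ips": ["192.168.199.50"], "security_groups": [NET_SG]},
]


def db_rule(ether, proto, port, remote_group=None, remote_ip=None):
    """One rule in the field shape of `openstack security group rule create`."""
    return {"direction": "ingress", "ether_type": ether, "protocol": proto,
            "port_range_min": port, "port_range_max": port,
            "remote_group_id": remote_group, "remote_ip_prefix": remote_ip}


# The db group's rules from the page, TCP only
DB_RULES = [
    db_rule("IPv4", "tcp", 5432, remote_group=APP_SG),
    db_rule("IPv6", "tcp", 5432, remote_group=APP_SG),
    db_rule("IPv4", "tcp", 22, remote_ip="1.2.3.4/32"),
    db_rule("IPv6", "tcp", 22, remote_ip="2001:db8::db:ad/128"),
]


def group_members(sg_id, ports=PORTS):
    """Addresses a remote-group rule expands to: the fixed IPs of ports in that group."""
    return {ipaddress.ip_address(ip)
            for p in ports if sg_id in p["security_groups"]
            for ip in p["fixed_ips"]}


def rule_matches(rule, src, proto, dport, ports=PORTS):
    """Does one ingress rule admit a packet from src to dport/proto?"""
    ip = ipaddress.ip_address(src)
    if rule["direction"] != "ingress":
        return False
    if rule["ether_type"] != f"IPv{ip.version}":
        return False
    if rule["protocol"] not in (None, proto):        # None means any protocol
        return False
    lo, hi = rule["port_range_min"], rule["port_range_max"]
    if lo is not None and not lo <= dport <= hi:     # None means any port
        return False
    if rule["remote_group_id"] is not None:          # membership check, not an address range
        return ip in group_members(rule["remote_group_id"], ports)
    if rule["remote_ip_prefix"] is not None:
        return ip in ipaddress.ip_network(rule["remote_ip_prefix"], strict=False)
    return True                                       # neither set: any source of that ethertype


def ingress_allowed(src, proto, dport, rules=DB_RULES, ports=PORTS):
    """SecurityGroups are pure allow-lists: a single matching rule is enough."""
    return any(rule_matches(r, src, proto, dport, ports) for r in rules)


if __name__ == "__main__":
    print("app members:", sorted(map(str, group_members(APP_SG))))
    for src, port in [("192.168.199.182", 5432),   # app01 fixed IP: allowed
                      ("192.168.199.50", 5432),    # jump host, not in app: denied
                      ("203.0.113.10", 5432),      # app01's FloatingIP after SNAT: denied
                      ("1.2.3.4", 22),             # DBA address: allowed
                      ("1.2.3.4", 5432)]:          # DBA address on the DB port: denied
        print(f"{src} -> db:{port}/tcp allowed={ingress_allowed(src, 'tcp', port)}")
```

The FloatingIP case is the one that surprises people: if app traffic ever reaches the db server with a NATed source address, the remote-group rule no longer matches because that address is not a fixed IP of any port in the app group.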

Result

app01 carries the app and internet-access SecurityGroups: it is reachable from anywhere on ports 80 and 443, on port 22 only from the App-Admin addresses, it can open outbound connections through internet-access, and by virtue of its membership in app it may reach any db server on port 5432.

~ : openstack server show app01
+-------------------------------------+----------------------------------------------------------------------------+
| Field                               | Value                                                                      |
+-------------------------------------+----------------------------------------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                                                     |
| OS-EXT-AZ:availability_zone         | RegionOne                                                                  |
| OS-EXT-STS:power_state              | Running                                                                    |
| OS-EXT-STS:vm_state                 | active                                                                     |
| OS-SRV-USG:launched_at              | 2025-04-09T10:22:38.000000                                                 |
| OS-SRV-USG:terminated_at            | None                                                                       |
| accessIPv4                          |                                                                            |
| accessIPv6                          |                                                                            |
| addresses                           | mynetwork=192.168.199.182, 2a02:ed80:80:101:f816:3eff:fe44:ae77            |
| config_drive                        |                                                                            |
| created                             | 2025-04-09T10:22:27Z                                                       |
| description                         | app01                                                                      |
| flavor                              | description=, disk='25', ephemeral='0', , id='s1.small', is_disabled=,     |
|                                     | is_public='True', location=, name='s1.small', original_name='s1.small',    |
|                                     | ram='2048', rxtx_factor=, swap='0', vcpus='2'                              |
| hostId                              | 36981f1ee60b435e820aa0f4e957d5146845ab43d98285fc57cb88bc                   |
| id                                  | 42ecd18e-16d8-4146-beb5-bbcedf543f48                                       |
| image                               | Ubuntu Noble 24.04 LTS (829fff8b-e1b9-43d1-9f4a-52ccfc2edfe2)              |
| key_name                            | None                                                                       |
| locked                              | False                                                                      |
| locked_reason                       | None                                                                       |
| name                                | app01                                                                      |
| progress                            | 0                                                                          |
| project_id                          | f7f8ed8191a048248c38982cd4b3d240                                           |
| properties                          |                                                                            |
| security_groups                     | name='app'                                                                 |
|                                     | name='internet-access'                                                     |
| server_groups                       | []                                                                         |
| status                              | ACTIVE                                                                     |
| tags                                |                                                                            |
| trusted_image_certificates          | None                                                                       |
| updated                             | 2025-04-09T10:22:38Z                                                       |
| user_id                             | 9dad1ab0716b4d0bb025d045fc28e987                                           |
| volumes_attached                    |                                                                            |
+-------------------------------------+----------------------------------------------------------------------------+