Managing security groups using the OpenStack terminal client
Creating a security group
To create a security group using the OpenStack Terminal Client, follow these steps:
Run this command:
openstack security group create --description [DESCRIPTION] [NAME]
Note
The new security group will not have any rules, so it won't actually do anything. To add rules, follow the next step.
Adding rules to a security group
To add rules to a security group using the OpenStack Terminal Client, follow these steps:
Running the following command will give you a detailed overview of what options are available for creating a rule:
openstack security group rule create -h
Define the rule; see our Designing security group rules article for more information. Use the help output from above to match your rule to the needed parameters.
The following example command creates a security group rule that allows SSH. Replace the items in square brackets with the corresponding data.
openstack security group rule create \
--protocol tcp \
--dst-port 22 \
--ingress \
--remote-ip [X.X.X.X/Y] \
--description [DESCRIPTION] \
[NAME]
Note
For ease of use, we recommend using the already defined rules. These are project-specific, so you can also tweak them as you see fit.
Adding a security group to an instance
To add a security group to an instance using the OpenStack Terminal Client, follow these steps:
Run this command:
openstack server add security group [INSTANCE NAME] [GROUP NAME]
Replace the items within square brackets with the corresponding data.
To show which security groups are currently attached to an instance, run this command:
openstack server show --column security_groups [INSTANCE NAME]
Replace the items within square brackets with the corresponding data.
Address groups
OpenStack lets you set up address groups. An address group is a collection of IP addresses and IP ranges that you can then use in your security groups. The benefit is that you can reuse the same group in many rules and do not have to maintain several lists of the same addresses. Address groups are only available via the terminal client. To work with them:
To create a group, run this command:
openstack address group create [NAME]
To add addresses to the group, run this command:
openstack address group set --address [x.x.x.x/y] [NAME]
An address can be either a range or a single address.
To use the address group in a rule, use the --remote-address-group [NAME] option.
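The steps on this page chained into one script, as an added example that is not part of the original documentation: it allows SSH from an address group instead of a single --remote-ip. The names ssh-admin, admin-sources and web01, the sample ranges, and the check that refuses a /0 source are assumptions of this example.

```shell
#!/bin/sh
# Added example. Prints the openstack commands by default; APPLY=1 executes them.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Accept only IPv4 CIDRs with a prefix of 1-32, so 0.0.0.0/0 (SSH open to
# every source) is refused. This policy is the example's, not OpenStack's.
check_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([1-9]|[12][0-9]|3[0-2])$' || return 1
    addr=${1%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# usage: plan_ssh_access SECURITY_GROUP ADDRESS_GROUP INSTANCE CIDR...
plan_ssh_access() {
    [ "$#" -ge 4 ] || { echo "need a group, address group, instance and CIDR" >&2; return 2; }
    sg=$1; ag=$2; server=$3; shift 3
    for cidr in "$@"; do     # validate every source before changing anything
        check_cidr "$cidr" || { echo "refusing source: $cidr" >&2; return 1; }
    done
    # Stop at the first failing command so later steps never act on stale state.
    run openstack security group create --description "ssh-from-$ag" "$sg" || return
    run openstack address group create "$ag" || return
    for cidr in "$@"; do
        run openstack address group set --address "$cidr" "$ag" || return
    done
    run openstack security group rule create --protocol tcp --dst-port 22 \
        --ingress --remote-address-group "$ag" --description "ssh-from-$ag" "$sg" || return
    run openstack server add security group "$server" "$sg" || return
    run openstack server show --column security_groups "$server"
}

# Constructed sample values (documentation address ranges, made-up names).
plan_ssh_access ssh-admin admin-sources web01 192.0.2.10/32 198.51.100.0/24
```

Review the printed commands, then rerun with APPLY=1 to execute them against your project.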
Note
If you instead choose to press “Edit Port Security Groups” (in step 2 above), you are able to set security groups on a per-interface (port) basis instead. This might be useful if you have several networks connected to your instance (which we don’t recommend) and want to have different settings on them.
Note
Remember: you need to add your groups to all instances; all rules are evaluated on a per-instance basis.