DOC: Openstack Security Groups #135

Merged
merged 2 commits into from
Mar 8, 2024
99 changes: 99 additions & 0 deletions docs/openstack-security-groups.md
@@ -0,0 +1,99 @@
# Openstack Security Groups

To read more about Openstack Security Groups using the [upstream docs](https://docs.openstack.org/nova/queens/admin/security-groups.html).

#### List and view current security groups

``` shell
$ openstack security group list
```

#### Create Security Groups

``` shell
$ openstack security group create SECURITY_GROUP_NAME --description GROUP_DESCRIPTION
```

#### Delete a specific Security Group

``` shell
$ openstack security group delete SECURITY_GROUP_NAME
```

#### Create and manage security group rules

To list the rules for a security group, run the following command:

``` shell
$ openstack security group rule list SECURITY_GROUP_NAME
```

Add a new group rule:

``` shell
$ openstack security group rule create SEC_GROUP_NAME \
--protocol PROTOCOL --dst-port FROM_PORT:TO_PORT --remote-ip CIDR
```

The arguments are positional, and the from-port and to-port arguments specify the local port range connections are allowed to access, not the source and destination ports of the connection.

#### To allow both HTTP and HTTPS traffic:

``` shell
openstack security group rule create global_http \
--protocol tcp --dst-port 443:443 --remote-ip 0.0.0.0/0
```

#### To allow SSH access to the instances, choose one of the following options:

1. Allow access from all IP addresses, specified as IP subnet 0.0.0.0/0 in CIDR notation:

``` shell
$ openstack security group rule create SECURITY_GROUP_NAME \
--protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0
```
2. Allow access only from IP addresses from other security groups (source groups) to access the specified port:

``` shell
$ openstack security group rule create SECURITY_GROUP_NAME \
--protocol tcp --dst-port 22:22 --remote-group SOURCE_GROUP_NAME
```
#### To allow pinging of the instances, choose one of the following options:

1. Allow pinging from all IP addresses, specified as IP subnet 0.0.0.0/0 in CIDR notation

``` shell
$ openstack security group rule create --protocol icmp \
SECURITY_GROUP_NAME
```
This allows access to all codes and all types of ICMP traffic.

2. Allow only members of other security groups (source groups) to ping instances.
``` shell
$ openstack security group rule create --protocol icmp \
--remote-group SOURCE_GROUP_NAME SECURITY_GROUP
```
#### To allow access through a UDP port, such as allowing access to a DNS server that runs on a VM, choose one of the following options:

1. Allow UDP access from IP addresses, specified as IP subnet 0.0.0.0/0 in CIDR notation.
``` shell
openstack security group rule create --protocol udp \
--dst-port 53:53 SECURITY_GROUP
```
2. Allow only IP addresses from other security groups (source groups) to access the specified port.

``` shell
openstack security group rule create --protocol udp \
--dst-port 53:53 --remote-group SOURCE_GROUP_NAME SECURITY_GROUP
```
#### Allow RDP access only from IP addresses from other security groups

``` shell
$ openstack security group rule create SECURITY_GROUP_NAME \
--protocol tcp --dst-port 33:89 --remote-group SOURCE_GROUP_NAME
```
#### Delete a security group rule

``` shell
$ openstack security group rule delete RULE_ID
```
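Review bot: the RDP rule near the end of the hunk uses `--dst-port 33:89`, which opens the whole TCP port range 33 through 89 rather than the single RDP port; it should read `--dst-port 3389:3389`. The section headed "To allow both HTTP and HTTPS traffic" also only creates the 443:443 rule, so a second rule `openstack security group rule create global_http --protocol tcp --dst-port 80:80 --remote-ip 0.0.0.0/0` is needed for HTTP, otherwise the heading promises more than the example delivers. Minor points: the opening line ("To read more about Openstack Security Groups using the upstream docs") is not a complete sentence and links to the queens release of the Nova docs; the `$` prompt is used in some code blocks and not others; and "The arguments are positional" is misleading, since only the security group name is positional while `--protocol`, `--dst-port`, `--remote-ip` and `--remote-group` are options.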
2 changes: 2 additions & 0 deletions mkdocs.yml
Expand Up @@ -194,3 +194,5 @@ nav:
- Building Local Images: build-local-images.md
- Third Party Tools:
- OSIE: extra-osie.md
- Cloud Onboarding:
- Openstack Security Groups: openstack-security-groups.md
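Review bot: the new nav title spells the project name "Openstack"; upstream spells it "OpenStack", so this entry and the page heading in docs/openstack-security-groups.md should use the same capitalization for consistency with the rest of the docs.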