Chapter 8. Protecting Instances on the Network

Neutron includes two methods of providing network-level security to instances. The first method is using security groups that leverage iptables rules to filter traffic on the compute node hosting the instance. The second method is a feature known as Firewall-as-a-Service (FWaaS) that provides filtering at the perimeter of the network on a Neutron router. First introduced in the Havana release of OpenStack as a technical preview, FWaaS serves as a complement to Neutron security groups, not a replacement.

In this chapter, we will discuss some fundamental security features of Neutron, such as:

  • Managing security groups
  • Demonstrating how security groups leverage iptables
  • Managing Neutron firewalls
  • Demonstrating ...
