Security groups are fundamental to limiting access to Neutron ports and instances and allow users to create ingress and egress rules that allow traffic from specific addresses, ports, protocols, and even other security groups. It is important to keep in mind that security group rules can only be constructed to allow traffic as all traffic is denied by default in both directions—ingress and egress.

Using the reference plugin, Neutron converts security group rules to iptables rules that are applied on individual compute nodes and filter traffic as it passes through the virtual switches. No modifications are made to the instances themselves and firewalls within the instances can provide additional filtering if required.

In the next chapter, ...