OS::Neutron::SecurityGroup

A resource for managing Neutron security groups.

Security groups are sets of IP filter rules that are applied to an instance's networking. They are project specific, and project members can edit the default rules for their group and add new rule sets. All projects have a "default" security group, which is applied to instances that have no other security group defined.

Optional Properties

description

Description of the security group.

String value expected.

Can be updated without replacement.

name

A string specifying a symbolic name for the security group, which is not required to be unique.

String value expected.

Can be updated without replacement.

rules

List of security group rules.

List value expected.

Can be updated without replacement.

Defaults to "[]".

List contents:

  • *

    Map value expected.

    Can be updated without replacement.

    Map properties:

    • direction

      The direction in which the security group rule is applied. For a compute instance, an ingress security group rule matches traffic that is incoming (ingress) for that instance. An egress rule is applied to traffic leaving the instance.

      String value expected.

      Can be updated without replacement.

      Defaults to "ingress".

      Allowed values: ingress, egress

    • ethertype

      Ethertype of the traffic.

      String value expected.

      Can be updated without replacement.

      Defaults to "IPv4".

      Allowed values: IPv4, IPv6

    • port_range_max

      The maximum port number in the range that is matched by the security group rule. The port_range_min attribute constrains the port_range_max attribute. If the protocol is ICMP, this value must be an ICMP type.

      Integer value expected.

      Can be updated without replacement.

      The value must be in the range 0 to 65535 (inclusive).

    • port_range_min

      The minimum port number in the range that is matched by the security group rule. If the protocol is TCP or UDP, this value must be less than or equal to the value of the port_range_max attribute. If the protocol is ICMP, this value must be an ICMP type.

      Integer value expected.

      Can be updated without replacement.

      The value must be in the range 0 to 65535 (inclusive).

    • protocol

      The protocol that is matched by the security group rule. Valid values include tcp, udp, and icmp.

      String value expected.

      Can be updated without replacement.

    • remote_group_id

      The remote group ID to be associated with this security group rule. If no value is specified then this rule will use this security group for the remote_group_id. The remote mode parameter must be set to "remote_group_id".

      String value expected.

      Can be updated without replacement.

    • remote_ip_prefix

      The remote IP prefix (CIDR) to be associated with this security group rule.

      String value expected.

      Can be updated without replacement.

    • remote_mode

      Whether to specify a remote group or a remote IP prefix.

      String value expected.

      Can be updated without replacement.

      Defaults to "remote_ip_prefix".

      Allowed values: remote_ip_prefix, remote_group_id

HOT Syntax

heat_template_version: 2014-10-16
...
resources:
  ...
  the_resource:
    type: OS::Neutron::SecurityGroup
    properties:
      description: String
      name: String
      rules:
        - remote_group_id: String
          port_range_max: Integer
          remote_ip_prefix: String
          protocol: String
          port_range_min: Integer
          ethertype: String
          direction: String
          remote_mode: String
        - remote_group_id: String
          port_range_max: Integer
          remote_ip_prefix: String
          protocol: String
          port_range_min: Integer
          ethertype: String
          direction: String
          remote_mode: String
        - ...
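The skeleton above shows only the property types. The following template is an added, constructed example (not part of the Heat reference page or the Heat project) that fills the rules list with a least-privilege policy for a web tier: SSH and ICMP echo only from a management network, HTTPS from anywhere over both IPv4 and IPv6, unrestricted traffic between members of the same group, and egress limited to DNS and HTTPS. The resource name web_sg, the parameter mgmt_cidr and its 192.0.2.0/24 default are assumptions chosen for the example. Two points the property list does not spell out are relied on here: Neutron reads port_range_max of an icmp rule as the ICMP code (so type 8, code 0 is echo request), and Heat removes Neutron's default allow-all egress rules once the rule list contains an egress rule, which is what makes the egress restriction effective.

```yaml
heat_template_version: 2014-10-16

description: >
  Constructed example: a least-privilege security group for a web tier.

parameters:
  mgmt_cidr:
    type: string
    description: Network allowed to reach SSH and ping (assumed value)
    default: 192.0.2.0/24

resources:
  web_sg:
    type: OS::Neutron::SecurityGroup
    properties:
      name: web-tier
      description: Least-privilege rules for the web tier
      rules:
        # SSH only from the management network. remote_mode defaults to
        # remote_ip_prefix, so it is omitted here.
        - direction: ingress
          ethertype: IPv4
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: { get_param: mgmt_cidr }
        # HTTPS from anywhere. A rule matches one ethertype, so IPv4 and
        # IPv6 clients need separate rules.
        - direction: ingress
          ethertype: IPv4
          protocol: tcp
          port_range_min: 443
          port_range_max: 443
          remote_ip_prefix: 0.0.0.0/0
        - direction: ingress
          ethertype: IPv6
          protocol: tcp
          port_range_min: 443
          port_range_max: 443
          remote_ip_prefix: "::/0"
        # ICMP echo request from the management network only. For icmp,
        # port_range_min carries the ICMP type (8) and port_range_max the
        # ICMP code (0); the min <= max constraint applies only to tcp/udp.
        - direction: ingress
          ethertype: IPv4
          protocol: icmp
          port_range_min: 8
          port_range_max: 0
          remote_ip_prefix: { get_param: mgmt_cidr }
        # Any protocol from other members of this same group. remote_group_id
        # is omitted, so the rule refers to this security group itself.
        - direction: ingress
          ethertype: IPv4
          remote_mode: remote_group_id
        # Egress restricted to DNS and HTTPS. Because an egress rule is
        # present, Heat drops Neutron's default allow-all egress rules, so
        # only these two destinations remain reachable.
        - direction: egress
          ethertype: IPv4
          protocol: udp
          port_range_min: 53
          port_range_max: 53
          remote_ip_prefix: 0.0.0.0/0
        - direction: egress
          ethertype: IPv4
          protocol: tcp
          port_range_min: 443
          port_range_max: 443
          remote_ip_prefix: 0.0.0.0/0

outputs:
  security_group_id:
    description: ID of the created security group, for use in port or server resources
    value: { get_resource: web_sg }
```

Since rules can be updated without replacement, tightening or extending this list in a later stack update changes the group in place and does not recreate it, so ports and servers that reference web_sg keep their association.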