Security Groups Fundamentals
This screencast demonstrates how to implement network security in OpenNebula using Security Groups, which function as host-level firewalls that filter traffic before it reaches a virtual machine's network cards. Security Groups operate on a restrictive-by-default model: all traffic is denied unless a defined rule explicitly allows it. The demonstration covers the complete workflow, from creating security groups with specific inbound and outbound rules to assigning them at both the virtual network level and the individual VM level. The tutorial uses a practical scenario with three VMs on a VXLAN EVPN network to illustrate how security groups control access to a web server running on openSUSE 15.
Implementation and Verification
The implementation process involves creating three distinct security groups: an outbound-sg for general internet access attached at the network level, a webserver-sg with SSH and HTTP rules for the server VM, and an rdp-sg for Windows client access. The demonstration shows how to configure rules with various parameters including protocol selection, port ranges, and target networks defined by IP addresses or network ranges. Verification is performed by deploying three VMs and testing connectivity, where one client VM with an automatically assigned IP is blocked from accessing the web server on port 80, while a second client with a specifically allowed IP address successfully connects, confirming that the security group rules are functioning as intended.
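To make the deny-by-default evaluation concrete, the following is an added Python model of how the rules in this scenario are matched; it is not OpenNebula's own code. The rule dictionaries use the attribute names of OpenNebula security group templates (RULE_TYPE, PROTOCOL, RANGE, IP, SIZE), while the IP addresses, the group contents and the allowed() helper are assumptions constructed for the example.

```python
import ipaddress

# Added model of security group rule evaluation (not OpenNebula code).
# Rules use the attribute names of OpenNebula security group templates:
# RULE_TYPE, PROTOCOL, RANGE (port or lo:hi), IP + SIZE (peer address block).
# All addresses below are constructed for the example.
WEBSERVER_SG = [
    {"RULE_TYPE": "inbound", "PROTOCOL": "TCP", "RANGE": "22"},   # SSH from anywhere
    {"RULE_TYPE": "inbound", "PROTOCOL": "TCP", "RANGE": "80",    # HTTP from one client
     "IP": "10.0.0.20", "SIZE": 1},
]
RDP_SG = [{"RULE_TYPE": "inbound", "PROTOCOL": "TCP", "RANGE": "3389"}]
OUTBOUND_SG = [{"RULE_TYPE": "outbound", "PROTOCOL": "ALL"}]   # attached at VNet level


def _port_matches(rule, port):
    """No RANGE means every port; RANGE may be '80', '1000:2000' or '22,80'."""
    rng = rule.get("RANGE")
    if rng is None:
        return True
    for part in rng.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _peer_matches(rule, peer_ip):
    """No IP means any peer; IP + SIZE is a contiguous block of addresses."""
    if "IP" not in rule:
        return True
    first = int(ipaddress.ip_address(rule["IP"]))
    return first <= int(ipaddress.ip_address(peer_ip)) < first + int(rule.get("SIZE", 1))


def allowed(groups, direction, proto, port, peer_ip):
    """Restrictive by default: pass only if a rule of an attached group matches."""
    for group in groups:
        for rule in group:
            if rule["RULE_TYPE"] != direction or rule["PROTOCOL"] not in ("ALL", proto):
                continue
            if _port_matches(rule, port) and _peer_matches(rule, peer_ip):
                return True
    return False


if __name__ == "__main__":
    server = [OUTBOUND_SG, WEBSERVER_SG]        # VNet-level SG plus VM-level SG
    print(allowed(server, "inbound", "TCP", 80, "10.0.0.20"))   # the allowed client
    print(allowed(server, "inbound", "TCP", 80, "10.0.0.37"))   # auto-assigned IP, blocked
```

The second client is blocked only because no rule names its address; SSH on port 22 still reaches the server from either client, which is why a port-80 test is the right verification step.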