Security groups in OpenStack
Prior to Neutron, the Nova (Compute) service was responsible for securing network traffic to and from instances through the use of security groups. A security group is a collection of network access rules that limits the types of traffic an instance can send or receive. Neutron provides an API to create, modify, apply, and delete security group rules.
When a port is created in Neutron, it is associated with the default security group unless another security group is specified explicitly. The default security group drops all ingress traffic and allows all egress traffic from instances. In addition, standard rules are applied to every instance that prohibit IP, DHCP, and MAC address spoofing. Rules can be added to the default security group to change its behavior. Once a security group has been applied to a Neutron port, the corresponding security group rules are translated by Neutron into iptables rules, which are then applied on the compute node hosting the instance...
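The following is an added, simplified model of the translation just described (it is not Neutron's own code): the default group's rules plus the standard anti-spoofing rules are rendered as iptables lines, with ingress falling through to a final DROP and egress permitted by the default allow-all rule. Chain names, MAC and IP values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SecurityGroupRule:
    """One rule of a security group (fields mirror the Neutron API concepts)."""
    direction: str                  # "ingress" or "egress"
    protocol: Optional[str] = None  # None: any protocol
    port_min: Optional[int] = None  # None: any port
    port_max: Optional[int] = None
    remote_cidr: str = "0.0.0.0/0"  # source for ingress, destination for egress


def default_security_group() -> List[SecurityGroupRule]:
    """Default group: no ingress rules (ingress falls through to DROP),
    one rule allowing all egress."""
    return [SecurityGroupRule(direction="egress")]


def render_iptables(port_mac: str, port_ip: str,
                    rules: List[SecurityGroupRule]) -> List[str]:
    """Render the anti-spoofing rules plus the group's rules as iptables lines.
    Chain names ("sg-in", "sg-out") are constructed for this example."""
    ingress, egress = "sg-in", "sg-out"
    lines = [
        # Standard rules applied to every port regardless of group membership:
        # only the port's own MAC and IP may appear in frames it sends,
        # and an instance may not answer DHCP requests (act as a DHCP server).
        f"-A {egress} -m mac ! --mac-source {port_mac} -j DROP",
        f"-A {egress} ! -s {port_ip} -j DROP",
        f"-A {egress} -p udp --sport 67 --dport 68 -j DROP",
    ]
    for r in rules:
        if r.direction == "ingress":
            parts = [f"-A {ingress}", f"-s {r.remote_cidr}"]
        else:
            parts = [f"-A {egress}", f"-d {r.remote_cidr}"]
        if r.protocol:
            parts.append(f"-p {r.protocol}")
            if r.port_min is not None:
                hi = r.port_max if r.port_max is not None else r.port_min
                parts.append(f"--dport {r.port_min}" if hi == r.port_min
                             else f"--dport {r.port_min}:{hi}")
        parts.append("-j ACCEPT")
        lines.append(" ".join(parts))
    # Anything not explicitly accepted is dropped in both directions.
    lines += [f"-A {ingress} -j DROP", f"-A {egress} -j DROP"]
    return lines
```

Adding an ingress rule (for example TCP port 22 from a trusted subnet) places an ACCEPT line ahead of the ingress DROP, which is exactly the behavior change the text describes.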