Security groups in OpenStack
Think back to Chapter 3, Neutron API Basics, where we looked at the logical Neutron data model that consists of networks, subnets, and ports. Every logical Neutron port related to a virtual machine instance equates to a virtual network interface on a compute node that gets connected to a virtual switch, similar to what is pictured here:
In traditional environments, users rely on traffic filtering performed at the edge of the network on a physical firewall device or within the guest operating system using a software-based firewall such as iptables or Windows Firewall. In an OpenStack-based cloud, Neutron provides an API for applying OS-agnostic traffic filters at each port as it connects to the virtual switch rather than applying them within the guest OS, or anywhere else for that matter, using what are called security groups. A security group is a collection of network access rules known as security group rules applied to Neutron ports, and these limit the types...
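To make the allow-list semantics of port-level filtering concrete, here is a small model of how security group rules are evaluated against traffic arriving at or leaving a Neutron port. This is an added example, not code from the book or from OpenStack itself: the rule fields mirror the Neutron API names (`direction`, `protocol`, `port_range_min`/`port_range_max`, `remote_ip_prefix`, `remote_group_id`), but the `Flow` type, the evaluation loop and all sample addresses and group ids are constructed for illustration. The one behaviour it deliberately reproduces is that security group rules only ever permit traffic: any flow no rule matches is dropped at the port.

```python
"""Minimal model of security-group filtering at a Neutron port.

Added example (not OpenStack code). Rule fields follow the Neutron API;
the packet/flow representation and the evaluation loop are assumptions
made here to keep the example self-contained. Ethertype handling is
omitted for brevity.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class SecurityGroupRule:
    direction: str                         # "ingress" or "egress"
    protocol: Optional[str] = None         # None = any protocol
    port_range_min: Optional[int] = None   # None = any destination port
    port_range_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None  # CIDR the remote side must fall in
    remote_group_id: Optional[str] = None   # or: remote port belongs to this group


@dataclass(frozen=True)
class Flow:
    """One flow as seen at the port. dst_port is the destination port in
    both directions, matching how Neutron interprets port ranges."""
    direction: str
    protocol: str
    remote_ip: str
    dst_port: int
    remote_group_id: Optional[str] = None  # set only when the peer is a Neutron port


def rule_matches(rule: SecurityGroupRule, flow: Flow) -> bool:
    """Every populated field of the rule must match; unset fields are wildcards."""
    if rule.direction != flow.direction:
        return False
    if rule.protocol is not None and rule.protocol != flow.protocol:
        return False
    if rule.port_range_min is not None and flow.dst_port < rule.port_range_min:
        return False
    if rule.port_range_max is not None and flow.dst_port > rule.port_range_max:
        return False
    if rule.remote_ip_prefix is not None:
        net = ipaddress.ip_network(rule.remote_ip_prefix, strict=False)
        if ipaddress.ip_address(flow.remote_ip) not in net:
            return False
    if rule.remote_group_id is not None and rule.remote_group_id != flow.remote_group_id:
        return False
    return True


def port_allows(rules: Iterable[SecurityGroupRule], flow: Flow) -> bool:
    """Allow-list semantics: the flow passes only if at least one rule permits it."""
    return any(rule_matches(rule, flow) for rule in rules)


# Constructed rule set for a hypothetical web-server group "sg-web-example":
# SSH only from an admin range, HTTP/HTTPS from anywhere, an internal port
# only from other members of the same group, and unrestricted egress.
WEB_GROUP_ID = "sg-web-example"
WEB_RULES = (
    SecurityGroupRule("ingress", "tcp", 22, 22, remote_ip_prefix="203.0.113.0/24"),
    SecurityGroupRule("ingress", "tcp", 80, 80),
    SecurityGroupRule("ingress", "tcp", 443, 443),
    SecurityGroupRule("ingress", "tcp", 8080, 8080, remote_group_id=WEB_GROUP_ID),
    SecurityGroupRule("egress"),
)


def evaluate(rules: Iterable[SecurityGroupRule], flows: Iterable[Flow]) -> list:
    """Return (flow, allowed) pairs; handy for reviewing a rule set offline."""
    return [(flow, port_allows(rules, flow)) for flow in flows]


if __name__ == "__main__":
    sample_flows = [
        Flow("ingress", "tcp", "198.51.100.7", 80),
        Flow("ingress", "tcp", "198.51.100.7", 22),
        Flow("ingress", "tcp", "203.0.113.5", 22),
        Flow("ingress", "udp", "198.51.100.7", 53),
        Flow("ingress", "tcp", "10.0.0.12", 8080, remote_group_id=WEB_GROUP_ID),
        Flow("ingress", "tcp", "10.0.0.12", 8080),
        Flow("egress", "tcp", "198.51.100.9", 443),
    ]
    for flow, allowed in evaluate(WEB_RULES, sample_flows):
        print(f"{flow.direction:7} {flow.protocol} {flow.remote_ip}:{flow.dst_port} "
              f"-> {'ALLOW' if allowed else 'DROP'}")
```

Because the model has no deny rules, reviewing a group reduces to reading its allow entries: the SSH flow from an address outside `203.0.113.0/24` is dropped without any explicit block, and the group-scoped 8080 rule only admits peers whose own port carries the same security group, which is how the filter stays independent of whatever firewall the guest OS happens to run.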