A security group is a collection of network access rules, known as security group rules, which limits the types of traffic an instance can send or receive. In the reference architecture, security group rules are converted to iptables rules that are applied on the compute nodes hosting the instances. Each tenant is provided with a default security group that can be modified by users within the tenant. Neutron provides an API to create, modify, apply, and delete security group rules.

There are multiple ways to apply security groups to instances. For example, one or more instances, usually of similar functionality or role, can be placed in a security group. Security group rules can reference IPv4 and IPv6 hosts and networks as well as security groups themselves. Referencing a particular security group in a rule, rather than a particular host or network, frees the user from having to specify individual addresses. Neutron constructs the filtering rules applied on the...