Summary
It is important to know the differences between the two methods of securing network traffic to instances. Where security group rules are implemented at the network bridge connected to an instance on a compute node, firewall rules created with FWaaS are implemented on a Neutron router at the edge of the tenant network. FWaaS is not intended to replace security group functionality, and it serves more as a complement to security groups, especially in its current state. FWaaS is currently lacking functionality that security groups provide, including the inability to specify the direction of traffic that should be filtered. The opposite can said for security groups, too, as they lack the ability to create specific deny rules as all traffic is denied by default.
FWaaS is considered experimental in the Icehouse release of OpenStack and possibly beyond, and it lacks features and functionalities that could make it useable and reliable in a production setting. Like other OpenStack projects...
