
Overview

Xloud Networking enforces security at the network plane without requiring agents inside virtual machines. Stateful security groups operate at the virtual switch level, FWaaS policies apply at the virtual router, port security prevents spoofing attacks, and VLAN/VXLAN segmentation isolates tenant traffic at the data plane. This agentless model provides consistent enforcement regardless of guest OS configuration.
Prerequisites
  • An active Xloud project with at least one network and subnet
  • A member or admin role in Xloud Identity
  • For FWaaS: XPCI license with enable_neutron_fwaas: "yes" in XDeploy configuration
  • For VPNaaS: enable_neutron_vpnaas: "yes" in XDeploy configuration

Network Security Architecture

Layer             | Control                  | Enforcement Point
------------------|--------------------------|--------------------
L3 routing        | Firewall as a Service    | Virtual router
L3/L4 filtering   | Security groups          | Virtual switch port
L2 anti-spoofing  | Port security            | Virtual switch port
L2 isolation      | VLAN/VXLAN segmentation  | Overlay network
L3 remote access  | VPN as a Service         | Virtual router

Security Groups

Security groups implement stateful L3/L4 packet filtering. Each rule specifies a direction (ingress/egress), protocol, port range, and a source/destination specifier (CIDR or another security group). Return traffic for allowed sessions is automatically permitted.

Open Security Groups

Navigate to Project → Network → Security Groups. The default security group allows all outbound traffic and permits inbound traffic only from other members of the same group.

Create a purpose-specific group

Click Create Security Group. Give it a meaningful name such as database-servers or load-balancer-frontend.

Add rules

Click Manage Rules → Add Rule. Define each rule:

Field      | Description
-----------|------------------------------------------------------------------------
Rule       | Protocol preset (SSH, HTTP, HTTPS) or Custom
Direction  | Ingress (inbound) or Egress (outbound)
Open Port  | Port or port range
Remote     | CIDR for IP-based restriction, or another Security Group for group-based restriction
Use security group references as the Remote source instead of CIDR ranges when possible. This allows membership-based access that scales automatically as instances are added to the referenced group.

Apply to instance

In Project → Compute → Instances, open the instance menu and select Edit Security Groups. Assign the new group and remove overly permissive groups.
Test connectivity from an allowed host and confirm blocked traffic is dropped silently.
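The rules above are easiest to review in bulk rather than one dialog at a time. The following audit script is an added example (not Xloud code) that flags ingress rules open to the whole Internet on sensitive ports and rules scoped by CIDR where a security group reference would give the membership-based access recommended above. The input is a constructed sample shaped like the JSON that `openstack security group rule list <group> -f json` emits; the column names used here are an assumption of this example.

```python
import ipaddress
import json

# Ports where a world-open ingress rule is almost always a mistake.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 3306: "mysql", 3389: "rdp", 5432: "postgres"}

# Constructed sample, shaped like `openstack security group rule list -f json`
# output (column names are an assumption of this example, not Xloud's own data).
SAMPLE_RULES_JSON = """
[
 {"ID": "r1", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
  "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": null,
  "Security Group": "database-servers"},
 {"ID": "r2", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": null,
  "Port Range": "3306:3306", "Direction": "ingress", "Remote Security Group": "app-servers",
  "Security Group": "database-servers"},
 {"ID": "r3", "IP Protocol": null, "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
  "Port Range": "", "Direction": "egress", "Remote Security Group": null,
  "Security Group": "database-servers"},
 {"ID": "r4", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "10.0.0.0/8",
  "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": null,
  "Security Group": "database-servers"}
]
"""


def parse_port_range(spec):
    """'22:22' -> (22, 22); an empty or missing range means all ports."""
    if not spec:
        return (1, 65535)
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi or lo))


def audit_rules(rules):
    """Return (rule id, message) pairs for ingress rules worth a second look."""
    findings = []
    for r in rules:
        if r["Direction"] != "ingress":
            continue  # egress-allow-all is the documented default and is not flagged here
        lo, hi = parse_port_range(r.get("Port Range"))
        cidr = r.get("IP Range")
        if cidr and ipaddress.ip_network(cidr).prefixlen == 0:
            hit = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
            if hit or (lo, hi) == (1, 65535):
                findings.append((r["ID"], "world-open ingress on " + (",".join(hit) or "all ports")))
        elif cidr and r.get("Remote Security Group") is None:
            findings.append((r["ID"], f"CIDR-scoped ingress ({cidr}); consider a security group reference"))
    return findings


def audit_json(text):
    """Convenience wrapper: audit rules from the JSON text the CLI prints."""
    return audit_rules(json.loads(text))


if __name__ == "__main__":
    for rule_id, message in audit_json(SAMPLE_RULES_JSON):
        print(f"{rule_id}: {message}")
```

Rule r2, which references the app-servers group instead of a CIDR, produces no finding; r1 is flagged as world-open SSH and r4 as a CIDR rule that could become a group reference.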

Firewall as a Service (FWaaS)

Enterprise FWaaS applies stateless or stateful L3 firewall policies at the virtual router. Unlike security groups (which operate per port), FWaaS policies apply to all traffic traversing a router, making them suitable for north-south perimeter control and micro-segmentation between subnets.

Create firewall rules

Navigate to Project → Network → Firewalls → Rules and click Add Rule:
Field            | Example
-----------------|--------------
Name             | block-telnet
Protocol         | TCP
Destination Port | 23
Action           | Deny
Enabled          | Yes

Create a firewall policy

Navigate to Firewall Policies → Create Policy. Add the rules in priority order (first match wins).

Create a firewall group

Navigate to Firewall Groups → Create Group. Associate the ingress and egress policies, then attach the firewall group to one or more router ports.
Test blocked traffic — packets matching deny rules are dropped at the router without reaching the destination VM’s security group layer.
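Because the policy is evaluated first match wins, a deny rule placed after a broader allow rule never fires. The following is an added example (not Xloud or neutron-fwaas code) that models that evaluation on constructed rules and packets and detects rules shadowed by an earlier, broader rule. The default action applied when nothing matches is a parameter of the model, set to deny here as an assumption; confirm the behaviour of your deployment.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    protocol: Optional[str] = None    # None matches any protocol
    dest_port: Optional[int] = None   # None matches any destination port
    enabled: bool = True


@dataclass(frozen=True)
class Packet:
    protocol: str
    dest_port: int


def matches(rule, pkt):
    """A disabled rule never matches; None fields act as wildcards."""
    if not rule.enabled:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dest_port is not None and rule.dest_port != pkt.dest_port:
        return False
    return True


def evaluate(policy, pkt, default="deny"):
    """First-match evaluation: the first enabled matching rule decides.
    `default` is assumed for no-match traffic; verify it for your deployment."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, None


def covers(a, b):
    """True when every packet matched by rule b is also matched by rule a."""
    return ((a.protocol is None or a.protocol == b.protocol)
            and (a.dest_port is None or a.dest_port == b.dest_port))


def shadowed_rules(policy):
    """(shadowed rule, earlier rule) pairs: rules that can never fire in this order."""
    out = []
    enabled = [r for r in policy if r.enabled]
    for i, later in enumerate(enabled):
        for earlier in enabled[:i]:
            if covers(earlier, later):
                out.append((later.name, earlier.name))
                break
    return out


# Constructed rules mirroring the block-telnet example above plus a broad allow.
BLOCK_TELNET = Rule("block-telnet", "deny", protocol="tcp", dest_port=23)
ALLOW_TCP = Rule("allow-tcp", "allow", protocol="tcp")
TELNET = Packet("tcp", 23)
HTTPS = Packet("tcp", 443)

if __name__ == "__main__":
    print(evaluate([BLOCK_TELNET, ALLOW_TCP], TELNET))   # deny: block-telnet is first
    print(evaluate([ALLOW_TCP, BLOCK_TELNET], TELNET))   # allow: the deny rule is shadowed
    print(shadowed_rules([ALLOW_TCP, BLOCK_TELNET]))
```

Running `shadowed_rules` over a policy before attaching it to a firewall group catches the misordering that silently disables a deny rule.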

Port Security and Anti-Spoofing

Port security prevents virtual machines from injecting packets with spoofed source MAC or IP addresses. This blocks ARP poisoning, DHCP starvation, and IP spoofing attacks. Port security is enabled by default on all ports. To verify:
Check port security status
openstack port show <port-id> --column port_security_enabled --format value
# Returns: True

Allowed Address Pairs

For use cases requiring secondary IPs (virtual IPs, HAProxy floating IPs, Keepalived), add allowed address pairs:
Add allowed address pair for VIP
openstack port set <port-id> \
  --allowed-address ip-address=192.168.10.100,mac-address=fa:16:3e:xx:xx:xx
Disabling port security (openstack port set --no-port-security-enabled) removes all anti-spoofing controls and bypasses security group enforcement on that port. Only disable port security when explicitly required (e.g., NFV workloads managing their own forwarding).
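A port with port security disabled, or with an allowed address pair covering a very wide prefix, has in effect opted out of anti-spoofing, so both are worth finding in an inventory. The following is an added example (not Xloud code) that audits a constructed list of ports shaped like `openstack port show <port-id> -f json` output; the key names and the "wider than a /24" threshold are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample shaped like `openstack port show -f json` output
# (key names are an assumption of this example, not Xloud's own data).
SAMPLE_PORTS_JSON = """[
 {"name": "web-0", "mac_address": "fa:16:3e:00:00:01", "port_security_enabled": true,
  "security_group_ids": ["sg-web"], "allowed_address_pairs": []},
 {"name": "lb-vip-0", "mac_address": "fa:16:3e:00:00:02", "port_security_enabled": true,
  "security_group_ids": ["sg-lb"],
  "allowed_address_pairs": [{"ip_address": "192.168.10.100", "mac_address": "fa:16:3e:00:00:02"}]},
 {"name": "nfv-0", "mac_address": "fa:16:3e:00:00:03", "port_security_enabled": false,
  "security_group_ids": [], "allowed_address_pairs": []},
 {"name": "router-vm", "mac_address": "fa:16:3e:00:00:04", "port_security_enabled": true,
  "security_group_ids": ["sg-default"],
  "allowed_address_pairs": [{"ip_address": "0.0.0.0/0", "mac_address": "fa:16:3e:00:00:04"}]}
]"""

# Assumed threshold: a pair wider than a /24 is treated as effectively unrestricted.
MAX_PAIR_ADDRESSES = 256


def audit_port(port):
    """Return human-readable findings for one port record."""
    findings = []
    if not port["port_security_enabled"]:
        findings.append("port security disabled: no anti-spoofing, security groups not enforced")
    for pair in port.get("allowed_address_pairs", []):
        # A bare address is treated as a /32 (or /128); strict=False tolerates host bits.
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        if net.num_addresses > MAX_PAIR_ADDRESSES:
            findings.append(f"allowed address pair {pair['ip_address']} is effectively unrestricted")
    return findings


def audit_ports(text):
    """Map port name -> findings for every port in the CLI's JSON output."""
    return {p["name"]: audit_port(p) for p in json.loads(text)}


if __name__ == "__main__":
    for name, findings in audit_ports(SAMPLE_PORTS_JSON).items():
        for f in findings:
            print(f"{name}: {f}")
```

The single-VIP pair on lb-vip-0 is the legitimate Keepalived-style use case and produces no finding; nfv-0 and router-vm do.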

Network Segmentation (VLAN and VXLAN)

Tenant networks are isolated at the data plane using VLAN tags (provider networks) or VXLAN encapsulation (overlay networks). Each tenant network has a unique segmentation ID that prevents cross-tenant traffic even on shared physical infrastructure.
Network Type | Segmentation                     | Isolation Scope
-------------|----------------------------------|---------------------------------------------
VLAN         | 802.1Q tag (1–4094)              | Hardware-enforced on physical switches
VXLAN        | 24-bit VNI (up to 16M segments)  | Software-defined, scales across hypervisors
GRE          | Tunnel key                       | Point-to-point overlay
Create an isolated tenant network
openstack network create \
  --provider-network-type vxlan \
  --description "Isolated production network" \
  prod-internal-net

openstack subnet create \
  --network prod-internal-net \
  --subnet-range 172.16.10.0/24 \
  --dns-nameserver 8.8.8.8 \
  --no-dhcp-dns \
  prod-internal-subnet

DDoS Protection

Xloud Networking provides rate limiting at the port and router levels to mitigate volumetric attacks:
Apply QoS bandwidth limit to a port
# QoS policies and rules live under the "network qos" command group
openstack network qos policy create ddos-protection

# Direction defaults to egress (traffic leaving the VM); add --ingress to
# limit traffic arriving at the port. Burst is expressed in kilobits.
openstack network qos rule create \
  --type bandwidth-limit \
  --max-kbps 100000 \
  --max-burst-kbits 200000 \
  ddos-protection

openstack port set <port-id> --qos-policy ddos-protection
For infrastructure-level DDoS protection, use the XIMP monitoring integration to detect anomalous traffic patterns and trigger automated response playbooks.

VPN as a Service

Enterprise VPN as a Service extends tenant networks to remote sites over IPsec tunnels without exposing public floating IPs.
Create an IPsec VPN connection
# Create IKE policy (algorithm names follow the CLI's accepted values)
openstack vpn ike policy create \
  --ike-version v2 \
  --encryption-algorithm aes-256 \
  --auth-algorithm sha256 \
  --pfs group14 \
  ike-aes256-sha256

# Create IPsec policy
openstack vpn ipsec policy create \
  --transform-protocol esp \
  --encryption-algorithm aes-256 \
  --auth-algorithm sha256 \
  --pfs group14 \
  ipsec-aes256-sha256

# Create VPN service on the router
openstack vpn service create \
  --router <router-id> \
  --subnet <local-subnet-id> \
  prod-vpn-service

# Create site connection (--peer-id is the remote gateway's IKE identity,
# usually its public IP address)
openstack vpn ipsec site connection create \
  --vpnservice prod-vpn-service \
  --ikepolicy ike-aes256-sha256 \
  --ipsecpolicy ipsec-aes256-sha256 \
  --peer-address <remote-gateway-ip> \
  --peer-id <remote-gateway-id> \
  --peer-cidr <remote-subnet-cidr> \
  --psk "<pre-shared-key>" \
  site-to-hq
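The strength of the tunnel is decided by the IKE and IPsec policies, so it is worth checking existing policies against a baseline before reusing them for a new site connection. The following is an added example (not Xloud code) that validates constructed policy records shaped like `openstack vpn ike policy show -f json` and `openstack vpn ipsec policy show -f json` output against a baseline matching the choices above (AES, SHA-2, group14, IKEv2, ESP); key names and the accepted sets are assumptions of this example.

```python
# Constructed samples (key names are an assumption of this example).
STRONG_IKE = {"name": "ike-aes256-sha256", "ike_version": "v2",
              "encryption_algorithm": "aes-256", "auth_algorithm": "sha256", "pfs": "group14"}
WEAK_IKE = {"name": "legacy-ike", "ike_version": "v1",
            "encryption_algorithm": "3des", "auth_algorithm": "sha1", "pfs": "group2"}
STRONG_IPSEC = {"name": "ipsec-aes256-sha256", "transform_protocol": "esp",
                "encryption_algorithm": "aes-256", "auth_algorithm": "sha256", "pfs": "group14"}
WEAK_IPSEC = {"name": "legacy-ipsec", "transform_protocol": "ah",
              "encryption_algorithm": "aes-128", "auth_algorithm": "sha1", "pfs": "group5"}

# Assumed baseline: AES of any size, SHA-2 integrity, and the DH group used above.
ACCEPTED_ENCRYPTION = {"aes-128", "aes-192", "aes-256"}
ACCEPTED_AUTH = {"sha256", "sha384", "sha512"}
ACCEPTED_PFS = {"group14"}


def check_policy(policy, kind):
    """Return a list of baseline violations for an 'ike' or 'ipsec' policy record."""
    findings = []
    if policy["encryption_algorithm"] not in ACCEPTED_ENCRYPTION:
        findings.append(f"encryption {policy['encryption_algorithm']} not in baseline")
    if policy["auth_algorithm"] not in ACCEPTED_AUTH:
        findings.append(f"integrity {policy['auth_algorithm']} not in baseline")
    if policy["pfs"] not in ACCEPTED_PFS:
        findings.append(f"PFS {policy['pfs']} not in baseline")
    if kind == "ike" and policy.get("ike_version") != "v2":
        findings.append("IKEv1 in use; baseline requires IKEv2")
    if kind == "ipsec" and policy.get("transform_protocol") != "esp":
        # AH authenticates but does not encrypt; only ESP gives confidentiality.
        findings.append(f"transform {policy.get('transform_protocol')} provides no confidentiality")
    return findings


def check_all(ike_policies, ipsec_policies):
    """Map policy name -> findings, skipping compliant policies."""
    report = {}
    for p in ike_policies:
        report[p["name"]] = check_policy(p, "ike")
    for p in ipsec_policies:
        report[p["name"]] = check_policy(p, "ipsec")
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in check_all([STRONG_IKE, WEAK_IKE], [STRONG_IPSEC, WEAK_IPSEC]).items():
        print(name, findings)
```

Only the two legacy policies appear in the report; the policies created by the commands above pass cleanly.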

Next Steps

  • VM Security: hypervisor isolation, vTPM, and anti-affinity workload placement
  • Infrastructure Security: TLS configuration and endpoint hardening
  • Networking Service: complete networking service documentation with user and admin guides
  • Hardening Guide: pre-deployment hardening checklist for compute and network nodes