Firewall-as-a-Service (FWaaS) in OpenStack provides L3/L4 firewall capabilities at the router port level, complementing security groups, which operate only at the VM instance level. FWaaS v2, implemented as a Neutron service plug-in using OVN port groups and ACLs, supports stateful layer 3/4 rules, per-tenant policies, and router-level policy assignment. The guide covers enabling FWaaS in Red Hat OpenStack Services on OpenShift 18 FR4+ via a patch to the OpenStackControlPlane CR, creating firewall rules and policies, and attaching them to router ports. Best practices include combining FWaaS with security groups for defense-in-depth, using stateless security groups alongside FWaaS because of a known compatibility issue, standardizing on FWaaS v2, and enabling logging for observability.
