Description of problem: Maybe I'm missing something, but when I was trying to set up some security rules through Horizon, had issues, and tried to switch to CLI, I couldn't figure out how to make an egress rule through nova secgroup-add-rule, everything was ingress, with no option to specify egress. From the docs: http://docs.openstack.org/cli-reference/content/novaclient_commands.html nova secgroup-add-rule command usage: nova secgroup-add-rule <secgroup> <ip-proto> <from-port> <to-port> <cidr> Add a rule to a security group. Positional arguments <secgroup> ID or name of security group. <ip-proto> IP protocol (icmp, tcp, udp). <from-port> Port at start of range. <to-port> Port at end of range. <cidr> CIDR for address range. Shouldn't it be possible to specify an egress rule through the CLI? As part of the creation in Horizon, you pick EGRESS/INGRESS along with the other fields that the add-rule command lets you configure.
If you were able to specify egress/ingress in Horizon, it means that your deployment was using Neutron instead of nova-network for networking. Egress rules are only supported by Neutron. The CLI command you were using intentionally only supports ingress. To define egress rules from the CLI, you'll have to use the neutron CLI command, which talks directly to the Neutron API, instead of through Nova's API.