Description of problem:

AWS allows its customers to configure inbound traffic filters on VMs to allow traffic from load balancers only. In OpenStack we can modify VM's security group and add a rule to allow certain type of traffic from some other security group. It is possible to use LB's VIP port's SG and achieve the same goal.

The problem is that load balancer's security groups for VIP ports are generated dynamically and described configuration process is not straighforward: customers need to add SG rule after every LB is created, get its SG ID and modify VM's SG. What if there are different groups of VMs?

It would be great to allow customers to add some existing SG to LB's VIP port when LB is created or modified (in addition to default SG generated automatically). After such change customer will have to create custom SG, set VM's SG rule only once and specify some extra SG when LB is created or modified.