Yes I use them all the time and scripted it all through the API to make it a little like the AWS one
Create a vm and and apply a default security group
Then in the customer interface they can make a security group or more than one
They add rules to the group
Then they assign there VM to the group and i remove the default rule set behind the scene when they assign the group
I dumb it down even more so the in and out policy is drop the customer can only add accept rules
The Difference with AWS Azure etc is that on AWS or Azure the machine has a Private IP address and then you can nat over the public one
I assume what they are doing is creating a Firewall Appliance for each customer and then the rules get added to that appliance so the networking for all that one customers VM go through that appliance then you can NAT over the public network. I saw that Cloudstack does it that way as well
So could be done with pfsence but would take manual work for now the Proxmox Security groups work for me fine
