1- Create an Security Group
2- go the the VM Instance and edit the Security Group ( remove the default and add the new one )
3- On Contrail the SG will be apply at the Port level
OpenStack Fundamentals: Managing Security Groups Using Dashboard
3- On Contrail the SG will be apply at the Port level
( default SG will be use, no need to select it at the creation time on the Dashboard of OpenStack )