diff --git a/sahara/service/direct_engine.py b/sahara/service/direct_engine.py
index 1e91dba04e..6e6c537800 100644
--- a/sahara/service/direct_engine.py
+++ b/sahara/service/direct_engine.py
@@ -29,6 +29,7 @@ from sahara.service import engine as e
 from sahara.service import networks
 from sahara.service import volumes
 from sahara.utils import general as g
+from sahara.utils.openstack import neutron
 from sahara.utils.openstack import nova
 
 
@@ -344,6 +345,16 @@ class DirectEngine(e.Engine):
         nova_client.security_group_rules.create(
             security_group.id, 'tcp', SSH_PORT, SSH_PORT, "0.0.0.0/0")
 
+        # open all traffic for private networks
+        if CONF.use_neutron:
+            for cidr in neutron.get_private_network_cidrs(node_group.cluster):
+                for protocol in ['tcp', 'udp']:
+                    nova_client.security_group_rules.create(
+                        security_group.id, protocol, 1, 65535, cidr)
+
+                nova_client.security_group_rules.create(
+                    security_group.id, 'icmp', -1, -1, cidr)
+
         # enable ports returned by plugin
         for port in node_group.open_ports:
             nova_client.security_group_rules.create(
diff --git a/sahara/utils/openstack/heat.py b/sahara/utils/openstack/heat.py
index 3bd547eed9..aea15f70ad 100644
--- a/sahara/utils/openstack/heat.py
+++ b/sahara/utils/openstack/heat.py
@@ -25,6 +25,7 @@ from sahara.openstack.common import log as logging
 from sahara.utils import files as f
 from sahara.utils import general as g
 from sahara.utils.openstack import base
+from sahara.utils.openstack import neutron
 
 CONF = cfg.CONF
 
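Review bot: The new `if CONF.use_neutron:` block in the `@@ -344,6 +345,16 @@` hunk grants every TCP/UDP port (1–65535) and all ICMP from each subnet CIDR of the management network, which is wider than "traffic between cluster nodes": any other instance a tenant places on that network gets the same unrestricted access to every node in the auto security group. If intra-cluster traffic is the goal, a self-referencing rule (remote = the security group itself — `security_group_rules.create` takes a `group_id` argument in novaclient, and the neutron/heat equivalent is `remote_group_id`) would allow only members of the group without depending on subnet boundaries; the same applies to the `_serialize_auto_security_group_rules` hunk in heat.py. At minimum the comment should state the actual scope, e.g. `# allow all TCP/UDP/ICMP from any host on the management network's subnets (not only cluster members)`. The enclosing method's head is outside the hunk.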
@@ -176,13 +177,24 @@ class ClusterTemplate(object):
         yield _load_template('security_group.heat', fields)
 
     def _serialize_auto_security_group_rules(self, ng):
+        create_rule = lambda cidr, proto, from_port, to_port: {
+            'remote_ip_prefix': cidr,
+            'protocol': proto,
+            'port_range_min': from_port,
+            'port_range_max': to_port}
+
         rules = []
         for port in ng.open_ports:
-            rules.append({"remote_ip_prefix": "0.0.0.0/0", "protocol": "tcp",
-                          "port_range_min": port, "port_range_max": port})
+            rules.append(create_rule('0.0.0.0/0', 'tcp', port, port))
 
-        rules.append({"remote_ip_prefix": "0.0.0.0/0", "protocol": "tcp",
-                      "port_range_min": SSH_PORT, "port_range_max": SSH_PORT})
+        rules.append(create_rule('0.0.0.0/0', 'tcp', SSH_PORT, SSH_PORT))
+
+        # open all traffic for private networks
+        if CONF.use_neutron:
+            for cidr in neutron.get_private_network_cidrs(ng.cluster):
+                for protocol in ['tcp', 'udp']:
+                    rules.append(create_rule(cidr, protocol, 1, 65535))
+                rules.append(create_rule(cidr, 'icmp', -1, -1))
 
         return json.dumps(rules)
diff --git a/sahara/utils/openstack/neutron.py b/sahara/utils/openstack/neutron.py
index 42dcd5a7c8..dd7506736c 100644
--- a/sahara/utils/openstack/neutron.py
+++ b/sahara/utils/openstack/neutron.py
@@ -210,3 +210,16 @@ class NetcatSocket:
     def reset(self):
         self._terminate()
         self._create_process()
+
+
+def get_private_network_cidrs(cluster):
+    neutron_client = client()
+    private_net = neutron_client.show_network(
+        cluster.neutron_management_network)
+
+    cidrs = []
+    for subnet_id in private_net['network']['subnets']:
+        subnet = neutron_client.show_subnet(subnet_id)
+        cidrs.append(subnet['subnet']['cidr'])
+
+    return cidrs
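Review bot: `create_rule = lambda cidr, proto, from_port, to_port: {...}` at the top of `_serialize_auto_security_group_rules` binds a lambda to a name, which PEP 8 (E731) discourages because the resulting object has no meaningful `__name__` in tracebacks and cannot carry a docstring; a nested `def` is the idiomatic form for a helper of this size. The replacement is `def create_rule(cidr, proto, from_port, to_port):` / `    return {'remote_ip_prefix': cidr, 'protocol': proto,` / `            'port_range_min': from_port, 'port_range_max': to_port}`. The rest of the hunk only routes the existing rules through this helper, so behaviour is unchanged either way.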
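Review bot: `get_private_network_cidrs` in the `@@ -210,3 +210,16 @@` hunk is a new public helper whose return value is used to build allow-all security-group rules, yet it has no docstring and nothing states that it issues one `show_subnet` call per subnet on the network. Suggested docstring: `"""Return the CIDR of every subnet on the cluster's neutron management network.\n\n    Issues one show_subnet call per subnet; callers use the result as the remote prefix of allow-all rules, so it must only ever describe the cluster's own network."""`. It also appears to rely on `cluster.neutron_management_network` being set whenever `CONF.use_neutron` is true — if that is not guaranteed at the call sites, `show_network` will be called with `None`; worth confirming against the callers.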