cloudstack-dev mailing list archives

From Christopher Falk <>
Subject VPC Firewall Rule Limitations
Date Wed, 13 May 2015 17:47:17 GMT
Hi all, 

I've run into some limitations in the firewall rule capabilities in the VPC side that I'm
hoping could be addressed in a future release. For VPC networks, when configuring ACL for
tiers you can only manage tier-wide destinations for inbound or sources for outbound. 

What would it take to build in more granularity to these options? 

For example, in a tier with one web server and one mail server, I have to allow Inbound, from, on
TCP 25, 80, 443 etc. This opens these ports to *all* instances in the tier, assuming they don't have
their own OS-level firewalls running. Now of course only instances with Static NAT configured will
pass traffic but that still permits port 25 to the web server and 80/443 to the FTP even if I don't
want that.

Typical firewall rule sets allow source/destination to be specified, so that we could open
port 25 to the FTP server IP only, and port 80/443 to the web server only. 

The current rules are confusing for a new user with a networking background. You have to understand
that when selecting "Ingress" your specified CIDR is a *source* but when specifying "Egress"
it is the destination CIDR.

Thanks for the consideration, 

Christopher Falk 
Director, Technical Operations 
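As an added illustration (not part of Christopher's message and not CloudStack's own code), the following simplified Python model of a tier ACL shows the two points raised above: the single CIDR field is matched against the source on ingress and the destination on egress, and a tier-wide ingress rule opens a port to every instance in the tier. The `dst_cidr` field is a hypothetical extension standing in for the requested per-destination granularity; the addresses and the default-deny fallback are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AclItem:
    traffic: str                     # "ingress" or "egress" relative to the tier
    protocol: str
    start_port: int
    end_port: int
    cidr: str                        # source CIDR on ingress, destination CIDR on egress
    action: str = "allow"
    dst_cidr: Optional[str] = None   # hypothetical extension: pin an ingress rule to a destination


@dataclass(frozen=True)
class Flow:
    direction: str                   # "ingress" or "egress" relative to the tier
    protocol: str
    src: str
    dst: str
    dport: int


def matches(rule: AclItem, flow: Flow) -> bool:
    if rule.traffic != flow.direction or rule.protocol != flow.protocol:
        return False
    if not rule.start_port <= flow.dport <= rule.end_port:
        return False
    # The one CIDR field is the *source* for ingress and the *destination* for egress.
    peer = flow.src if flow.direction == "ingress" else flow.dst
    if ip_address(peer) not in ip_network(rule.cidr):
        return False
    # Only the hypothetical dst_cidr can narrow an ingress rule to one instance.
    return rule.dst_cidr is None or ip_address(flow.dst) in ip_network(rule.dst_cidr)


def evaluate(rules, flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic falls back to the assumed default."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


# Constructed tier 10.1.1.0/24 holding a web server and a mail server.
WEB, MAIL, INTERNET = "10.1.1.10", "10.1.1.20", "203.0.113.5"
TIER_WIDE = [AclItem("ingress", "tcp", p, p, "0.0.0.0/0") for p in (25, 80, 443)]
PER_HOST = [AclItem("ingress", "tcp", 25, 25, "0.0.0.0/0", dst_cidr=MAIL + "/32")] + [
    AclItem("ingress", "tcp", p, p, "0.0.0.0/0", dst_cidr=WEB + "/32") for p in (80, 443)]


def reachable_ports(rules, dst: str, ports=(25, 80, 443)) -> list:
    """Ports on dst that the constructed INTERNET host can reach under rules."""
    return [p for p in ports
            if evaluate(rules, Flow("ingress", "tcp", INTERNET, dst, p)) == "allow"]
```

Under `TIER_WIDE` both servers expose 25, 80 and 443; under `PER_HOST` the mail server exposes only 25 and the web server only 80/443.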
