weizhouapache commented on issue #8863:
URL: https://github.com/apache/cloudstack/issues/8863#issuecomment-2952103869

   > Not sure if this is the correct place to ask or not, but with my current 
issue of locking down a Load Balancer in a VPC network, I've run into issues 
where the VPC network ACL doesn't work for a Load Balancer and I'm not sure 
what the expected behavior should be.
   > 
   > If I create or [update source 
CIDR](https://github.com/apache/cloudstack/pull/10968) of the LB rule, it will 
restrict based on the source CIDR; however, nothing in the VPC ACL will actually 
restrict access to my LB.
   > 
   > This is completely different behavior when it's a non-VPC network. A non-VPC 
network will actually use the firewall correctly to restrict access.
   
   @CodeBleu 
   You are right.
   It is a known issue that the network ACL does not apply to a LB in a VPC:
   https://github.com/apache/cloudstack/discussions/10507
   
   > I believe the Load Balancer source CIDR itself should be the first line of 
defense and if it is set to 0.0.0.0/0 (the default), then the firewall (non-VPC) 
or ACL (VPC) should be the next line of defense.
   
   Unfortunately, source CIDRs and network ACLs are configured differently 
inside the VR: there are no iptables rules for the source CIDRs of a LB, and 
there is no haproxy configuration for network ACLs either.
   You can refer to https://github.com/apache/cloudstack/pull/6460
   
   > Any help in the direction this should go would be much appreciated.
   > 
   > I'm needing this to work for the cloudstack-kubernetes-provider so it can 
set the LB source CIDR on creation, as the creation of the ACLs is not 
working and just leaves things wide open, based on the default source CIDR of 
the LB being open by default. [@Pearl1594](https://github.com/Pearl1594) It 
appears you last worked on 
[this](https://github.com/apache/cloudstack-kubernetes-provider/pull/69), and 
hopefully you can be of some help here.
   
   I'd like to see firewall rule support on Public IPs in a VPC, similar to 
Public IPs in isolated networks.
   However, for now you have to configure the source CIDR for the LB.
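Since the network ACL is not applied to a LB in a VPC, the only place the restriction actually lives is the haproxy configuration on the VR, not iptables. The script below is an added example (editor's code, not CloudStack's or the cloudstack-kubernetes-provider's) that audits a haproxy.cfg for which LB frontends carry a source restriction and which are open to any source. It assumes the VR renders LB source CIDRs as an `acl <name> src <cidr> ...` line plus a `tcp-request connection reject if !<name>` line inside each `listen` block; the haproxy directive syntax is standard, but that exact rendering is an assumption about the VR. The config fragment is constructed for the example.

```python
"""Audit haproxy frontends on a CloudStack VR for LB source-CIDR restrictions.

Added example, not CloudStack's own code. Assumption: the VR expresses a LB
rule's source CIDRs as `acl NAME src CIDR...` followed by
`tcp-request connection reject if !NAME` inside the rule's `listen` block.
"""
import ipaddress
import re

# Constructed haproxy.cfg fragment: one restricted LB, one with the default
# 0.0.0.0/0 source CIDR, and one with no source ACL at all.
SAMPLE_CFG = """\
global
    daemon

defaults
    mode tcp
    timeout connect 5000

listen 203_0_113_10-443
    bind 203.0.113.10:443
    balance roundrobin
    acl network_allowed src 198.51.100.0/24 192.0.2.0/24
    tcp-request connection reject if !network_allowed
    server 203_0_113_10-443_0 10.1.1.5:443 check

listen 203_0_113_10-80
    bind 203.0.113.10:80
    balance roundrobin
    acl network_allowed src 0.0.0.0/0
    tcp-request connection reject if !network_allowed
    server 203_0_113_10-80_0 10.1.1.6:80 check

listen 203_0_113_11-22
    bind 203.0.113.11:22
    balance source
    server 203_0_113_11-22_0 10.1.1.7:22 check
"""

_SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
_REJECT_RE = re.compile(r"^tcp-request\s+connection\s+reject\s+if\s+!(\S+)")


def parse_sections(cfg):
    """Split haproxy.cfg into {name: [lines]} keeping only listen/frontend blocks."""
    sections = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            kind, name = m.group(1), m.group(2)
            current = name if kind in ("listen", "frontend") else None
            if current is not None:
                sections[current] = []
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def allowed_sources(lines):
    """Return the source networks a block enforces, or None when no reject rule
    references a src ACL (an ACL that is defined but never used enforces nothing)."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(parts[3:])
    for line in lines:
        m = _REJECT_RE.match(line)
        if m and m.group(1) in acls:
            return [ipaddress.ip_network(c, strict=False) for c in acls[m.group(1)]]
    return None


def is_open(sources):
    """Open means no enforced restriction, or a catch-all like 0.0.0.0/0 or ::/0."""
    return sources is None or any(n.prefixlen == 0 for n in sources)


def audit(cfg):
    """Per-frontend summary: bind addresses, enforced source CIDRs, open flag."""
    report = {}
    for name, lines in parse_sections(cfg).items():
        binds = [l.split()[1] for l in lines if l.startswith("bind ")]
        sources = allowed_sources(lines)
        report[name] = {
            "bind": binds,
            "sources": [str(n) for n in sources] if sources else [],
            "open": is_open(sources),
        }
    return report


def is_source_allowed(cfg, name, client_ip):
    """Would haproxy accept a connection from client_ip on the named frontend?"""
    sources = allowed_sources(parse_sections(cfg)[name])
    if sources is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in sources if n.version == ip.version)


if __name__ == "__main__":
    # On a VR you would read /etc/haproxy/haproxy.cfg instead of SAMPLE_CFG.
    for name, info in audit(SAMPLE_CFG).items():
        state = ("OPEN to any source" if info["open"]
                 else "restricted to " + ", ".join(info["sources"]))
        print(f"{name} bind={','.join(info['bind'])}: {state}")
```

Run it against the VR's haproxy.cfg to see which public IP/port pairs are effectively unrestricted; a frontend whose only `src` ACL is 0.0.0.0/0 is reported as open, which is exactly the default-LB case described above, and adding a network ACL on the VPC tier will not change that output because the ACL never reaches haproxy.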


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
