andrijapanicsb commented on issue #4402: URL: https://github.com/apache/cloudstack/issues/4402#issuecomment-717884136
Please see docs before confirming an issue @Spaceman1984

http://docs.cloudstack.apache.org/en/latest/adminguide/networking/virtual_private_cloud_config.html?highlight=acl#about-network-acl-lists

Specifically:

`The default Network ACL is used when no ACL is associated. Default behavior is all the incoming traffic is blocked and outgoing traffic is allowed from the tiers...:`

With this in mind ^^^, conduct the testing... - it is expected that your noACL tier was able to ping anything outside.

But the other "blocked by default..." egress issue: I think the documentation is not correct - i.e. for VPC networks, I don't recall that there was ever an implementation that will by default block outgoing traffic (egress) on ACLs where some Egress rules allow some access - i.e. you would always want to add 0.0.0.0/0 deny rule - it's an EMPTY ACL that you want to populate your way - just like on any other router - you will explicitly add deny to 0.0.0.0:0 as the last rule in the ACL.

I would prefer that we update the documentation on VPC ACL, instead of changing the behaviour, unless some of you can confirm that this worked differently in previous ACS versions @rvalle ?
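As an added example (not part of the comment above and not CloudStack code): a small Python model of ordered ACL evaluation that treats unmatched egress traffic as allowed, which is the behaviour the comment describes, plus a check that flags an ACL whose last egress rule is not a deny for 0.0.0.0/0. The rule fields, the sample ACLs and the assumption that an egress rule's CIDR is matched against the destination address are constructed for illustration.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample ACLs. Field names are this example's own, not CloudStack API output.
ACL_NO_DENY = [
    {"number": 10, "traffic": "egress", "action": "allow", "cidr": "10.0.0.0/8"},
    {"number": 20, "traffic": "egress", "action": "allow", "cidr": "192.0.2.0/24"},
]
ACL_WITH_DENY = ACL_NO_DENY + [
    {"number": 1000, "traffic": "egress", "action": "deny", "cidr": "0.0.0.0/0"},
]


def rules_for(acl, traffic):
    """Rules for one direction, in evaluation order (lowest rule number first)."""
    return sorted((r for r in acl if r["traffic"] == traffic),
                  key=lambda r: r["number"])


def evaluate(acl, traffic, dest_ip, unmatched="allow"):
    """Return the action of the first rule whose CIDR contains dest_ip.

    `unmatched` is the result when no rule matches. The default "allow"
    models the egress behaviour described in the comment; it is an
    assumption of this example, not verified against CloudStack.
    """
    addr = ipaddress.ip_address(dest_ip)
    for rule in rules_for(acl, traffic):
        if addr in ipaddress.ip_network(rule["cidr"]):
            return rule["action"]
    return unmatched


def missing_final_deny(acl, traffic="egress"):
    """True unless the highest-numbered rule for `traffic` is deny 0.0.0.0/0."""
    rules = rules_for(acl, traffic)
    if not rules:
        return True  # empty ACL: nothing denies anything in this direction
    last = rules[-1]
    return not (last["action"] == "deny"
                and ipaddress.ip_network(last["cidr"]) == ANY)


if __name__ == "__main__":
    for name, acl in (("no final deny", ACL_NO_DENY), ("final deny", ACL_WITH_DENY)):
        print(name, "-> 198.51.100.7:", evaluate(acl, "egress", "198.51.100.7"),
              "| flagged:", missing_final_deny(acl))
```
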
