Hello I have been hitting problems with Network ACL rules in VPCs with 4.7 ( looked at the code for 4.8 and it looks similar). It seems that the rule ordering is actually inverted on the VR. So the rules with higher rule numbers are getting checked before the lower ones. As an example, this can be problematic if you want a DENY all and to whitelist certain traffic. Also, changing the rule number does not apply the new order to the VR.
Anyone else having problems? Patrick
