Each instance (node) is associated with a "network". (The project usually comes with a "default" network already defined, and if you create an instance from the web interface without changing the network, the instance will generally be associated with that network.)
Firewalls are a property of the network, so you can define the firewall rules on the network and then any instances associated with that network get those rules (although the firewall rules can also be associated with tags, so you can have the specific rules only apply to a subset of the instances on the network by setting the appropriate tags). So, for example, you can have a firewall rule called "web" that allows connections on TCP port 80 and set the target tags to "webserver". If this firewall is associated with the default network and then you create an instance also associated with the default network, then setting the tag "webserver" on the instance will open TCP:80.

In the case of non-jclouds created nodes, you can get the valid firewall rules from a combination of the network and the tags on the instance/firewall.

-Rick

On Tue, Mar 18, 2014 at 4:06 PM, Andrew Phillips <[email protected]> wrote:

>> Does this make sense? Am I missing something obvious, or is there a
>> problem here?
>
> Looks like your troubleshooting is pretty spot on ;-) And I'd say (as an
> outsider - I didn't implement the code so don't know the exact intention)
> it looks like a bug to me. "groupFromMapOrName" definitely can return null,
> and InstanceInZoneToNodeMetadata doesn't seem to take that into account.
>
> It seems that the code requires the name to get the appropriate firewall.
> In the case of a non-jclouds created node, what should the firewall logic
> do?
>
> ap
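
Added example, not part of the original thread and not jclouds code: a minimal model of the rule resolution described in the message above, where an instance's firewalls are derived from its network and tags alone, with no group name needed. The class names, function names and sample data are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Firewall:
    name: str
    network: str
    allowed: frozenset                      # e.g. {"tcp:80"}
    target_tags: frozenset = frozenset()    # empty: applies to every instance on the network

@dataclass(frozen=True)
class Instance:
    name: str
    network: str
    tags: frozenset = frozenset()

def effective_firewalls(instance, firewalls):
    """Firewalls on the instance's network that are untargeted or share a tag with it."""
    return [
        fw for fw in firewalls
        if fw.network == instance.network
        and (not fw.target_tags or fw.target_tags & instance.tags)
    ]

def open_ports(instance, firewalls):
    """Union of everything the applicable firewalls allow, sorted for stable output."""
    ports = set()
    for fw in effective_firewalls(instance, firewalls):
        ports |= fw.allowed
    return sorted(ports)

# Constructed sample data: the "web" rule from the message plus two hypothetical rules.
FIREWALLS = [
    Firewall("web", "default", frozenset({"tcp:80"}), frozenset({"webserver"})),
    Firewall("ssh-all", "default", frozenset({"tcp:22"})),
    Firewall("db", "backend", frozenset({"tcp:5432"}), frozenset({"database"})),
]
# Nodes created outside jclouds: no group name, only a network and tags.
TAGGED = Instance("manual-node-1", "default", frozenset({"webserver"}))
UNTAGGED = Instance("manual-node-2", "default")
OTHER_NET = Instance("manual-node-3", "backend", frozenset({"webserver"}))

if __name__ == "__main__":
    for node in (TAGGED, UNTAGGED, OTHER_NET):
        print(node.name, open_ports(node, FIREWALLS))
```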
