Thanks for the reply. How should we block an egress CIDR from a specific source CIDR when the default egress policy of the network offering is "Allow"? What will the behavior of egress rules in an SG on the network be?
On Sat, Nov 2, 2019 at 12:09 AM Andrija Panic <[email protected]> wrote:

> By definition, with Shared Networks, the VR is providing **ONLY**
> DNS/DHCP/USER-DATA services to VMs in the shared network - i.e. traffic
> NEVER passes through the VR (your VR and all your user VMs have an IP on
> that shared network - they are just "peers" so to speak, the VR is not a
> router, it's just a dhcp/dns server).
>
> If you are using Security Groups on that shared network, then you can
> achieve what you want via SG, otherwise, your VMs are using (as you stated)
> an external gateway, which you don't control.
>
> If you are NOT using SG, but are brave enough and have awesome automation
> skills - you can try to do traffic limiting on the hypervisor hosts (which
> is exactly what SG do - SG is just a collection of iptables/ebtables rules
> on hypervisors)
> Though I would not advise doing so...^^^
>
> Best,
> Andrija
>
> On Fri, 1 Nov 2019 at 21:21, Fariborz Navidan <[email protected]> wrote:
>
> > Yes, it is a shared network with an external gateway. Indeed, hosts are
> > connected to a vRack on the OVH network. The gateway address is externally
> > addressed as the last usable IP of the IP block. On the CloudStack side, I
> > have configured several IP address ranges on the same shared guest network
> > in an advanced zone.
> >
> > What I want to do is to block some outgoing traffic from specific source
> > IPs to specific destination IP ranges. I want to know whether I should
> > place the firewall rule on the VR or on the host itself. The cloud is
> > currently running with one host, but I should be able to generalize these
> > rules for further scaling when more hosts are added in the future.
> >
> > Thanks
> >
> > On Fri, Nov 1, 2019 at 10:30 PM Andrija Panic <[email protected]> wrote:
> >
> > > Can you explain your setup a bit more - I'm not clear on "gateway address
> > > of my guest network is not inside the cloud and it is not under my
> > > management" - is this a shared network, using some external gateway
> > > (which is a normal setup for a Shared network)?
> > >
> > > On Fri, 1 Nov 2019 at 16:21, Fariborz Navidan <[email protected]> wrote:
> > >
> > > > Hello,
> > > >
> > > > The gateway address of my guest network is not inside the cloud and it
> > > > is not under my management. My question is whether guest traffic still
> > > > touches the virtual router, and whether I can place custom firewall
> > > > rules between guests and the outside network on the VR?
> > > >
> > >
> > > --
> > > Andrija Panić
>
> --
> Andrija Panić
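An added example for the SG route Andrija points to above; it is not part of the thread and not CloudStack's own code. It assumes the shared network has Security Groups enabled and relies on two documented properties of CloudStack SG egress rules: they are allow rules only, and once a group carries any egress rule, traffic that no rule matches is dropped. There is no source-CIDR selector on an egress rule, so "traffic from these source IPs" is expressed by putting those VMs in a group of their own, and "block this destination range" becomes "allow every destination except that range". The block computes that complement, then builds the signed authorizeSecurityGroupEgress calls using the standard CloudStack API signing scheme (HMAC-SHA1 over the lowercased, sorted query string). The blocked ranges, security group id, endpoint and keys are placeholders constructed for the example.

```python
"""Turn "block destination range X for these VMs" into CloudStack SG egress rules.

Added example, not CloudStack's own code. SG egress rules are allow rules, and
once a group has any egress rule the default for that group becomes deny, so
a block is expressed as "allow everything except X" on the group whose members
are the source VMs.
"""
import base64
import hashlib
import hmac
import ipaddress
import urllib.parse

# Placeholders constructed for this example; not real identifiers or keys.
BLOCKED_DESTINATIONS = ["203.0.113.0/24", "198.51.100.0/24"]
SECURITY_GROUP_ID = "00000000-0000-0000-0000-000000000000"
ENDPOINT = "https://cloudstack.example.net/client/api"
API_KEY = "example-api-key"
SECRET_KEY = "example-secret-key"


def allow_cidrs_except(blocked):
    """Carve the blocked IPv4 ranges out of 0.0.0.0/0 and return what remains.

    Two CIDR blocks are either nested or disjoint, so each remaining block is
    kept whole (disjoint), dropped (it lies inside a blocked range) or split
    with address_exclude (the blocked range lies inside it).
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for raw in blocked:
        b = ipaddress.ip_network(raw, strict=True)
        kept = []
        for net in remaining:
            if b.subnet_of(net):
                kept.extend(net.address_exclude(b))  # yields nothing if b == net
            elif not net.subnet_of(b):
                kept.append(net)  # disjoint from the blocked range: keep as-is
            # otherwise net sits inside the blocked range and is dropped
        remaining = kept
    return sorted(remaining)


def egress_rule_params(group_id, protocol, cidrs, startport=None, endport=None):
    """Parameters for one authorizeSecurityGroupEgress call over `cidrs`."""
    params = {
        "command": "authorizeSecurityGroupEgress",
        "securitygroupid": group_id,
        "protocol": protocol,
        "cidrlist": ",".join(str(c) for c in cidrs),
    }
    if startport is not None:
        params["startport"] = startport
        params["endport"] = endport if endport is not None else startport
    return params


def sign_query(params, api_key, secret_key):
    """CloudStack API signing: sort parameters by name (case-insensitively),
    URL-encode the values, lowercase the whole string, HMAC-SHA1 it with the
    secret key, base64 the digest and append it URL-encoded as `signature`."""
    p = dict(params, apiKey=api_key, response="json")
    query = "&".join(
        f"{k}={urllib.parse.quote(str(v), safe='*')}"
        for k, v in sorted(p.items(), key=lambda kv: kv[0].lower())
    )
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    return f"{query}&signature={urllib.parse.quote(signature, safe='')}"


def build_requests(blocked, group_id, endpoint, api_key, secret_key):
    """One signed URL per protocol; together they allow all TCP/UDP ports to
    every destination except the blocked ranges for VMs in `group_id`."""
    allowed = allow_cidrs_except(blocked)
    rules = [
        egress_rule_params(group_id, "tcp", allowed, 1, 65535),
        egress_rule_params(group_id, "udp", allowed, 1, 65535),
    ]
    return [f"{endpoint}?{sign_query(r, api_key, secret_key)}" for r in rules]


def covers_everything_but(allowed, blocked):
    """Sanity check: allowed + blocked tile the IPv4 space with no overlap."""
    nets = sorted(list(allowed) + [ipaddress.ip_network(b) for b in blocked])
    total = sum(n.num_addresses for n in nets)
    disjoint = all(not a.overlaps(b) for a, b in zip(nets, nets[1:]))
    return total == 2 ** 32 and disjoint


if __name__ == "__main__":
    allowed = allow_cidrs_except(BLOCKED_DESTINATIONS)
    print(f"{len(allowed)} allow CIDRs replace 0.0.0.0/0; first few: {allowed[:3]}")
    for url in build_requests(BLOCKED_DESTINATIONS, SECURITY_GROUP_ID, ENDPOINT, API_KEY, SECRET_KEY):
        print(url[:100] + "...")
```

Two practical notes. The first egress rule you add to a group flips that group from "all egress allowed" to "only listed egress allowed", so add the full allow-list before moving VMs into the group, and include whatever else the VMs need (for example an ICMP rule, which CloudStack keys by icmptype/icmpcode rather than ports). And because the rules are realised as iptables/ebtables on each hypervisor, as Andrija describes, they follow the VMs to any host added later; nothing has to be repeated per host.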
