Hi Hean,

In an Advanced Zone with Security Groups enabled, by default, egress traffic from the VM is allowed, while ingress traffic is denied. Hence, as you rightly mentioned, security group rules are added accordingly.

These rules get added on the hypervisor host, and you can verify them by going into the host and searching for iptables rules corresponding to the VM (internal name - i-x-y-VM).

This blog may be helpful in providing further details: https://shankerbalan.net/blog/cloudstack-advanced-zone-with-security-groups/
Thanks,
Pearl

________________________________
From: Hean Seng <[email protected]>
Sent: Sunday, September 27, 2020 2:48 PM
To: [email protected] <[email protected]>
Subject: Cloudstack Advance with Security Group

Hi

I created advance zone with security group, all working fine.

But VM created, seems the default security group that assigned to the VM. all accept policy, I understand is Default Deny, and once add in the port in Security Group Ingress and Egress, only is allowed

Also, is this rules created at VirtualRouter of the SharedNetwork, or at the Hypervisor?

--
Regards,
Hean Seng
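The host-side check described in the reply above, as an added example that is not part of the original thread: it filters an `iptables-save` dump for rules tied to one VM's internal name and counts the verdicts per chain. The VM name `i-2-10-VM`, the chain names and the sample rules are constructed for illustration and assume the chain names begin with the VM's internal name; they are not a copy of what CloudStack writes.

```shell
#!/bin/sh
# Added example. On a real hypervisor host: iptables-save | vm_summary <internal-name>

# Constructed sample in iptables-save format (not captured from a real host).
sample_rules() {
cat <<'EOF'
*filter
:i-2-10-VM - [0:0]
:i-2-10-VM-eg - [0:0]
:i-2-11-VM - [0:0]
-A FORWARD -m physdev --physdev-out vnet0 --physdev-is-bridged -j i-2-10-VM
-A i-2-10-VM -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A i-2-10-VM -j DROP
-A i-2-10-VM-eg -j RETURN
-A i-2-11-VM -j DROP
COMMIT
EOF
}

# Print every rule whose own chain (-A) or jump/goto target (-j/-g)
# starts with the VM's internal name. Reads the ruleset on stdin.
vm_rules() {
    awk -v vm="$1" '
        $1 == "-A" {
            hit = 0
            for (i = 2; i <= NF; i++)
                if (($(i-1) == "-A" || $(i-1) == "-j" || $(i-1) == "-g") &&
                    index($i, vm) == 1) hit = 1
            if (hit) print
        }'
}

# Summarise the matching rules per chain as "<chain> ACCEPT=<n> DROP=<n>",
# which shows at a glance whether a chain ends up allowing or denying traffic.
vm_summary() {
    vm_rules "$1" | awk '
        { chain = $2; tgt = ""
          for (i = 3; i < NF; i++) if ($i == "-j") tgt = $(i + 1)
          if (tgt == "ACCEPT") acc[chain]++
          if (tgt == "DROP") drop[chain]++
          seen[chain] = 1 }
        END { for (c in seen)
                  printf "%s ACCEPT=%d DROP=%d\n", c, acc[c], drop[c] }' | sort
}

sample_rules | vm_summary i-2-10-VM
```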
