Yes, I also found that confusing.
So, I decided to create one ACL per tier, with the same name as the tier. Since my rules are created by (the fantastic ;) ansible modules... I can have as many as I want, pretty fine grained.

I have checked that the ACLs and tiers are (still) assigned correctly too.

So, I don't expect those default ACLs to be in use at all. But maybe I am misunderstanding something ?!

Since I remember this working before I have destroyed the environment and I am going to re-deploy step by step.... see where this breaks.

Regards,
Rafael

On Mon, 2020-10-12 05:53 PM, Rene Moser <m...@renemoser.net> wrote:
> On 12.10.20 17:30, rva...@privaz.io.INVALID wrote:
> > Am I missing something?
> >
> It's been a while but I remember the default egress rule is "allow from
> all".
>
> https://docs.cloudstack.apache.org/en/4.14.0.0/adminguide/networking/virtual_private_cloud_config.html?#about-network-acl-lists
>
> The doc however seems to be inconsistent, the table says "Deny all" for
> outgoing. I guess this is a typo in the table there.
>
> Regards
> René