Hi Rene,

I know what you mean now: the "By default, all incoming traffic to the guest networks is blocked and all outgoing traffic from guest networks is allowed, once you add an ACL rule for outgoing traffic, then only outgoing traffic specified in this ACL rule is allowed, the rest is blocked."

This is how I remembered it. However, it looks like the last bit (once you add an ACL rule for outgoing traffic...) seems to be implemented in isolated networks but not in VPC tiers.

I managed to achieve the desired behaviour by adding a: 9999 0.0.0.0/0 Egress Deny ALL ALL Rule to my ACLs in VPC tiers, even though there is already another Egress rule present. However, the Isolated networks that I have do not need it, as they do honour the previous specification.

I am going to create an issue and see if the team can reproduce this behaviour.

Regards,
Rafael

On Mon, 2020-10-12 05:53 PM, Rene Moser <m...@renemoser.net> wrote:
> On 12.10.20 17:30, rva...@privaz.io.INVALID wrote:
> > Am I missing something?
>
> It's been a while but I remember the default egress rule is "allow from
> all".
>
> https://docs.cloudstack.apache.org/en/4.14.0.0/adminguide/networking/virtual_private_cloud_config.html?#about-network-acl-lists
>
> The doc however seems to be inconsistent, the table says "Deny all" for
> outgoing. I guess this is a typo in the table there.
>
> Regards
> René