GitHub user bradh352 added a comment to the discussion: private gateway egress deny ACL blocks all traffic?
> > I've observed that when creating a private gateway if my ACL has a deny
> > egress all rule at the end, then none of the allowed traffic seems to work
> > with my private gateway. This is different than my network tiers where I
> > always have a deny egress all rule at the end.
>
> what are the differences?

Zero, I literally used my normal common ACL rules that I apply to all zones/tiers, plus any zone-specific rules. I just narrowed it down to the egress rule being the culprit. Another interesting note is that in the same subnet as the private gateway, I can't even ping the private gateway's IP address with the egress deny all rule in place. It's like it's blackholed.

I've attached my working ACL rules. The non-working rules just have one more entry at the bottom with a rule number of 65500 that is a deny egress protocol all rule.

[AclRules-hypervisor-346df974-6f58-4a8e-94ab-a6559e7bbf2f.csv](https://github.com/user-attachments/files/22739937/AclRules-hypervisor-346df974-6f58-4a8e-94ab-a6559e7bbf2f.csv)

> > Confusingly as well, there appears to be another unrelated bug. If you
> > switch to the default_allow rule for testing, then switch back to the ACL
> > that isn't working ... it continues to work! Ugh .... the only way to know
> > for sure if it is persistent is to restart the VPC ... who knows what other
> > rules aren't really being set. This seems like a major issue.
>
> This issue should have been fixed by #9374 (in 4.19.2) and #10241 (4.20.1)
> Which ACS version do you use?

The latest, 4.21.0. Also, the referenced issues appear to be applying an ACL when there are no rules. There are always rules in my circumstance.

> > Anyone else having this issue or have any hints? I am using a redundant VPC
> > if that is somehow related.

GitHub link: https://github.com/apache/cloudstack/discussions/11796#discussioncomment-14613160
