GitHub user HeinzM added a comment to the discussion: data-server. is not
reachable in some VPC isolated guest networks

@kiranchavala 
I have ingress rules for ports 50000-50001 and 6443 on the control-plane tier:

```hcl
# Control-plane tier, ingress: allow TCP/6443 (presumably the kube-apiserver
# port) from the whole 10.0.0.0/8 range.
# NOTE(review): 10.0.0.0/8 is far wider than var.k8s_vpc01_cidr, which the
# 50000-50001 rule in k8s_cp01_ing20 uses. Confirm that every 10/8 network that
# can route to this tier is meant to reach the API port; if only in-VPC or
# admin ranges need it, narrow cidr_list accordingly.
resource "cloudstack_network_acl_rule" "k8s_cp01_ing10" {
  acl_id  = cloudstack_network_acl.k8s_acl_cp.id
  project = var.project_id
  rule {
    action       = "allow"
    cidr_list    = ["10.0.0.0/8"]
    protocol     = "tcp"
    ports        = ["6443"]
    traffic_type = "ingress"
  }
}

# Control-plane tier, ingress: allow TCP/50000-50001 only from the VPC's own
# CIDR (var.k8s_vpc01_cidr).
# depends_on serialises creation after k8s_cp01_ing10; presumably so the rules
# are numbered in listing order by the provider — confirm that ordering matters
# for your ACL (rules are evaluated by number, and both rules here are allows).
resource "cloudstack_network_acl_rule" "k8s_cp01_ing20" {
  acl_id     = cloudstack_network_acl.k8s_acl_cp.id
  depends_on = [cloudstack_network_acl_rule.k8s_cp01_ing10]
  project    = var.project_id
  rule {
    action       = "allow"
    cidr_list    = [var.k8s_vpc01_cidr]
    protocol     = "tcp"
    ports        = ["50000-50001"]
    traffic_type = "ingress"
  }
}
```

and for the worker-node tiers:

```hcl
# Worker tiers (one ACL per worker network, indexed by count): allow TCP/50000
# from "<base>.0/19", assembled by string interpolation from
# var.k8s_nw_wn_base_cidr.
# NOTE(review): a /19 has mask 255.255.224.0, so "<base>.0/19" only describes
# an aligned block when the third octet of the base is a multiple of 32
# (0, 32, 64, ...). Confirm the variable's value, or derive the prefix with
# cidrsubnet() instead of string concatenation so misalignment fails at plan
# time rather than being silently accepted or normalised.
resource "cloudstack_network_acl_rule" "k8s_wn01_ing10" {
  count   = var.k8s_nw_wn_count
  acl_id  = cloudstack_network_acl.k8s_acl_wn[count.index].id
  project = var.project_id
  rule {
    action       = "allow"
    cidr_list    = ["${var.k8s_nw_wn_base_cidr}.0/19"]
    protocol     = "tcp"
    ports        = ["50000"]
    traffic_type = "ingress"
  }
}

# Worker tiers, ingress: allow TCP/80 from 10.0.0.0/8 (created after
# k8s_wn01_ing10 via depends_on).
# Hint: with static NAT the traffic arrives with the external client's source
# address, so a 10.0.0.0/8 match will presumably not cover it. Prefer the
# narrowest range that describes your clients (e.g. the corporate or
# load-balancer prefixes); use 0.0.0.0/0 only if the service really is meant
# to be public.
resource "cloudstack_network_acl_rule" "k8s_wn01_ing20" {
  count      = var.k8s_nw_wn_count
  acl_id     = cloudstack_network_acl.k8s_acl_wn[count.index].id
  depends_on = [cloudstack_network_acl_rule.k8s_wn01_ing10]
  project    = var.project_id
  rule {
    action       = "allow"
    cidr_list    = ["10.0.0.0/8"]
    protocol     = "tcp"
    ports        = ["80"]
    traffic_type = "ingress"
  }
}

# Worker tiers, ingress: allow TCP/443 from 10.0.0.0/8 (created after
# k8s_wn01_ing20 via depends_on).
# The same source-range consideration as for port 80 in k8s_wn01_ing20 applies:
# behind static NAT the client's public address is what the ACL sees, so pick
# the narrowest cidr_list that matches the intended clients.
resource "cloudstack_network_acl_rule" "k8s_wn01_ing30" {
  count      = var.k8s_nw_wn_count
  acl_id     = cloudstack_network_acl.k8s_acl_wn[count.index].id
  depends_on = [cloudstack_network_acl_rule.k8s_wn01_ing20]
  project    = var.project_id
  rule {
    action       = "allow"
    cidr_list    = ["10.0.0.0/8"]
    protocol     = "tcp"
    ports        = ["443"]
    traffic_type = "ingress"
  }
}

```

I think I don't need any more ACLs, because data-server. is mapped to an IP
address that is internal to every isolated subnet. (Caveat: only ingress rules
are listed above; whether a guest in the tier can reach that address also
depends on the ACL's egress and default rules, which are not shown here.)


GitHub link: 
https://github.com/apache/cloudstack/discussions/11879#discussioncomment-14747412
