Posted to users@cloudstack.apache.org by Pratik Chandrakar <ch...@gmail.com> on 2023/05/17 05:58:15 UTC
Managing Security between account in Advanced Zone without SG
Hi all,
Curious to know how others are managing isolation between VMs of different
accounts in the Advanced Zone without SG deployment, as most users opt for
default_allow policy for their VPC. Because of default_allow policy all
ports are opened between public ip (static nat) irrespective of VLAN used
in VPC. Is there any option to remove default_allow policy for VPC so that
it can't be selected or any other method available?
Please advise
--
*Regards,*
*Pratik Chandrakar*
Re: Managing Security between account in Advanced Zone without SG
Posted by Jithin Raju <ji...@shapeblue.com>.
Hi Pratik,
You probably want to create a new custom ACL list and add your own ACL rules. Go to the tier and replace the ‘default_allow’ ACL list with the new one.
-Jithin
From: Pratik Chandrakar <ch...@gmail.com>
Date: Wednesday, 17 May 2023 at 8:33 AM
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>
Subject: Re: Managing Security between account in Advanced Zone without SG
Hi Loges,
Thanks for the update.
--
*Regards,*
*Pratik Chandrakar*
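An audit for the situation discussed in this thread, added here as an example and not code from any poster or from the CloudStack project: it flags VPC tiers still bound to `default_allow`, or to a custom ACL list that contains an allow-all ingress rule. The sample records are constructed, and their field names (`aclid`, `vpcid`, `cidrlist`, `traffictype`, `action`) are assumed to match what listNetworks, listNetworkACLLists and listNetworkACLs return.

```python
import json

# Constructed sample records (all IDs made up), shaped like CloudStack API output.
ACL_LISTS = json.loads("""[
  {"id": "acl-allow", "name": "default_allow"},
  {"id": "acl-web", "name": "web-tier-acl", "vpcid": "vpc-1"},
  {"id": "acl-open", "name": "temp-acl", "vpcid": "vpc-2"}
]""")
ACL_RULES = json.loads("""[
  {"aclid": "acl-web", "protocol": "tcp", "startport": "443", "endport": "443",
   "cidrlist": "203.0.113.0/24", "traffictype": "Ingress", "action": "Allow"},
  {"aclid": "acl-open", "protocol": "all",
   "cidrlist": "0.0.0.0/0", "traffictype": "Ingress", "action": "Allow"}
]""")
NETWORKS = json.loads("""[
  {"name": "a-web", "account": "acct-a", "vpcid": "vpc-1", "aclid": "acl-web"},
  {"name": "b-app", "account": "acct-b", "vpcid": "vpc-2", "aclid": "acl-allow"},
  {"name": "b-db", "account": "acct-b", "vpcid": "vpc-2", "aclid": "acl-open"},
  {"name": "c-isolated", "account": "acct-c"}
]""")

def is_open_ingress(rule):
    """True for an ingress rule that allows every protocol from any source."""
    cidrs = [c.strip() for c in rule.get("cidrlist", "").split(",")]
    return (rule.get("action", "").lower() == "allow"
            and rule.get("traffictype", "").lower() == "ingress"
            and rule.get("protocol", "").lower() == "all"
            and "0.0.0.0/0" in cidrs)

def audit_tiers(networks, acl_lists, acl_rules):
    """Return (account, tier, reason) for every VPC tier with a wide-open ACL."""
    names = {a["id"]: a["name"] for a in acl_lists}
    open_lists = {r["aclid"] for r in acl_rules if is_open_ingress(r)}
    findings = []
    for net in networks:
        if not net.get("vpcid"):
            continue  # not a VPC tier, so no network ACL list applies
        aclid = net.get("aclid")
        if names.get(aclid) == "default_allow":
            findings.append((net["account"], net["name"], "default_allow attached"))
        elif aclid in open_lists:
            findings.append((net["account"], net["name"], "custom ACL allows all ingress"))
    return findings

if __name__ == "__main__":
    for account, tier, reason in audit_tiers(NETWORKS, ACL_LISTS, ACL_RULES):
        print(f"{account}/{tier}: {reason}")
```
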
Re: Managing Security between account in Advanced Zone without SG
Posted by Pratik Chandrakar <ch...@gmail.com>.
Hi Loges,
Thanks for the update.
On Wed, May 17, 2023 at 12:59 PM Logeswaran T
<lo...@assistanz.com.invalid> wrote:
> Hi Pratik,
>
> We now have a request open in CloudStack GitHub for a VPC ACL issue.
>
> https://github.com/apache/cloudstack/issues/7483
>
> The changes are tracked in this thread.
>
> Regards,
> Loges
> www.stackbill.com
--
*Regards,*
*Pratik Chandrakar*
Re: Managing Security between account in Advanced Zone without SG
Posted by Logeswaran T <lo...@assistanz.com.INVALID>.
Hi Pratik,
We now have a request open in CloudStack GitHub for a VPC ACL issue.
https://github.com/apache/cloudstack/issues/7483
The changes are tracked in this thread.
Regards,
Loges
www.stackbill.com
On Wed, May 17, 2023 at 11:28 AM Pratik Chandrakar <
chandrakarpratik@gmail.com> wrote:
> Hi all,
> Curious to know how others are managing isolation between VMs of different
> accounts in the Advanced Zone without SG deployment, as most users opt for
> default_allow policy for their VPC. Because of default_allow policy all
> ports are opened between public ip (static nat) irrespective of VLAN used
> in VPC. Is there any option to remove default_allow policy for VPC so that
> it can't be selected or any other method available?
> Please advise
>
> --
> *Regards,*
> *Pratik Chandrakar*
>
--
*This E-mail is confidential. It may also be legally privileged. If you
are not the addressee you may not copy, forward, disclose or use any part of
it. If you have received this message in error, please delete it and all copies
from your system and notify the sender immediately by return E-mail. Internet
communications cannot be guaranteed to be timely, secure, error or virus-free.
The sender does not accept liability for any errors or omissions*