Posted to users@cloudstack.apache.org by ch...@zv.fraunhofer.de on 2015/09/09 01:08:02 UTC

extended ACLs for VPC with VPC router

Hi,

while fiddling around with CloudStack and a zone with advanced networking, I noticed that in a VPC I can only create ACLs which are, in Cisco terminology, standard ACLs. Meaning, the rules always apply to the whole tier/network. E.g. an ingress rule allowing TCP/22 from CIDR 0.0.0.0/0 will always allow SSH traffic to all VMs in the tier, or an egress rule limiting traffic to a certain destination CIDR limits the traffic for all VMs in that tier.

However, what I'd like to implement is an extended ACL (in Cisco terminology) that also allows for specifying the source and destination IPs and ports. For example, an ingress rule that allows only SSH to a certain VM in a VPC tier, or a rule allowing specific traffic between two VMs in two different tiers in the VPC, like I could do with basic iptables.

Any ideas how to realize such a setup?

I know that I could realize this for traffic coming from the outside by using static NAT and the firewall of the VirtualRouter, but then I do not have the VPC feature, for which the VirtualRouter unfortunately does not support firewalling but only (simple) ACLs.


Cheers, Christian
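To make the difference between the two ACL styles in the question concrete, the following is an added example, not code from the poster or from CloudStack's virtual router. It models a first-match packet filter and evaluates the same constructed flows against a standard ACL (destination can only be the whole tier CIDR, as the VPC network ACL allows) and an extended ACL (source and destination narrowed to single hosts, as an iptables rule can be). The tier CIDRs and VM addresses (10.1.1.0/24, 10.1.2.0/24, 10.1.1.10, 10.1.1.20, 10.1.2.30) and the external client 203.0.113.5 are assumed values chosen for the illustration.

```python
"""Constructed packet-filter model illustrating standard vs. extended ACLs.

This is illustrative code only; it is not CloudStack's ACL implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"       # source CIDR
    dst: str = "0.0.0.0/0"       # destination CIDR; a standard ACL can only set this to the whole tier
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, flow: Flow) -> bool:
        """Return True when every field of the rule matches the flow."""
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; otherwise fall through to the default action."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Assumed addressing for the illustration (not from the original post).
TIER_A = "10.1.1.0/24"   # tier that should expose SSH on exactly one VM
TIER_B = "10.1.2.0/24"   # tier holding a database VM
BASTION = "10.1.1.10"    # the only VM in tier A that should accept SSH
WEB = "10.1.1.20"        # another VM in tier A
DB = "10.1.2.30"         # database VM in tier B

# Standard ACL: the destination is implicitly the whole tier, so the
# SSH rule necessarily reaches every VM in 10.1.1.0/24.
STANDARD_ACL = [
    Rule("allow", "tcp", src="0.0.0.0/0", dst=TIER_A, dport=22),
]

# Extended ACL: source and destination can both be narrowed to single hosts,
# which is what the question asks for (SSH to one VM, one app-to-DB path).
EXTENDED_ACL = [
    Rule("allow", "tcp", src="0.0.0.0/0", dst=BASTION + "/32", dport=22),
    Rule("allow", "tcp", src=BASTION + "/32", dst=DB + "/32", dport=3306),
]


def standard_decision(flow: Flow) -> str:
    """Decision of the tier-wide (standard) ACL for a flow."""
    return evaluate(STANDARD_ACL, flow)


def extended_decision(flow: Flow) -> str:
    """Decision of the host-specific (extended) ACL for a flow."""
    return evaluate(EXTENDED_ACL, flow)


if __name__ == "__main__":
    sample_flows = {
        "ssh to bastion": Flow("203.0.113.5", BASTION, "tcp", 22),
        "ssh to web": Flow("203.0.113.5", WEB, "tcp", 22),
        "bastion to db": Flow(BASTION, DB, "tcp", 3306),
        "web to db": Flow(WEB, DB, "tcp", 3306),
    }
    for name, flow in sample_flows.items():
        print(f"{name:15} standard={standard_decision(flow):5} "
              f"extended={extended_decision(flow)}")
```

Running the block shows the point of the question: the standard ACL allows SSH to both tier-A VMs, while the extended ACL allows it only to the bastion and additionally permits just the bastion-to-database path between tiers.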