Posted to commits@cloudstack.apache.org by nv...@apache.org on 2022/04/21 12:25:40 UTC

[cloudstack-documentation] branch main updated: Additional information and restructurizing II (#249)

This is an automated email from the ASF dual-hosted git repository.

nvazquez pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack-documentation.git


The following commit(s) were added to refs/heads/main by this push:
     new 2bd9446   Additional information and restructurizing II (#249)
2bd9446 is described below

commit 2bd9446444a08e85c70d55992c82625e1ced6fbd
Author: Hudratronium <79...@users.noreply.github.com>
AuthorDate: Thu Apr 21 14:25:34 2022 +0200

     Additional information and restructurizing II (#249)
    
    * Update virtual_private_cloud_config.rst
    
    * Update virtual_private_cloud_config.rst
    
    * Update virtual_private_cloud_config.rst
    
    Updated and restructurized text with some more information regarding ACL
    
    * Update virtual_private_cloud_config.rst
    
    squash typos
---
 .../networking/virtual_private_cloud_config.rst    | 57 +++++++++++++---------
 1 file changed, 34 insertions(+), 23 deletions(-)

diff --git a/source/adminguide/networking/virtual_private_cloud_config.rst b/source/adminguide/networking/virtual_private_cloud_config.rst
index dc37d2f..db799e7 100644
--- a/source/adminguide/networking/virtual_private_cloud_config.rst
+++ b/source/adminguide/networking/virtual_private_cloud_config.rst
@@ -290,34 +290,22 @@ other tiers within the VPC.
 Configuring Network Access Control List
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Define Network Access Control List (ACL) on the VPC virtual router to
-control incoming (ingress) and outgoing (egress) traffic between the VPC
-tiers, and the tiers and Internet. By default, all incoming traffic to
-the guest networks is blocked and all outgoing traffic from guest
-networks is allowed, once you add an ACL rule for outgoing traffic, then
-only outgoing traffic specified in this ACL rule is allowed, the rest is
-blocked. To open the ports, you must create a new network ACL. The
-network ACLs can be created for the tiers only if the NetworkACL service
-is supported.
+.. note::
+Network Access Control Lists can only be created if the service
+"NetworkACL" is supported by the created VPC.
 
+Define a Network Access Control List (ACL) to control incoming
+(ingress) and outgoing (egress) traffic between the associated tier
+and external networks (other tiers of the VPC as well as public networks).
 
 About Network ACL Lists
 ^^^^^^^^^^^^^^^^^^^^^^^
 
-In CloudStack terminology, Network ACL is a group of Network ACL items.
-Network ACL items are nothing but numbered rules that are evaluated in
-order, starting with the lowest numbered rule. These rules determine
-whether traffic is allowed in or out of any tier associated with the
-network ACL. You need to add the Network ACL items to the Network ACL,
-then associate the Network ACL with a tier. Network ACL is associated
-with a VPC and can be assigned to multiple VPC tiers within a VPC. A
-Tier is associated with a Network ACL at all the times. Each tier can be
-associated with only one ACL.
-
-The default Network ACL is used when no ACL is associated. Default
-behavior is all the incoming traffic is blocked and outgoing traffic is
-allowed from the tiers. Default network ACL cannot be removed or
-modified. Contents of the default Network ACL is:
+In CloudStack terminology, a Network ACL is a group of Network ACL rules.
+Network ACL rules are processed by their order, starting with the lowest
+numbered rule. Each rule defines at least an affected protocol, traffic type,
+action and afected destination / source network. The following table shows a
+exemplary content of a "default_deny" ACL.
 
 .. cssclass:: table-striped table-bordered table-hover
 
@@ -328,6 +316,29 @@ Rule  Protocol Traffic type Action CIDR
 2     All      Egress       Deny   0.0.0.0/0
 ===== ======== ============ ====== =========
 
+Each Network ACL is associated with a VPC and can be assigned
+to multiple VPC tiers. Every tier needs to be associated with a
+Network ACL. Only one ACL can be associated with a tier at a time. If no
+custome network ACL is availeable at the time of tier creation, a default
+Network ACL has to be used instead. Curretly two default ACL are
+available. The "default_allow" ACL allows in- and egress traffic while
+the "default_deny" blocks all in- and egress traffic. Default network
+ACL cannot be removed or modified. Newly created ACLs, while showing
+empty, deny all incoming traffic to the associated tier and allow all
+outgoing traffic. To change the defaults add a "deny all egress 
+destination" and / or "allow all ingress source" rule to the ACL. 
+Afterwards traffic can be white- or blacklisted.
+
+.. note::
+- ACL Rules in Cloudstack are stateful
+- Source / Destination CIDRs are always external networks
+- ACL rules can also beeen seen on the virtual router of the VPC. Ingress 
+  rules are listed in the table iptables table "filter" while egress rules
+  are placed in the "mangle" table
+- ACL rules for ingress and egress are not correlating. For example a
+  egress "deny all" won't affect traffic in response to an allowed ingress
+  connection
+  
 
 Creating ACL Lists
 ^^^^^^^^^^^^^^^^^^
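Review bot: the `.. note::` block at the end of this hunk has the same problem as the earlier one: the bullet list is not indented under `.. note::`, so it is not rendered as a note and Sphinx emits the "Content block expected" error; indent the list by three spaces. Spelling and grammar in the new paragraph: "custome" -> "custom", "availeable" -> "available", "Curretly" -> "Currently", "two default ACL" -> "two default ACLs", "beeen seen" -> "be seen", and "listed in the table iptables table "filter"" repeats "table". The lines ending in "egress " and "ACL. " and the whitespace-only line before the closing context carry trailing spaces, which will be flagged by most linters. The last bullet would be clearer if it stated the reason it gives for ingress and egress not correlating, namely that because the rules are stateful (first bullet), reply traffic of an allowed ingress connection is not evaluated against the egress rules.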