weizhouapache commented on a change in pull request #247:
URL: https://github.com/apache/cloudstack-documentation/pull/247#discussion_r725897877



##########
File path: source/adminguide/networking/virtual_private_cloud_config.rst
##########
@@ -328,6 +316,29 @@ Rule  Protocol Traffic type Action CIDR
 2     All      Egress       Deny   0.0.0.0/0
 ===== ======== ============ ====== =========
 
+Each Network ACL is associated with a VPC and can be assigned
+to multiple VPC tiers. Every tier needs to be associated with a
+Network ACL. Only one ACL can be associated with a tier at a time. If no
+custome network ACL is availeable at the time of tier creation, adefault
+Network ACL has to be used instead. Curretly two default ACL are
+availeable. The "default_allow" ACL allows in- and egress traffic while
+the "default_deny" blocks all in- and egress traffic. Default network
+ACL cannot be removed or modified. Newly created ACLs, while showing
+empty, deny all incoming traffic to the associated tier and allow all
+outgoing traffic. To change the defaults add a "deny all egress 
+destination" and / or "allow all ingress source" rule to the ACL. 
+Afterwards traffic can be white- or blacklisted.
+
+.. note::
+- ACL Rules in Cloudstack are stateful
+- Source / Destination CIDRs are always external networks
+- ACL rules can also beeen seen on the virtual router of the VPC. Ingress 
+  rules are listed in the table iptables table "filter" while egress rules
+  are placed in the "mangle" table
+- ACL rules for ingress and egress are not correlating. For exampel a
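
Review bot: the ".. note::" directive added in this hunk has no indented body; the "- ACL Rules in Cloudstack are stateful" bullets that follow start in column 0, so docutils reports "Content block expected for the "note" directive; none found" and renders the list as ordinary body text outside the admonition. Indent the four bullets by three spaces under ".. note::". While there, drop the duplicated word in "listed in the table iptables table "filter"" and change "can also beeen seen" to "can also be seen". One point of substance in the preceding paragraph: the catch-all rules suggested in "add a "deny all egress destination" and / or "allow all ingress source" rule to the ACL" only behave as described if they carry the highest rule number, because the other hunk states that rules are processed starting with the lowest numbered one; a catch-all numbered 1 shadows every more specific rule added after it, so say where in the order it belongs. Trailing whitespace after "deny all egress " and "to the ACL. " should also go.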

Review comment:
       typo: example

##########
File path: source/adminguide/networking/virtual_private_cloud_config.rst
##########
@@ -290,34 +290,22 @@ other tiers within the VPC.
 Configuring Network Access Control List
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Define Network Access Control List (ACL) on the VPC virtual router to
-control incoming (ingress) and outgoing (egress) traffic between the VPC
-tiers, and the tiers and Internet. By default, all incoming traffic to
-the guest networks is blocked and all outgoing traffic from guest
-networks is allowed, once you add an ACL rule for outgoing traffic, then
-only outgoing traffic specified in this ACL rule is allowed, the rest is
-blocked. To open the ports, you must create a new network ACL. The
-network ACLs can be created for the tiers only if the NetworkACL service
-is supported.
+.. note::
+Network Access Control Lists can only be created if the service
+"NetworkACL" is supported by the created VPC.
 
+Define a Network Access Control List (ACL) to control incoming
+(ingress) and outgoing (egress) traffic between the associated tier
+and external networks (other tiers of the VPC as well as public networks).
 
 About Network ACL Lists
 ^^^^^^^^^^^^^^^^^^^^^^^
 
-In CloudStack terminology, Network ACL is a group of Network ACL items.
-Network ACL items are nothing but numbered rules that are evaluated in
-order, starting with the lowest numbered rule. These rules determine
-whether traffic is allowed in or out of any tier associated with the
-network ACL. You need to add the Network ACL items to the Network ACL,
-then associate the Network ACL with a tier. Network ACL is associated
-with a VPC and can be assigned to multiple VPC tiers within a VPC. A
-Tier is associated with a Network ACL at all the times. Each tier can be
-associated with only one ACL.
-
-The default Network ACL is used when no ACL is associated. Default
-behavior is all the incoming traffic is blocked and outgoing traffic is
-allowed from the tiers. Default network ACL cannot be removed or
-modified. Contents of the default Network ACL is:
+In CloudStack terminology, a Network ACL is a group of Network ACL rules.
+Network ACL rules are processed by theire order, starting with the lowest
+numbered rule. Each rule defines at least a affected protocol, traffic type,
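
Review bot: the ".. note::" at the top of this hunk has the same problem: the two lines "Network Access Control Lists can only be created if the service / "NetworkACL" is supported by the created VPC." sit at column 0 directly under the directive, so Sphinx emits a "Content block expected" error and the text is rendered as a plain paragraph rather than a note. Indent those two lines by three spaces. The phrase "supported by the created VPC" is also vague about what decides this; if it is the VPC offering that has to include the NetworkACL service, say so, because that is what the reader must check when ACL creation is refused.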

Review comment:
       a -> an

##########
File path: source/adminguide/networking/virtual_private_cloud_config.rst
##########
@@ -328,6 +316,29 @@ Rule  Protocol Traffic type Action CIDR
 2     All      Egress       Deny   0.0.0.0/0
 ===== ======== ============ ====== =========
 
+Each Network ACL is associated with a VPC and can be assigned
+to multiple VPC tiers. Every tier needs to be associated with a
+Network ACL. Only one ACL can be associated with a tier at a time. If no
+custome network ACL is availeable at the time of tier creation, adefault
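
Review bot: "custome network ACL" on the last line of this hunk should be "custom network ACL".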

Review comment:
       adefault -> a default

##########
File path: source/adminguide/networking/virtual_private_cloud_config.rst
##########
@@ -290,34 +290,22 @@ other tiers within the VPC.
 Configuring Network Access Control List
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Define Network Access Control List (ACL) on the VPC virtual router to
-control incoming (ingress) and outgoing (egress) traffic between the VPC
-tiers, and the tiers and Internet. By default, all incoming traffic to
-the guest networks is blocked and all outgoing traffic from guest
-networks is allowed, once you add an ACL rule for outgoing traffic, then
-only outgoing traffic specified in this ACL rule is allowed, the rest is
-blocked. To open the ports, you must create a new network ACL. The
-network ACLs can be created for the tiers only if the NetworkACL service
-is supported.
+.. note::
+Network Access Control Lists can only be created if the service
+"NetworkACL" is supported by the created VPC.
 
+Define a Network Access Control List (ACL) to control incoming
+(ingress) and outgoing (egress) traffic between the associated tier
+and external networks (other tiers of the VPC as well as public networks).
 
 About Network ACL Lists
 ^^^^^^^^^^^^^^^^^^^^^^^
 
-In CloudStack terminology, Network ACL is a group of Network ACL items.
-Network ACL items are nothing but numbered rules that are evaluated in
-order, starting with the lowest numbered rule. These rules determine
-whether traffic is allowed in or out of any tier associated with the
-network ACL. You need to add the Network ACL items to the Network ACL,
-then associate the Network ACL with a tier. Network ACL is associated
-with a VPC and can be assigned to multiple VPC tiers within a VPC. A
-Tier is associated with a Network ACL at all the times. Each tier can be
-associated with only one ACL.
-
-The default Network ACL is used when no ACL is associated. Default
-behavior is all the incoming traffic is blocked and outgoing traffic is
-allowed from the tiers. Default network ACL cannot be removed or
-modified. Contents of the default Network ACL is:
+In CloudStack terminology, a Network ACL is a group of Network ACL rules.
+Network ACL rules are processed by theire order, starting with the lowest
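
Review bot: the removed paragraph said the ACL is defined "on the VPC virtual router"; the replacement "Define a Network Access Control List (ACL) to control incoming (ingress) and outgoing (egress) traffic between the associated tier and external networks" drops that, and it is the only place the reader learns where the rules are actually enforced. Keep "on the VPC virtual router" in the new wording, since the later note about iptables tables on the router makes little sense without it.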

Review comment:
       typo: their

##########
File path: source/adminguide/networking/virtual_private_cloud_config.rst
##########
@@ -328,6 +316,29 @@ Rule  Protocol Traffic type Action CIDR
 2     All      Egress       Deny   0.0.0.0/0
 ===== ======== ============ ====== =========
 
+Each Network ACL is associated with a VPC and can be assigned
+to multiple VPC tiers. Every tier needs to be associated with a
+Network ACL. Only one ACL can be associated with a tier at a time. If no
+custome network ACL is availeable at the time of tier creation, adefault
+Network ACL has to be used instead. Curretly two default ACL are
+availeable. The "default_allow" ACL allows in- and egress traffic while
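
Review bot: "Curretly two default ACL are" should read "Currently two default ACLs are", and "in- and egress traffic" is clearer spelled out as "ingress and egress traffic" (the same abbreviation recurs on the next line for "default_deny").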

Review comment:
       availeable -> available

##########
File path: source/adminguide/networking/virtual_private_cloud_config.rst
##########
@@ -328,6 +316,29 @@ Rule  Protocol Traffic type Action CIDR
 2     All      Egress       Deny   0.0.0.0/0
 ===== ======== ============ ====== =========
 
+Each Network ACL is associated with a VPC and can be assigned
+to multiple VPC tiers. Every tier needs to be associated with a
+Network ACL. Only one ACL can be associated with a tier at a time. If no
+custome network ACL is availeable at the time of tier creation, adefault
+Network ACL has to be used instead. Curretly two default ACL are
+availeable. The "default_allow" ACL allows in- and egress traffic while
+the "default_deny" blocks all in- and egress traffic. Default network
+ACL cannot be removed or modified. Newly created ACLs, while showing
+empty, deny all incoming traffic to the associated tier and allow all
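
Review bot: "Default network ACL cannot be removed or modified" should be plural ("Default network ACLs") now that the paragraph introduces two of them. More important, the sentence "Newly created ACLs, while showing empty, deny all incoming traffic to the associated tier and allow all outgoing traffic" describes a different posture from "default_deny", which the same paragraph says "blocks all in- and egress traffic"; state explicitly that moving a tier from default_deny to a freshly created ACL opens all egress until a deny rule is added, because that is the change an operator is most likely to miss.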

Review comment:
       sounds good.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

