Hi Geoffrey, 

I asked a similar question a while back. You are correct - ACLs can be applied 
only to tiers in a VPC, and all rules apply to all *destination* IP addresses 
in the VPC. Of course any server without a static NAT will not receive traffic. 

If you want to open only port 25 to a mail server and only port 443 to a web 
server, they either need to be in different tiers or you need to use firewalls 
on the VM end to block the unwanted ports. 

The design of the tiers seems intended for a traditional web app with front end 
web servers, an app server tier, and a DB tier. It expects tiers to be used 
mostly for servers with similar firewalling requirements. 

What would make this much easier would be to provide both source and 
destination options in the ACL so that traffic could be limited to a specific 
destination IP address in the VPC. It could even be done by providing a 
drop-down of existing static NATs configured at the time of the ACL edit. 

Coming from a network administration background I would expect to see ACLs in 
VPCs work like a firewall normally does - source and destination IP and port. 
The current model of source, port and ingress/egress with the implied 
destination of the entire tier is a security risk in most actual use cases 
where an administrator doesn't want certain ports to be exposed for all the VMs 
in a tier. 

c 
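To make the tier-wide exposure described above concrete, here is a small audit model added to this thread (it is not code from the original mail or from CloudStack). It assumes simplified ACL semantics, labelled in the comments: rules in a tier's ACL list are evaluated in order, first match wins, no match means deny, and a VM without a static NAT receives no inbound traffic. The tiers, VMs and rules are constructed sample data. It shows that a single "infrastructure" tier exposes every allowed port on every NATed VM regardless of role, and that splitting the VMs into one tier per service removes the unwanted exposure.

```python
"""Audit model of VPC tier ACLs: a rule in a tier's ACL list applies to
every VM in that tier that is reachable from outside (has a static NAT).
Assumed simplified semantics (an assumption of this example, not CloudStack's
exact implementation): rules are evaluated in list order, first match wins,
and no matching rule means deny. All VMs, tiers and rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    action: str              # "allow" or "deny"
    protocol: str            # "tcp", "udp", "icmp"
    start_port: int
    end_port: int
    traffic: str = "ingress"  # "ingress" or "egress"


@dataclass(frozen=True)
class Vm:
    name: str
    tier: str
    static_nat: bool
    wanted_ports: frozenset   # TCP ports this VM's role is meant to expose


def port_allowed(rules, port, protocol="tcp", traffic="ingress"):
    """First matching rule decides; no match is a deny (assumed default)."""
    for r in rules:
        if (r.traffic == traffic and r.protocol == protocol
                and r.start_port <= port <= r.end_port):
            return r.action == "allow"
    return False


def exposed_ports(vm, tier_acls, candidate_ports):
    """Ports reachable from outside on this VM under its tier's ACL list.
    A VM without a static NAT receives no inbound traffic at all."""
    if not vm.static_nat:
        return frozenset()
    rules = tier_acls[vm.tier]
    return frozenset(p for p in candidate_ports if port_allowed(rules, p))


def audit(vms, tier_acls, candidate_ports):
    """Return {vm name: ports exposed that the VM's role does not want}."""
    findings = {}
    for vm in vms:
        unwanted = exposed_ports(vm, tier_acls, candidate_ports) - vm.wanted_ports
        if unwanted:
            findings[vm.name] = unwanted
    return findings


# Constructed example: one "infra" tier holding MX, LDAP and web servers.
SERVICE_PORTS = (22, 25, 389, 443)

SHARED_TIER_ACLS = {
    "infra": [
        AclRule("allow", "tcp", 22, 22),
        AclRule("allow", "tcp", 25, 25),
        AclRule("allow", "tcp", 389, 389),
        AclRule("allow", "tcp", 443, 443),
    ],
}
SHARED_VMS = [
    Vm("mx1",   "infra", True,  frozenset({22, 25})),
    Vm("ldap1", "infra", True,  frozenset({22, 389})),
    Vm("web1",  "infra", True,  frozenset({22, 443})),
    Vm("db1",   "infra", False, frozenset()),   # no static NAT: unreachable
]

# The same VMs split into one tier per service, each with its own ACL list.
SPLIT_TIER_ACLS = {
    "mx":   [AclRule("allow", "tcp", 22, 22), AclRule("allow", "tcp", 25, 25)],
    "ldap": [AclRule("allow", "tcp", 22, 22), AclRule("allow", "tcp", 389, 389)],
    "web":  [AclRule("allow", "tcp", 22, 22), AclRule("allow", "tcp", 443, 443)],
}
SPLIT_VMS = [
    Vm("mx1",   "mx",   True,  frozenset({22, 25})),
    Vm("ldap1", "ldap", True,  frozenset({22, 389})),
    Vm("web1",  "web",  True,  frozenset({22, 443})),
    Vm("db1",   "ldap", False, frozenset()),
]


def shared_tier_findings():
    return audit(SHARED_VMS, SHARED_TIER_ACLS, SERVICE_PORTS)


def split_tier_findings():
    return audit(SPLIT_VMS, SPLIT_TIER_ACLS, SERVICE_PORTS)


if __name__ == "__main__":
    for label, f in (("shared tier", shared_tier_findings()),
                     ("per-service tiers", split_tier_findings())):
        print(label, "->", {k: sorted(v) for k, v in f.items()} or "no unwanted exposure")
```

Running it reports the mail server reachable on 389 and 443, the LDAP server on 25 and 443 and the web server on 25 and 389 in the shared tier, and nothing unwanted once each service has its own tier and ACL list; the same check applied to a real tier inventory is a quick way to spot which VMs inherit ports they never needed.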


From: "Geoffrey Corey" <[email protected]> 
To: "Erik Weber" <[email protected]> 
Cc: [email protected] 
Sent: Wednesday, January 6, 2016 6:03:02 PM 
Subject: Re: Network ACL granularity 

So we have a vpc, and we are trying to carve it up. 

Ideally, we'd have an IP range for just "infrastructure" related vms, like 
MXs, LDAP, etc. We want to be able to apply an ACL specifically to the MXs 
where only smtp and ssh (and possibly ping) are allowed into that VM, and 
similar for ldap, etc, and have the ability to select these ACLs on a per-vm 
basis (similar to how AWS allows this for network ACLs). 

Right now, from what I can tell in the UI, we'd have to carve up, so to 
speak, that "infrastructure" ip range into smaller networks in order to 
apply these service related network acls 

(Hope I was able to word that correctly) 

On Wed, Jan 6, 2016 at 2:55 PM, Erik Weber <[email protected]> wrote: 

> Can't answer your question, but to help out with ideas; are you mostly 
> looking for ingress, egress or both? 
> 
> Also, is it primarily north-south traffic you want to isolate per vm or 
> east-west as well? 
> 
> -- 
> 
> Erik 
> 
> 
> On Monday, January 4, 2016, Geoffrey Corey <[email protected]> 
> wrote: 
> 
>> What is the lowest granularity level that a network ACL can be applied? 
>> 
>> We would like to be able to apply a network ACL on a per-vm basis, but 
>> initial investigation points to only being able to apply it to a network 
>> tier. 
>> 
>> Also, if a network acl can be applied on a per-vm basis, how can that be 
>> accomplished? 
>> 
>> Thanks 
>> 
>> ---- 
>> Geoff Corey 
>> Apache Infrastructure 
>> 
> 
