Thanks Christopher for the feedback. Just wanted to confirm I wasn't missing an option somewhere. :-)

On Jan 6, 2016 6:50 PM, "Christopher Falk" <[email protected]> wrote:

> Hi Geoffrey,
>
> I asked a similar question a while back. You are correct - ACLs can be
> applied only to tiers in a VPC, and all rules apply to all *destination* IP
> addresses in the VPC. Of course any server without a static NAT will not
> receive traffic.
>
> If you want to open only port 25 to a mail server and only port 443 to a
> web server, they either need to be in different tiers or you need to use
> firewalls on the VM end to block the unwanted ports.
>
> The design of the tiers seems intended for a traditional web app with
> front end web servers, an app server tier, and a DB tier. It expects tiers
> to be used mostly for servers with similar firewalling requirements.
>
> What would make this much easier would be to provide both source and
> destination options in the ACL so that traffic could be limited to a
> specific destination IP address in the VPC. It could even be done by
> providing a drop-down of existing static NATs configured at the time of the
> ACL edit.
>
> Coming from a network administration background I would expect to see ACLs
> in VPCs work like a firewall normally does - source and destination IP and
> port. The current model of source, port and ingress/egress with the implied
> destination of the entire tier is a security risk in most actual use cases
> where an administrator doesn't want certain ports to be exposed for all the
> VMs in a tier.
>
> c
>
> ------------------------------
> *From: *"Geoffrey Corey" <[email protected]>
> *To: *"Erik Weber" <[email protected]>
> *Cc: *[email protected]
> *Sent: *Wednesday, January 6, 2016 6:03:02 PM
> *Subject: *Re: Network ACL granularity
>
> So we have a vpc, and we are trying to carve it up.
>
> Ideally, we'd have an IP range for just "infrastructure" related vms, like
> MXs, LDAP, etc. We want to be able to apply an ACL specifically to the MXs
> where only smtp and ssh (and possibly ping) are allowed into that VM, and
> similar for ldap, etc, and have the ability to select these ACLs on a per-vm
> basis (similar to how AWS allows this for network ACLs).
>
> Right now, from what I can tell in the UI, we'd have to carve up, so to
> speak, that "infrastructure" ip range into smaller networks in order to
> apply these service related network acls.
>
> (Hope I was able to word that correctly)
>
> On Wed, Jan 6, 2016 at 2:55 PM, Erik Weber <[email protected]> wrote:
>
> > Can't answer your question, but to help out with ideas; are you mostly
> > looking for ingress, egress or both?
> >
> > Also, is it primarily north-south traffic you want to isolate per vm or
> > east-west as well?
> >
> > --
> >
> > Erik
> >
> >
> > On Monday 4 January 2016, Geoffrey Corey <[email protected]> wrote
> > the following:
> >
> >> What is the lowest granularity level that a network ACL can be applied?
> >>
> >> We would like to be able to apply a network ACL on a per-vm basis, but
> >> initial investigation points to only being able to apply it to a network
> >> tier.
> >>
> >> Also, if a network acl can be applied on a per-vm basis, how can that be
> >> accomplished?
> >>
> >> Thanks
> >>
> >> ----
> >> Geoff Corey
> >> Apache Infrastructure
> >>
> >
>
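The exposure Christopher describes above (a tier ACL rule names a source CIDR, a port range and a direction, and the destination is implicitly every VM in the tier with a public IP) and his two workarounds (separate tiers, or a firewall on each VM) are easy to reason about with a small model. The block below is an added example written for this page; it is not CloudStack code and not from anyone in the thread. The rule list `INFRA_TIER_ACL`, the VM addresses `10.1.1.10` (MX) and `10.1.1.20` (web), the probe sources, the first-match-by-number evaluation with a default of deny, and the `HOST_FIREWALL` allow sets are all assumptions made for illustration; the point it shows is that with the tier ACL alone the MX answers on 443 and the web server on 25, and that only the per-VM filter (rendered here as iptables INPUT rules) narrows each VM back to its own service.

```python
"""Model of the CloudStack VPC network ACL semantics discussed in the thread.

Added example, not CloudStack's own code. A tier ACL rule is evaluated by
number; its CIDR is the *source* for ingress (destination for egress) and the
destination is implicitly every VM in the tier. All addresses, rule numbers
and the default-deny fallback below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import ipaddress


@dataclass(frozen=True)
class AclRule:
    number: int                        # evaluation order, lowest first
    traffic: str                       # "ingress" or "egress"
    protocol: str                      # "tcp", "udp", "icmp" or "all"
    cidr: str                          # source CIDR (ingress) / destination CIDR (egress)
    ports: Optional[Tuple[int, int]]   # inclusive port range; None for icmp/all
    action: str                        # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dport: Optional[int]


def tier_acl_verdict(rules: List[AclRule], pkt: Packet,
                     direction: str = "ingress", default: str = "deny") -> str:
    """First matching rule wins; if nothing matches, fall through to `default`.

    Note what is *not* checked for ingress: pkt.dst. Every VM in the tier that
    has a static NAT receives whatever the rule allows.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.traffic != direction:
            continue
        if rule.protocol not in ("all", pkt.protocol):
            continue
        peer = pkt.src if direction == "ingress" else pkt.dst
        if ipaddress.ip_address(peer) not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol in ("tcp", "udp") and rule.ports is not None:
            lo, hi = rule.ports
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                continue
        return rule.action
    return default


# Per-VM allow sets standing in for "firewalls on the VM end" (assumed values):
# (protocol, destination port); port is None for icmp.
HostAllow = Dict[str, Set[Tuple[str, Optional[int]]]]

HOST_FIREWALL: HostAllow = {
    "10.1.1.10": {("tcp", 25), ("tcp", 22), ("icmp", None)},   # MX: smtp, ssh, ping
    "10.1.1.20": {("tcp", 443), ("tcp", 22), ("icmp", None)},  # web: https, ssh, ping
}


def effective_verdict(rules: List[AclRule], host_allow: HostAllow, pkt: Packet) -> str:
    """Tier ACL first, then the destination VM's own firewall (if it has one)."""
    if tier_acl_verdict(rules, pkt) == "deny":
        return "deny"
    allowed = host_allow.get(pkt.dst)
    if allowed is None:          # no host firewall: the tier ACL is all there is
        return "allow"
    key = (pkt.protocol, pkt.dport if pkt.protocol in ("tcp", "udp") else None)
    return "allow" if key in allowed else "deny"


def exposed_tcp_ports(rules: List[AclRule], vm_ip: str, probe_src: str = "203.0.113.5",
                      host_allow: Optional[HostAllow] = None,
                      probe_ports: Tuple[int, ...] = (22, 25, 443)) -> List[int]:
    """TCP ports on vm_ip that probe_src reaches through the tier ACL (and host firewall)."""
    host_allow = host_allow or {}
    return [p for p in probe_ports
            if effective_verdict(rules, host_allow, Packet(probe_src, vm_ip, "tcp", p)) == "allow"]


def iptables_for(allowed: Set[Tuple[str, Optional[int]]]) -> List[str]:
    """Render one VM's allow set as an iptables INPUT policy (the host-side workaround)."""
    cmds = ["iptables -P INPUT DROP",
            "iptables -A INPUT -i lo -j ACCEPT",
            "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for proto, port in sorted(allowed, key=lambda k: (k[0], k[1] or 0)):
        if port is None:
            cmds.append(f"iptables -A INPUT -p {proto} -j ACCEPT")
        else:
            cmds.append(f"iptables -A INPUT -p {proto} --dport {port} -j ACCEPT")
    return cmds


# Assumed tier ACL for an "infrastructure" tier holding both the MX and a web VM.
INFRA_TIER_ACL = [
    AclRule(10, "ingress", "tcp", "198.51.100.0/24", (25, 25), "deny"),   # block one abusive /24
    AclRule(20, "ingress", "tcp", "0.0.0.0/0", (25, 25), "allow"),        # SMTP, meant for the MX only
    AclRule(30, "ingress", "tcp", "0.0.0.0/0", (443, 443), "allow"),      # HTTPS, meant for the web VM only
    AclRule(40, "ingress", "tcp", "192.0.2.0/24", (22, 22), "allow"),     # SSH from the admin network
    AclRule(50, "ingress", "icmp", "0.0.0.0/0", None, "allow"),           # ping
]

if __name__ == "__main__":
    for vm in ("10.1.1.10", "10.1.1.20"):
        print(vm, "tier ACL only:", exposed_tcp_ports(INFRA_TIER_ACL, vm),
              "| with host firewall:", exposed_tcp_ports(INFRA_TIER_ACL, vm, host_allow=HOST_FIREWALL))
    print("\n".join(iptables_for(HOST_FIREWALL["10.1.1.10"])))
```

Run stand-alone it prints `[25, 443]` for both VMs with the tier ACL alone and `[25]` / `[443]` once the host firewalls are applied. The same model also shows why rule order matters: the deny for `198.51.100.0/24` only works because its number is lower than the broad SMTP allow. Splitting the MX and the web VM into two tiers, each with its own ACL list, would reach the same result without the host firewall, at the cost of the extra networks Geoffrey mentions.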
