
Support firewall rules on Public IP in VPC

Open btzq opened this issue 1 year ago • 6 comments

ISSUE TYPE
  • Improvement Request
COMPONENT NAME
Improvement Request (UI, Functionality)
CLOUDSTACK VERSION
4.19
CONFIGURATION

N/A

OS / ENVIRONMENT

N/A

SUMMARY

Note: This ticket is broken down as requested from the original post, https://github.com/apache/cloudstack/issues/8841

Support ACL on Public IP

  • According to Terraform docs, it seems that this is possible: https://registry.terraform.io/providers/cloudstack/cloudstack/latest/docs/resources/firewall
  • However, I can't seem to find this in the GUI. So in case this is not available in the GUI, I would like to request to make this available.
STEPS TO REPRODUCE

N/A

EXPECTED RESULTS
To be able to manage ACL Rules more easily for large scale projects
ACTUAL RESULTS
Challenging to use ACL rules for large scale projects.

btzq avatar Apr 01 '24 15:04 btzq

@btzq , if we implement #8864 , the firewall functionality will be supported by virtue of the private IPs. The user facing functionality will be somewhat different but the security features will be the same. A user wanting to set access lists into a VPC will have to know about its topology anyway. What do you think?

DaanHoogland avatar Apr 11 '24 09:04 DaanHoogland

@DaanHoogland when you mean topology, do you mean that the users will need to know the existence of the Virtual Router?

btzq avatar Apr 12 '24 02:04 btzq

@DaanHoogland when you mean topology, do you mean that the users will need to know the existence of the Virtual Router?

Yes, but mostly the mapping of private IPs to static NAT IPs and individual services mapped from other IPs to the backends. Bad example: public 10.10.10.10 - source NAT; public 10.10.10.11 - static NAT to private 10.11.12.10; public 10.10.10.12 - port 80 load balanced over 10.11.13.10 and 10.11.13.11; etc.

DaanHoogland avatar Apr 12 '24 08:04 DaanHoogland

Hmm, this is my opinion, but I think part of the beauty of having cloud is that the customer does not need to know the topology of the underlying cloud service/infra. If the customer needs to learn the existence of a router, it might complicate things for them and deter them from using the service.

btzq avatar Apr 12 '24 08:04 btzq

Not sure if this is the correct place to ask or not, but with my current issue of locking down a Load Balancer in a VPC network, I've run into issues where the VPC network ACL doesn't work for a Load Balancer, and I'm not sure what the expected behavior should be.

If I create or update the source CIDR of the LB rule, it will restrict based on the source CIDR; however, nothing in the VPC ACL will actually restrict access to my LB.

This is completely different behavior when it's a non-VPC. A non-VPC network will actually use the firewall correctly to restrict the access.

I believe the Load Balancer source CIDR itself should be the first line of defense and if it is set to (0.0.0.0/0 - default), then the firewall ( non-vpc ) or ACL ( VPC ) should be the next line of defense.

Any help in the direction this should go would be much appreciated.

I'm needing this to work for the cloudstack-kubernetes-provider so it can set the LB source CIDR on creation, as the creation of the ACLs is not working and just leaves things wide open based on the default source CIDR of the LB being open by default. @Pearl1594 It appears you last worked on this, and hopefully you can be of some help here.

CodeBleu avatar Jun 06 '25 22:06 CodeBleu

Not sure if this is the correct place to ask or not, but with my current issue of locking down a Load Balancer in a VPC network, I've run into issues where the VPC network ACL doesn't work for a Load Balancer, and I'm not sure what the expected behavior should be.

If I create or update the source CIDR of the LB rule, it will restrict based on the source CIDR; however, nothing in the VPC ACL will actually restrict access to my LB.

This is completely different behavior when it's a non-VPC. A non-VPC network will actually use the firewall correctly to restrict the access.

@CodeBleu you are right. It is a known issue that the network ACL does not apply to LB in VPC: https://github.com/apache/cloudstack/discussions/10507

I believe the Load Balancer source CIDR itself should be the first line of defense and if it is set to (0.0.0.0/0 - default), then the firewall ( non-vpc ) or ACL ( VPC ) should be the next line of defense.

Unfortunately, source CIDRs and network ACLs are configured inside the VR differently. There are no iptables rules for the source CIDRs of the LB, and there is no haproxy configuration for network ACLs either. You can refer to https://github.com/apache/cloudstack/pull/6460

Any help in the direction this should go would be much appreciated.

I'm needing this to work for the cloudstack-kubernetes-provider so it can set the LB source CIDR on creation, as the creation of the ACLs is not working and just leaves things wide open based on the default source CIDR of the LB being open by default. @Pearl1594 It appears you last worked on this, and hopefully you can be of some help here.

I'd like to see firewall rules support on Public IPs in VPC, similar to Public IPs in isolated networks. However, for now you have to configure the source CIDR for the LB.

weizhouapache avatar Jun 07 '25 07:06 weizhouapache
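Since, as the thread explains, the network ACL never reaches LB traffic in a VPC and the LB rule's own source CIDR is the only control that does, an operator can at least audit for LB rules left at the 0.0.0.0/0 default. The script below is an added example and not code from the thread or from CloudStack itself; it assumes the standard CloudStack API signing scheme (sorted, lowercased query string signed with HMAC-SHA1) and the `cidrlist` and `publicip` fields of the `listLoadBalancerRules` response, and the sample response embedded in it is constructed.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import urllib.parse
import urllib.request

WIDE_OPEN = ipaddress.ip_network("0.0.0.0/0")


def canonical_query(params: dict) -> str:
    """Sort by key, URL-encode, lowercase: the form CloudStack signs."""
    return "&".join(
        f"{k}={urllib.parse.quote(str(v), safe='*')}".lower()
        for k, v in sorted(params.items())
    )


def sign(params: dict, secret_key: str) -> str:
    """Base64(HMAC-SHA1(secret, canonical query)), the CloudStack API signature."""
    mac = hmac.new(secret_key.encode(), canonical_query(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def wide_open_lb_rules(lb_response: dict) -> list:
    """Return (name, public IP, cidrlist) for rules that admit any source.

    cidrlist is a comma-separated string; an absent/empty list means open."""
    flagged = []
    for rule in lb_response.get("loadbalancerrule", []):
        raw = rule.get("cidrlist", "") or ""
        cidrs = [c.strip() for c in raw.split(",") if c.strip()]
        if not cidrs or any(ipaddress.ip_network(c, strict=False) == WIDE_OPEN for c in cidrs):
            flagged.append((rule.get("name", "?"), rule.get("publicip", "?"), raw or "<none>"))
    return flagged


def fetch_lb_rules(endpoint: str, api_key: str, secret_key: str) -> dict:
    """Call listLoadBalancerRules on a real management server (endpoint is assumed)."""
    params = {"command": "listLoadBalancerRules", "response": "json",
              "listall": "true", "apikey": api_key}
    params["signature"] = sign(params, secret_key)
    with urllib.request.urlopen(endpoint + "?" + urllib.parse.urlencode(params)) as resp:
        return json.load(resp)["listloadbalancerrulesresponse"]


# Constructed sample response: one restricted rule, one at the default, one with no list.
SAMPLE_RESPONSE = {"loadbalancerrule": [
    {"name": "api-restricted", "publicip": "203.0.113.10", "cidrlist": "198.51.100.0/24"},
    {"name": "web-open", "publicip": "203.0.113.11", "cidrlist": "0.0.0.0/0"},
    {"name": "k8s-ingress", "publicip": "203.0.113.12"},
]}

if __name__ == "__main__":
    for name, ip, cidrs in wide_open_lb_rules(SAMPLE_RESPONSE):
        print(f"OPEN: {name} on {ip} (cidrlist={cidrs})")
```

Run it against a real endpoint by replacing `SAMPLE_RESPONSE` with `fetch_lb_rules(...)`; each flagged rule is one whose only effective control in a VPC is unset.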