apache / cloudstack

Apache CloudStack is an open-source Infrastructure as a Service (IaaS) cloud computing platform
https://cloudstack.apache.org/
Apache License 2.0

VPC ACL Issue #7483

Open assistanz247 opened 1 year ago

assistanz247 commented 1 year ago
ISSUE TYPE
COMPONENT NAME

VPC

CLOUDSTACK VERSION

Cloudstack 4.18.0.0

CONFIGURATION

VPC Network

OS / ENVIRONMENT

N/A

SUMMARY

I have allowed only port 3389 in the VPC ACL, but I am able to access using another port which is not in the allowed list.

STEPS TO REPRODUCE

Here is my scenario.

I have created a VPC, then created a new ACL list named my-ACL and added the rules below.

For Egress:

ALL Egress allow

For Ingress:

CIDR: 0.0.0.0/0 Protocol: TCP From Port: 3389 To Port: 3389

Then I created two Windows VMs under this new network. Then I acquired a public IP address and added the port forwarding below.

For VM1:

Private port: 3389 Public Port: 3389

For VM2:

Private Port: 3389 Public Port: 2812

In my scenario, I need to access only VM1 through RDP using the public IP address on port 3389. But I am able to access VM2 with 2812 as well.

But in my network ACL, I have allowed only port 3389.

EXPECTED RESULTS

Should be able to access only VM1 on port 3389, not VM2 on port 2812.

ACTUAL RESULTS

I was able to access VM2 using port 2812.

boring-cyborg[bot] commented 1 year ago

Thanks for opening your first issue here! Be sure to follow the issue template!

rajujith commented 1 year ago

@assistanz247 By the current design, the network ACL in a VPC is applicable at the tier side; hence the public port is not filtered by the ACL. It is allowing the traffic since the private port 3389 is allowed as per the ACL rule. In order to filter the traffic based on the public port, we may have to introduce ACLs for public interfaces on the VPC in addition to the VPC tier ACLs in use. Another way to handle this specific scenario would be by introducing a destination CIDR field in the ACL item, where the destination VM guest IP could be configured.

weizhouapache commented 1 year ago

Currently network ACLs apply on VPC tiers only. It might be a change (API, UI, service layer) to support ACLs on public IPs.

As I said on the mailing list, each ACL rule can have only one CIDR, which is the source CIDR for ingress rules and the destination CIDR for egress rules. I am +1 on adding source and destination CIDRs to Network ACL items.
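The two comments above explain why the report's ACL behaves as it does: port forwarding rewrites the destination to the guest IP and private port before the tier ACL sees the packet, and an ingress ACL item carries only a source CIDR. The following is an added illustration written for this thread, not CloudStack code; the guest IPs, the client IP, the "DNAT before tier ACL" ordering and the default-deny / first-match evaluation are constructed modelling assumptions, and `dst_cidr` models the destination CIDR field proposed in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed guest IPs for the two VMs in the report (not values from the issue).
VM1_IP = "10.1.1.10"
VM2_IP = "10.1.1.20"

# Port forwarding on the acquired public IP, as described in the report:
# public port -> (guest IP, private port).
PORT_FORWARDS = {3389: (VM1_IP, 3389), 2812: (VM2_IP, 3389)}

# The tier ACL from the report: one ingress item, TCP 3389 from anywhere.
# dst_cidr=None models today's ACL item, which carries a source CIDR only.
ACL_INGRESS = [
    {"action": "allow", "protocol": "tcp", "cidr": "0.0.0.0/0",
     "start": 3389, "end": 3389, "dst_cidr": None},
]

def dnat(public_port):
    """Port forwarding rewrites the destination before the packet reaches the tier."""
    return PORT_FORWARDS.get(public_port)

def acl_allows(acl, src_ip, dst_ip, dst_port, protocol="tcp"):
    """Evaluate tier ACL items against the translated packet.

    Modelling assumption: first matching item decides, default deny."""
    for item in acl:
        if item["protocol"] != protocol or not (item["start"] <= dst_port <= item["end"]):
            continue
        if ip_address(src_ip) not in ip_network(item["cidr"]):
            continue
        if item["dst_cidr"] and ip_address(dst_ip) not in ip_network(item["dst_cidr"]):
            continue
        return item["action"] == "allow"
    return False

def ingress_reaches_vm(public_port, src_ip="203.0.113.5", acl=ACL_INGRESS):
    """Return the guest IP reached, or None if dropped by port forwarding or the ACL."""
    target = dnat(public_port)
    if target is None:
        return None
    guest_ip, private_port = target
    # The ACL only ever sees private_port (3389 for both VMs), never the public port.
    return guest_ip if acl_allows(acl, src_ip, guest_ip, private_port) else None

# The proposed destination CIDR on the item: pin the rule to VM1's guest IP.
ACL_WITH_DST = [dict(ACL_INGRESS[0], dst_cidr=f"{VM1_IP}/32")]
```

With the current item, both public ports reach a VM because both translate to private port 3389; with a destination CIDR on the item, only VM1 is reachable and the 2812 forward to VM2 is dropped.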

kiranchavala commented 1 year ago

This is a good improvement request to add source and destination CIDRs to Network ACL items.

RodrigoDLopez commented 1 year ago

Hey @assistanz247 I'm working on a PR to add source CIDR on Port Forward for VPCs. Could you please take a look at PR#7081 and verify if the proposed feature covers your use case?

@weizhouapache I will take the time to respond to your requests. For the delay in answering them, I apologize.

assistanz247 commented 1 year ago

Hi Rodrigo,

We have gone through PR#7081 and confirmed that it will resolve our issue in VPC.

Thanks a lot :-)

Regards, Loges https://www.stackbill.com
