Any idea?

On Sat, Nov 2, 2019 at 5:22 PM Fariborz Navidan wrote:

> Thanks for the reply. How should we block an egress CIDR from a specific
> source CIDR when the default egress policy of the network offering is
> "Allow"? What will be the behavior of Egress rules in a SG on the network?
>
> On Sat, Nov 2, 2019 at 12:09 AM Andrija Panic wrote:
>
>> By the definition, with Shared Networks, VR is providing **ONLY**
>> DNS/DHCP/USER-DATA services to VMs in the shared network - i.e. traffic
>> NEVER passes through the VR (your VR and all your user VMs have an IP on
>> that shared network - they are just "peers" so to speak, VR is not a
>> router, it's just a dhcp/dns server).
>>
>> If you are using Security Groups on that shared network, then you can
>> achieve what you want via SG, otherwise, your VMs are using (as you
>> stated) external gateway, which you don't control.
>>
>> If you are NOT using SG, but are brave enough and have awesome automation
>> skills - you can try to do traffic limiting on the hypervisor hosts (which
>> is exactly what SG do - SG is just a collection of iptables/ebtables rules
>> on hypervisors)
>> Though I would not advise doing so...^^^
>>
>> Best,
>> Andrija
>>
>> On Fri, 1 Nov 2019 at 21:21, Fariborz Navidan wrote:
>>
>>> Yes, it is a shared network with external gateway. Indeed hosts are
>>> connected to a vRack on OVH network. Gateway address is externally
>>> addressed as last usable IP of the IP block. On CloudStack side, we have
>>> configured several IP address ranges on the same shared guest network
>>> in an advanced zone.
>>>
>>> What I want to do is, to block some outgoing traffic from specific source
>>> IPs to specific destination IP ranges. I want to know that I should place
>>> firewall rule on the VR or on the host itself. The cloud is currently
>>> running with one host but I should be able to generalize these rules for
>>> further scaling when more hosts are added in future.
>>>
>>> Thanks
>>>
>>> On Fri, Nov 1, 2019 at 10:30 PM Andrija Panic wrote:
>>>
>>>> Can you explain your setup a bit more - I'm not clear with "gateway
>>>> address of my guest network is not inside the cloud and it is
>>>> not under my management" - is this a shared network, using some external
>>>> gateway (which is a normal setup for Shared network)?
>>>>
>>>> On Fri, 1 Nov 2019 at 16:21, Fariborz Navidan wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> The gateway address of my guest network is not inside the cloud and it
>>>>> is not under my management. My question is that does guest traffic
>>>>> still touch the virtual router and can I place custom firewall rules
>>>>> between guests and outside network on VR?
>>>>
>>>> --
>>>>
>>>> Andrija Panić
>>
>> --
>>
>> Andrija Panić
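An added example, not from this thread or the CloudStack project, showing the Security Group route Andrija points to: it builds a signed CloudStack API request for authorizeSecurityGroupEgress and verifies such a signature the way the management server would. The API key, secret key, security group id and CIDRs are constructed placeholders; the request is only built, not sent. CloudStack's documented caveat applies to the question asked above: egress on a security group is allow-all only while the group has no egress rules, so the first egress rule turns egress into an allow-list of the CIDRs it names.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed placeholder credentials for this example; not real keys.
API_KEY = "EXAMPLE-API-KEY"
SECRET_KEY = "EXAMPLE-SECRET-KEY"


def sign_request(params, secret_key):
    """Return (query_string, signature) for a CloudStack API call.

    Signing scheme: sort parameters by name, URL-encode each value, join
    as name=value with '&', lowercase the whole string, HMAC-SHA1 it with
    the account's secret key and base64-encode the digest.
    """
    items = sorted((k, str(v)) for k, v in params.items())
    query = "&".join(f"{k}={urllib.parse.quote(v, safe='')}" for k, v in items)
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    return query, base64.b64encode(digest).decode()


def egress_rule_request(sg_id, dest_cidrs, protocol="tcp", start_port=1,
                        end_port=65535, api_key=API_KEY, secret_key=SECRET_KEY):
    """Build the signed query for authorizeSecurityGroupEgress.

    The rule attaches to the group, so the traffic "source" is every VM in
    that group; cidrlist names the destinations that remain allowed out.
    Once any egress rule exists, destinations covered by no egress rule are
    dropped by the SG iptables/ebtables rules on the hypervisor.
    """
    params = {
        "command": "authorizeSecurityGroupEgress", "apikey": api_key,
        "response": "json", "securitygroupid": sg_id, "protocol": protocol,
        "startport": start_port, "endport": end_port,
        "cidrlist": ",".join(dest_cidrs),
    }
    query, signature = sign_request(params, secret_key)
    return f"{query}&signature={urllib.parse.quote(signature, safe='')}"


def signature_is_valid(signed_query, secret_key):
    """Recompute the signature over the received parameters (what the
    management server does) and compare it in constant time."""
    pairs = urllib.parse.parse_qsl(signed_query, keep_blank_values=True)
    params = {k: v for k, v in pairs if k != "signature"}
    presented = dict(pairs).get("signature", "")
    _, expected = sign_request(params, secret_key)
    return hmac.compare_digest(presented, expected)
```

A request for a specific source would use the id of the security group those VMs belong to; restricting only some VMs of a shared network means putting them in their own group.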