I found a solution and tested it.

- I created a VM as an SSH Tunnel Server.
- Added a single Egress rule with tunnel_server_IP/32 as CIDR, allowing outgoing traffic to ONLY go through this proxy.
- Now the VM behind this special SG is only able to connect to the tunnel server. I installed and ran sshuttle to route all outgoing connections. Now I can block any CIDR and control outgoing connections from the tunnel side.

On Fri, Nov 8, 2019 at 12:19 PM Andrija Panic wrote:

> Since you can't add Deny rules with SGs, I find it hard to do what
> you want...
>
> On Thu, 7 Nov 2019, 22:27 Fariborz Navidan wrote:
>
> > Any idea?
> >
> > On Thu, Nov 7, 2019 at 10:22 PM Fariborz Navidan wrote:
> >
> > > In this way it works just vice versa. I add an egress rule with a
> > > specific CIDR and it only allows outbound traffic to that network.
> > > I want to do the reverse: allow all outbound traffic but not this CIDR.
> > >
> > > On Thu, Nov 7, 2019 at 9:41 PM Andrija Panic wrote:
> > >
> > >> http://docs.cloudstack.apache.org/en/latest/adminguide/networking/security_groups.html#enabling-security-groups
> > >>
> > >> It says it all. Once you add a first EGRESS rule to the existing SG,
> > >> only that rule applies (it stops allowing all EGRESS traffic, which it
> > >> does when there are no explicit EGRESS rules).
> > >>
> > >> On Thu, 7 Nov 2019 at 16:46, Fariborz Navidan wrote:
> > >>
> > >> > Hello,
> > >> >
> > >> > I have a shared network with the default egress policy set to allow.
> > >> > How can I block traffic to a specific outbound CIDR originating from
> > >> > this VM?
> > >>
> > >> --
> > >> Andrija Panić
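The workaround described at the top of this thread (one /32 egress rule on the security group, sshuttle on the client VM, the actual deny on the tunnel host), written out as a shell script. This is an added example, not code from the thread or from CloudStack; the security group name, tunnel IP, ssh user and denied CIDR are placeholder assumptions. It uses the CloudStack API call authorizeSecurityGroupEgress via cloudmonkey (cmk), sshuttle's -r/-x/--dns options, and an iptables OUTPUT rule on the tunnel server. Without APPLY=1 it only prints the command it would run, so each of the three steps can be checked before it is executed on the right host.

```shell
#!/bin/sh
# Added example (not from the thread). Values below are assumptions.
SG_NAME="${SG_NAME:-tunnel-only}"        # security group attached to the client VM
TUNNEL_IP="${TUNNEL_IP:-10.1.1.10}"      # SSH tunnel server (assumed address)
TUNNEL_USER="${TUNNEL_USER:-tunnel}"     # ssh user on the tunnel server
DENY_CIDR="${DENY_CIDR:-203.0.113.0/24}" # CIDR to deny, enforced on the tunnel side

# The egress rule must be a single host (/32): a wider CIDR would let the VM
# reach that whole subnet directly, bypassing the tunnel. Returns 1 otherwise.
is_host32() {
    case "$1" in
        */32) ;;
        *) return 1 ;;
    esac
    ip="${1%/32}"
    # four dotted-decimal octets, each in 0..255
    echo "$ip" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}

# 1. Control side: the one egress rule on the client VM's SG. As the thread
#    notes, once a first egress rule exists CloudStack stops allowing all
#    egress and only that rule applies, so the VM can only reach tcp/22 on
#    the tunnel server.
sg_egress_cmd() {
    is_host32 "$2" || { echo "tunnel IP must be a host /32, got $2" >&2; return 1; }
    printf 'cmk authorizeSecurityGroupEgress securitygroupname=%s protocol=tcp startport=22 endport=22 cidrlist=%s\n' "$1" "$2"
}

# 2. Client VM: route everything through the tunnel. --dns is needed because
#    the SG no longer allows UDP/53 directly; -x keeps the ssh session itself
#    from being routed into the tunnel.
sshuttle_cmd() {
    printf 'sshuttle --dns -r %s@%s -x %s/32 0.0.0.0/0\n' "$1" "$2" "$2"
}

# 3. Tunnel server: sshuttle's server side opens the onward connections from
#    this host, so the deny belongs in OUTPUT, not FORWARD.
tunnel_block_cmd() {
    printf 'iptables -I OUTPUT -d %s -j REJECT\n' "$1"
}

# Print the command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then sh -c "$1"; else echo "$1"; fi
}

case "${1:-}" in
    control) run "$(sg_egress_cmd "$SG_NAME" "$TUNNEL_IP/32")" ;;
    client)  run "$(sshuttle_cmd "$TUNNEL_USER" "$TUNNEL_IP")" ;;
    tunnel)  run "$(tunnel_block_cmd "$DENY_CIDR")" ;;
esac
```

Run it as `sh egress-tunnel.sh control` from a host with cloudmonkey configured, `client` on the VM behind the security group, and `tunnel` on the tunnel server. Two caveats a practitioner will hit: the tunnel server becomes the single exit for the VM, so its own firewall (and who can ssh to it) is now the real egress policy; and any process on the VM that sshuttle does not capture (for example traffic sent before sshuttle starts) is simply dropped by the SG, which is the intended fail-closed behaviour.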