Hi all, I've run into some limitations in the firewall rule capabilities in the VPC side that I'm hoping could be addressed in a future release. For VPC networks, when configuring ACL for tiers you can only manage tier-wide destinations for inbound or sources for outbound.
What would it take to build more granularity into these options? For example, in a tier with one web server and one mail server, I have to allow Inbound, from 0.0.0.0/0, on TCP 25, 80, 443, etc. This opens these ports to *all* instances in the tier, assuming they don't have their own OS-level firewalls running. Now, of course, only instances with Static NAT configured will pass traffic, but that still permits port 25 to the web server and 80/443 to the FTP even if I don't want that. Typical firewall rule sets allow source/destination to be specified, so that we could open port 25 to the FTP server IP only, and port 80/443 to the web server only.

The current rules are confusing for a new user with a networking background. You have to understand that when selecting "Ingress" your specified CIDR is a *source*, but when specifying "Egress" it is the destination CIDR.

Thanks for the consideration,

Christopher Falk
Director, Technical Operations
www.reliablenetworks.com
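To make the exposure described above concrete, here is an added example (not part of the original post or of CloudStack) that models a VPC tier ACL where the CIDR is the source on Ingress and the destination on Egress, and contrasts it with the hypothetical per-destination rules the post asks for; the tier addresses, the probing source address and the `dest` field are all assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example tier (assumed addresses, not from the post): a web
# server and a mail server in one VPC tier, 10.1.1.0/24.
TIER = {"web": "10.1.1.10", "mail": "10.1.1.20"}

def rule(direction, cidr, proto, ports, dest=None):
    """One ACL entry. As the post describes, the CIDR is the *source* for
    Ingress and the *destination* for Egress. 'dest' is the hypothetical
    per-instance destination filter the post asks for (None = whole tier)."""
    return {"direction": direction, "cidr": ip_network(cidr), "proto": proto,
            "ports": set(ports),
            "dest": ip_network(dest) if dest else None}

def allowed(acl, direction, remote, local, proto, port):
    """First-match evaluation: 'remote' is the off-tier address the rule's
    CIDR is checked against (source on Ingress, destination on Egress);
    'local' is the tier instance, checked against 'dest' when one is set."""
    for r in acl:
        if r["direction"] != direction or r["proto"] != proto:
            continue
        if ip_address(remote) not in r["cidr"] or port not in r["ports"]:
            continue
        if r["dest"] is not None and ip_address(local) not in r["dest"]:
            continue
        return True
    return False

def exposure(acl, probe_ports=(25, 80, 443)):
    """Which of the probed TCP ports each tier instance accepts from the
    Internet (constructed source 203.0.113.5, standing in for 0.0.0.0/0)."""
    return {name: {p for p in probe_ports
                   if allowed(acl, "Ingress", "203.0.113.5", addr, "TCP", p)}
            for name, addr in TIER.items()}

# Tier-wide ACL as the post describes today's behaviour: one Ingress entry
# opens 25, 80 and 443 to every instance in the tier.
TIER_WIDE = [rule("Ingress", "0.0.0.0/0", "TCP", [25, 80, 443])]

# Per-destination rules the post asks for: SMTP reaches only the mail server,
# HTTP/HTTPS only the web server.
GRANULAR = [rule("Ingress", "0.0.0.0/0", "TCP", [25], dest="10.1.1.20/32"),
            rule("Ingress", "0.0.0.0/0", "TCP", [80, 443], dest="10.1.1.10/32")]

if __name__ == "__main__":
    print("tier-wide:", exposure(TIER_WIDE))   # every port on both hosts
    print("granular: ", exposure(GRANULAR))    # 25 on mail, 80/443 on web
```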
