Comment 5 for bug 1287658

Paul Gear (paulgear) wrote :

To explain why we think this is important for Canonical IS: we need source-address-based access control for certain services. Examples of this are:

- public web sites fronted by haproxy: haproxy needs to expose port 80/443 to the world, but port 10000 (haproxy stats interface) should only be exposed to the administrators and/or developers

- ssh access for administrators/developers: we usually want to lock this down to VPN users only

- Nagios checks: only our Nagios server(s) should be allowed to run checks against the Nagios agent.

In order to do this at present, we manually edit the secgroup rules, but this causes problems in situations where juju itself resets secgroups, such as those encountered in bugs #1420996, #1449044 and #1555969.

I would consider this functionality to be around medium priority. We shouldn't have to come along fixing firewall rules after juju has created them. Even adding the ability to specify a single CIDR to a juju expose would be a huge step forward.
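The source-address policy this comment asks for, written up as an added example that is not from the bug thread or from Juju: a small checker that takes the security-group rules a deployment currently has and flags every rule whose source range is wider than the policy permits for that port. This is the check one would run after a secgroup reset to see which admin-only ports have been re-opened to the world. The port numbers other than 80/443/10000, the CIDRs (documentation and private ranges standing in for the admin, VPN and monitoring networks) and the rule format are constructed assumptions.

```python
import ipaddress

# Constructed policy (not from the bug report): for each port, the source
# ranges that may reach it.  The addresses are RFC 5737 / private ranges
# used as stand-ins for the admin, VPN and monitoring networks.
POLICY = {
    80: ["0.0.0.0/0"],                          # public web traffic
    443: ["0.0.0.0/0"],
    10000: ["198.51.100.0/24"],                 # haproxy stats: admin net only
    22: ["10.8.0.0/24"],                        # ssh: VPN client range only
    5666: ["192.0.2.10/32", "192.0.2.11/32"],   # Nagios agent (assumed NRPE port): monitoring servers only
}


def rules_from_policy(policy):
    """Expand the policy into the per-port ingress rules one would want a
    CIDR-aware 'juju expose' to create (one rule per port/source pair)."""
    return [{"port": port, "cidr": cidr}
            for port, cidrs in sorted(policy.items())
            for cidr in cidrs]


def rule_violations(rules, policy):
    """Return (port, cidr, reason) for every rule that admits traffic from a
    source outside the policy.  A rule is acceptable only if its source range
    lies entirely within one of the allowed ranges for that port."""
    violations = []
    for rule in rules:
        port = rule["port"]
        src = ipaddress.ip_network(rule["cidr"], strict=False)
        allowed = [ipaddress.ip_network(c, strict=False)
                   for c in policy.get(port, [])]
        if not allowed:
            violations.append((port, rule["cidr"], "port not permitted by policy"))
        elif not any(src.version == a.version and src.subnet_of(a) for a in allowed):
            violations.append((port, rule["cidr"], "source wider than policy allows"))
    return sorted(violations)


# Constructed example of what a reset security group looks like: every
# exposed port open to the whole Internet.
RESET_RULES = [{"port": p, "cidr": "0.0.0.0/0"} for p in (22, 80, 443, 5666, 10000)]

if __name__ == "__main__":
    for port, cidr, reason in rule_violations(RESET_RULES, POLICY):
        print(f"port {port} from {cidr}: {reason}")
```

Run against the reset rule set, the checker reports ports 22, 5666 and 10000 as open to the world while leaving 80 and 443 alone, which is exactly the set an operator would otherwise have to notice and repair by hand; a narrower source such as 198.51.100.128/25 for port 10000 passes because it sits inside the allowed /24.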