We have the start of this functionality which landed in Juju 2.3.
It only supports (so far) 3 pre-defined "well known" services:
- ssh (port 22)
- juju-controller (client connections to controller on port 17070)
- juju-application-offer (cross model relation consumers on port 17070)

In terms of restricting access to particular deployed services, this really falls under the open/close port functionality of a charm, doesn't it? e.g. for haproxy, open-port 10000 does currently expose to 0.0.0.0/0, so we need to look at enhancing what open-port can do to allow a CIDR to be specified. The Juju firewaller internally now does support CIDRs (with the set-firewall-rule addition), so we just need to enhance what open-port can specify.
$ juju set-firewall-rule --help
Usage: juju set-firewall-rule [options] <service-name>, --whitelist <cidr>[,<cidr>...]

Summary:
Sets a firewall rule.

Options:
-m, --model (= "")
    Model to operate in. Accepts [<controller name>:]<model name>
--whitelist (= "")
    list of subnets to whitelist

Details:
Firewall rules control ingress to well known services
within a Juju model. A rule consists of the service name
and a whitelist of allowed ingress subnets.

The currently supported services are:
- ssh
- juju-controller
- juju-application-offer

Examples:
    juju set-firewall-rule ssh --whitelist 192.168.1.0/16
    juju set-firewall-rule juju-controller --whitelist 192.168.1.0/16
    juju set-firewall-rule juju-application-offer --whitelist 192.168.1.0/16

See also: list-firewall-rules
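As an added example (not part of the original post and not Juju's own code), the following Python wrapper validates a whitelist before composing the `juju set-firewall-rule` command line shown in the help output above. The three service names and the comma-separated `--whitelist <cidr>[,<cidr>...]` form are taken from that help text; the function names, the canonical-prefix rule and the sample inputs are this example's own assumptions. One caveat worth encoding: a value like the help's own `192.168.1.0/16` has host bits set, so the network it denotes is `192.168.0.0/16`, not what was written; the wrapper refuses such input rather than guessing, and likewise refuses `0.0.0.0/0` unless explicitly allowed, since whitelisting everything is the same as having no rule. How Juju itself treats a non-canonical prefix is not something the page states.

```python
import ipaddress
import shlex
from typing import List, Optional

# Service names exactly as listed by `juju set-firewall-rule --help`.
WELL_KNOWN_SERVICES = ("ssh", "juju-controller", "juju-application-offer")


def normalise_whitelist(cidrs: List[str], allow_any: bool = False) -> List[str]:
    """Return a cleaned, canonical whitelist or raise ValueError.

    Checks performed before anything is handed to juju (this example's own
    policy, not Juju's):
      * every entry must parse as an IPv4/IPv6 network (a bare address
        becomes a /32 or /128);
      * prefixes with host bits set (e.g. 192.168.1.0/16) are rejected,
        because the network they denote (192.168.0.0/16) is not what was
        written and a reviewer cannot tell which one was meant;
      * 0.0.0.0/0 and ::/0 are rejected unless allow_any=True, since a rule
        that whitelists everything is the same as having no rule;
      * duplicates are dropped while keeping the original order.
    """
    cleaned: List[str] = []
    for raw in cidrs:
        text = raw.strip()
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            raise ValueError(f"rejecting {text!r}: {exc}") from None
        if net.prefixlen == 0 and not allow_any:
            raise ValueError(f"rejecting {text!r}: it whitelists every address")
        canonical = str(net)
        if canonical not in cleaned:
            cleaned.append(canonical)
    if not cleaned:
        raise ValueError("whitelist must contain at least one CIDR")
    return cleaned


def whitelist_error(cidrs: List[str], allow_any: bool = False) -> str:
    """Run the same checks as normalise_whitelist; return '' when OK, else the message."""
    try:
        normalise_whitelist(cidrs, allow_any)
    except ValueError as exc:
        return str(exc)
    return ""


def build_set_firewall_rule(service: str, cidrs: List[str],
                            model: Optional[str] = None,
                            allow_any: bool = False) -> List[str]:
    """Build the argv for `juju set-firewall-rule` following the usage line above."""
    if service not in WELL_KNOWN_SERVICES:
        raise ValueError(f"{service!r} is not a well known service: {WELL_KNOWN_SERVICES}")
    argv = ["juju", "set-firewall-rule"]
    if model:
        argv += ["-m", model]
    argv += [service, "--whitelist", ",".join(normalise_whitelist(cidrs, allow_any))]
    return argv


if __name__ == "__main__":
    # Constructed sample inputs (not from the page): an operator's intended
    # whitelist with whitespace and a duplicate, the help text's own example
    # value, and an open-to-the-world rule.
    for attempt in (["10.0.0.0/8", " 192.168.0.0/16 ", "10.0.0.0/8"],
                    ["192.168.1.0/16"],
                    ["0.0.0.0/0"]):
        problem = whitelist_error(attempt)
        if problem:
            print("refused:", problem)
        else:
            print(shlex.join(build_set_firewall_rule("ssh", attempt, model="prod:default")))
```

Running the script prints the composed command for the first whitelist and a refusal for the other two; nothing is executed against a controller, the wrapper only produces the argv that would be passed to juju.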