Comment 7 for bug 1287658

Ian Booth (wallyworld) wrote :

We have the start of this functionality which landed in Juju 2.3.
It only supports (so far) 3 pre-defined "well known" services
 -ssh (port 22)
 -juju-controller (client connections to controller on port 17070)
 -juju-application-offer (cross model relation consumers on port 17070)

In terms of restricting access to particular deployed services, this really falls under the open/close port functionality of a charm, doesn't it? E.g. for haproxy, open-port 10000 does currently expose to 0.0.0.0/0, so we need to look at enhancing what open-port can do to allow a CIDR to be specified. The Juju firewaller internally now does support CIDRs (with the set-firewall-rule addition), so we just need to enhance what open-port can specify.

$ juju set-firewall-rule --help
Usage: juju set-firewall-rule [options] <service-name>, --whitelist <cidr>[,<cidr>...]

Summary:
Sets a firewall rule.

Options:
-m, --model (= "")
    Model to operate in. Accepts [<controller name>:]<model name>
--whitelist (= "")
    list of subnets to whitelist

Details:
Firewall rules control ingress to a well known services
within a Juju model. A rule consists of the service name
and a whitelist of allowed ingress subnets.
The currently supported services are:
 -ssh
 -juju-controller
 -juju-application-offer

Examples:
    juju set-firewall-rule ssh --whitelist 192.168.1.0/16
    juju set-firewall-rule juju-controller --whitelist 192.168.1.0/16
    juju set-firewall-rule juju-application-offer --whitelist 192.168.1.0/16

See also:
    list-firewall-rules
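The rule model described in the comment above (a well-known service name plus a whitelist of ingress CIDRs), worked through as an added Python illustration; this is not Juju's own code. It keeps the three service names and ports listed in the comment, and it makes two assumptions the help text does not state: a service with no rule keeps the open 0.0.0.0/0 default, and a whitelist entry with host bits set (such as the help text's own `192.168.1.0/16`, which strict parsing would read as a sloppy spelling of `192.168.0.0/16`) is rejected rather than silently widened.

```python
"""Toy model of per-service ingress whitelists in the style of
`juju set-firewall-rule <service> --whitelist <cidr>[,<cidr>...]`.

Added illustration only; not Juju's implementation. The service table
is taken from the comment above, the "no rule means open" default and
the strict-CIDR policy are assumptions made here.
"""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
RuleSet = Dict[str, List[Network]]

# The three pre-defined services and their ports, as listed in the comment.
WELL_KNOWN_SERVICES = {
    "ssh": 22,
    "juju-controller": 17070,
    "juju-application-offer": 17070,
}


def _split(whitelist: str) -> List[str]:
    """Split the comma-separated --whitelist value, dropping blanks."""
    return [item.strip() for item in whitelist.split(",") if item.strip()]


def invalid_entries(whitelist: str) -> List[str]:
    """Return the entries that are not canonical CIDRs.

    strict=True rejects a value whose host bits are set, e.g. 192.168.1.0/16:
    accepting it as 192.168.0.0/16 would grant a wider subnet than the
    operator wrote, so we fail closed and ask for the canonical form.
    """
    bad = []
    for item in _split(whitelist):
        try:
            ipaddress.ip_network(item, strict=True)
        except ValueError:
            bad.append(item)
    return bad


def parse_whitelist(whitelist: str) -> List[Network]:
    """Parse a --whitelist value into network objects, or raise."""
    bad = invalid_entries(whitelist)
    if bad:
        raise ValueError(f"rejecting non-canonical CIDR(s): {bad}")
    networks = [ipaddress.ip_network(item, strict=True) for item in _split(whitelist)]
    if not networks:
        raise ValueError("whitelist must contain at least one CIDR")
    return networks


def set_firewall_rule(rules: RuleSet, service: str, whitelist: str) -> RuleSet:
    """Record the whitelist for one well-known service (mirrors the CLI shape)."""
    if service not in WELL_KNOWN_SERVICES:
        raise ValueError(
            f"unknown service {service!r}; expected one of {sorted(WELL_KNOWN_SERVICES)}"
        )
    rules[service] = parse_whitelist(whitelist)
    return rules


def ingress_allowed(rules: RuleSet, service: str, client_ip: str) -> bool:
    """Decide whether client_ip may reach the service under the current rules.

    Assumption: a service with no rule keeps the open default (0.0.0.0/0),
    matching the exposure the comment describes for open-port today.
    An address of the other IP version never matches a network, so a
    v4-only whitelist blocks all v6 clients and vice versa.
    """
    if service not in WELL_KNOWN_SERVICES:
        raise ValueError(f"unknown service {service!r}")
    addr = ipaddress.ip_address(client_ip)
    whitelist = rules.get(service)
    if whitelist is None:
        return True
    return any(addr in net for net in whitelist)


if __name__ == "__main__":
    # Constructed sample: lock ssh down to one office subnet and one v6 range.
    rules = set_firewall_rule({}, "ssh", "192.168.0.0/16,2001:db8::/32")
    for ip in ("192.168.42.7", "8.8.8.8", "2001:db8::1"):
        print(f"ssh from {ip}: {'allow' if ingress_allowed(rules, 'ssh', ip) else 'deny'}")
    print("juju-controller from 8.8.8.8 (no rule):",
          ingress_allowed(rules, "juju-controller", "8.8.8.8"))
    print("rejected:", invalid_entries("192.168.1.0/16"))
```

Running the block prints allow/deny decisions for ssh, shows the controller port still open because no rule was set for it, and reports `192.168.1.0/16` as a rejected entry. Whether to reject or normalise such values is a policy choice; the point of the strict check is that the operator sees the subnet that will actually be opened.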