Open ports cannot be restricted to an IP or domain

Bug #1321407 reported by Nate Finch on 2014-05-20
This bug affects 5 people

Bug Description

Right now, if you open a port on a node to the outside network, it's open to the entire network - there's no way to just expose it to a limited audience.

Reported here:

Nate Finch (natefinch) on 2014-05-20
tags: added: security
Joey Stanford (joey) on 2014-05-20
tags: added: production
Curtis Hovey (sinzui) on 2014-05-20
Changed in juju-core:
status: New → Triaged
importance: Undecided → Medium
William Grant (wgrant) wrote :

This is pretty inconvenient when combined with the lack of intra-environment isolation. If you have some slightly untrustworthy services, the free-for-all security groups within an environment mean you need to have them in a separate one. But that requires that you expose some services from the trusted environment, and this bug means you then need to firewall them manually.

Something like "juju expose --to NETWORK/MASK" might work, though in my specific case I need a private API port to be restricted while a webapp port on the same service should be public.

Anastasia (anastasia-macmood) wrote :

Re-targeting for Juju 2.

Changed in juju:
status: New → Triaged
importance: Undecided → Wishlist
Changed in juju-core:
status: Triaged → Won't Fix
Changed in juju:
milestone: none → 2.8-beta1
Ian Booth (wallyworld) on 2020-04-02
Changed in juju:
milestone: 2.8-beta1 → 2.9-beta1
Changed in juju:
milestone: 2.9-beta1 → 2.9-rc1
Ian Booth (wallyworld) wrote :

The work to enable ports to be exposed to a CIDR range or a network space landed in 2.9.

no longer affects: juju-core
Changed in juju:
status: Triaged → Fix Committed