Comment 1 for bug 1321407

This is pretty inconvenient when combined with the lack of intra-environment isolation. If you have some slightly untrustworthy services, the free-for-all security groups within an environment mean you need to have them in a separate one. But that requires that you expose some services from the trusted environment, and this bug means you then need to firewall them manually.

Something like "juju expose --to NETWORK/MASK" might work, though in my specific case I need a private API port to be restricted while a webapp port on the same service should be public.