Comment 5 for bug 1793029

Alex (akrohn) wrote :

Slawek, I'm not 100% sure, as those are one and the same in this environment. You might be right, and it impacted all instances using the default security group.

However, the allowed-address-pairs add didn't add the iptables rule; it already existed. This rule:

905K 55M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set NIPv44046d62c-59c8-4fd0-a547- src

I believe comes from the default security group, and the ipset contains a list of all instance IPs on the network; it is what allows instances to talk to each other by default (so traffic sourced from any instance on the same network is allowed).

The allowed-address-pairs add added 0.0.0.0/1 and 128.0.0.0/1 to the ipset, thereby putting a default allow from anywhere in place and bypassing any security groups.

At least, I'm pretty sure that's what happened. We do have a staging environment and can test anything out. =)
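One way to audit for the condition described in this comment, as an added example that is not part of the bug report or of Neutron's own code: parse `ipset list` output and flag any IPv4 set whose members together cover the entire address space, since a `match-set <name> src` rule against such a set is equivalent to accepting from any source. The set names and members below are constructed for the example; only the `NIPv4` prefix is taken from the rule quoted above, and the coverage check goes beyond the exact 0.0.0.0/1 + 128.0.0.0/1 pair by collapsing any combination of members that adds up to 0.0.0.0/0.

```python
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed sample in the shape of `ipset list` output. Set names and
# members are made up for this example and are not real Neutron IDs.
SAMPLE_IPSET_LIST = """\
Name: NIPv4example-default-sg
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1040
References: 1
Number of entries: 4
Members:
10.0.0.5
10.0.0.6
0.0.0.0/1
128.0.0.0/1

Name: NIPv4example-other-sg
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 600
References: 1
Number of entries: 2
Members:
10.0.1.7
10.0.1.8/32
"""


def parse_ipset_list(text: str) -> Dict[str, List[IPv4Net]]:
    """Parse `ipset list` output into {set name: [IPv4 networks]}.

    Bare addresses (hash:ip style) and CIDR entries (hash:net style) are
    both accepted; non-IPv4 entries are skipped.
    """
    sets: Dict[str, List[IPv4Net]] = {}
    name = None
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_members = False  # blank line separates sets
            continue
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
            sets[name] = []
            in_members = False
            continue
        if line == "Members:":
            in_members = True
            continue
        if in_members and name is not None:
            # Entries may carry options after the address (e.g. "timeout 3");
            # the first token is the address or CIDR.
            entry = line.split()[0]
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue
            if isinstance(net, IPv4Net):
                sets[name].append(net)
    return sets


def coverage_fraction(nets: Iterable[IPv4Net]) -> float:
    """Fraction of the IPv4 address space covered by the union of `nets`."""
    collapsed = ipaddress.collapse_addresses(list(nets))
    covered = sum(n.num_addresses for n in collapsed)
    return covered / (2 ** 32)


def find_default_allow_sets(sets: Dict[str, List[IPv4Net]],
                            threshold: float = 1.0) -> List[str]:
    """Names of sets whose members cover at least `threshold` of IPv4.

    With the default threshold this flags exactly the sets for which a
    `match-set <name> src` accept rule allows traffic from anywhere.
    """
    return sorted(n for n, nets in sets.items()
                  if nets and coverage_fraction(nets) >= threshold)


if __name__ == "__main__":
    parsed = parse_ipset_list(SAMPLE_IPSET_LIST)
    for set_name, nets in parsed.items():
        print(f"{set_name}: {coverage_fraction(nets):.2%} of IPv4 covered")
    print("default-allow sets:", find_default_allow_sets(parsed))
```

On a real node this would be fed the output of `ipset list` from the compute host; a lower threshold (say 0.5) catches sets that are not quite 0.0.0.0/0 but still far wider than the instance addresses a remote-group set should contain.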