Comment 10 for bug 1793029

[analysis of what happens]

The issue which is reported as a security bug is about the latter ipset.
This is broken down into two cases:
- (a) ingress security group rule for vm1
- (b) ingress security group rule for VMs other than vm1

For (a), this is questionable.
The concept of the allowed-address-pair is to allow IP addresses from a specified range for a port (which affects "egress" check).
However it is not expected to affect "ingress" check. (<-- problem 1)

For (b), this is an expected behavior. vm1 port can use any IP address and "default" security group declares to accept all ingress traffic from the "default" security group members.
Even though this is an expected behavior, it is still a bit surprising to users. I believe most users do not imagine security groups of vm2-vm4 (servers other than vm1) will be full open. (<-- problem 2)