Comment 7 for bug 1027641

William Reade (fwereade) wrote :

As far as I am aware this is fixed: you should be able to set "firewall-mode: global" in environments.yaml to work around this limitation. It's not great -- any open port for any exposed service will be opened on all machines -- but it works around this limitation, so long as you start the environment in this mode (you can't change it in a running environment, sadly).

Service security groups play merry hell with the density story we're currently focused on, so they're not something we're considering at the moment. I think the long-term answer will be per-machine iptables rules (which will be helpful everywhere) in combination with an always-global-mode firewaller.