That's what I originally found, but then when I tried to reproduce the fix I also needed to tweak the FORWARD rule to connect from CLC to instance. I guess I got something wrong.

Dan, can we set VNET_CLOUDIP on the CC in all cases, or should it only be set if the CLC is separate?

IIUC it needs to be run only once (from anywhere) for the security group you want to use ("default" being the default one). You probably need to be admin to modify the "default" one.