Description of problem:
Allow deny rules on security groups.

Use case:
If customer creates, for example, a rule to allow incoming traffic to port 80, it's not possible to explicitly deny traffic from a specific network, and therefore customer has to know all networks from which he wants to allow traffic, and modify the security group rules every time a new network is created. Client wants to allow traffic by default to all networks, and create deny rules to explicitly deny traffic from some networks. Useful as well when there is a network attack (hacking attempt, DoS) and customer wants to block the attacking IP only.

Customer is aware of the FWaaS possibility, which allows creation of deny/reject rules, but as it is technology preview only, does not want to use it in a production environment, therefore the request for enhancement. We have discussed as well the possibility to filter traffic on the instance's side (by using, for example, iptables/firewalld at OS level), but this is not feasible as the security team can be separate from the instances' administrator team, and therefore the security team does not have access to the OS on the instances.

Actual results:
Not possible to create "deny" security group rules.

Expected results:
Ability to create "allow" and/or "deny" security group rules, to block unwanted traffic, rather than having to list all traffic which is allowed to come in.

Additional info:
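The following is an added illustration, not code from the bug report or from Neutron, of the gap the reporter describes: an allow-only rule set (the security group model) can only emulate "deny this network, allow everything else" by enumerating the CIDR complement of the denied range, which is what forces the reporter to track every network explicitly. The function names (`allow_rules_excluding`, `decide`, `security_group_equivalent`) are hypothetical, and the addresses are constructed sample values from the RFC 5737 documentation ranges.

```python
import ipaddress

# Added illustration (not from the bug report or Neutron): why an
# allow-only security group cannot express "allow everything except X",
# and the CIDR enumeration the reporter describes as the workaround.
# All addresses used here are constructed sample values (RFC 5737 ranges).


def allow_rules_excluding(blocked_cidrs):
    """Return the minimal list of IPv4 allow CIDRs that together cover every
    source except the blocked networks. This is the rule set an allow-only
    security group needs in order to emulate a single deny rule."""
    allowed = [ipaddress.ip_network("0.0.0.0/0")]
    for blocked in (ipaddress.ip_network(c) for c in blocked_cidrs):
        remaining = []
        for net in allowed:
            if net.subnet_of(blocked):
                continue                          # wholly inside the blocked range
            if blocked.subnet_of(net):
                remaining.extend(net.address_exclude(blocked))
            else:
                remaining.append(net)             # CIDRs are nested or disjoint
        allowed = remaining
    return sorted(ipaddress.collapse_addresses(allowed))


def decide(rules, src_ip, dst_port, default="deny"):
    """First-match evaluation of ordered (action, cidr, port) rules.
    A Neutron security group is the special case where every action is
    'allow' and the default is 'deny'; an ordered firewall (FWaaS, iptables)
    additionally accepts explicit 'deny' entries."""
    ip = ipaddress.ip_address(src_ip)
    for action, cidr, port in rules:
        if ip in ipaddress.ip_network(cidr) and port in (None, dst_port):
            return action
    return default


def security_group_equivalent(blocked_cidrs, dst_port):
    """Allow-only rule list that behaves like 'deny blocked, allow the rest'
    for one destination port."""
    return [("allow", str(net), dst_port)
            for net in allow_rules_excluding(blocked_cidrs)]


if __name__ == "__main__":
    attacker = ["203.0.113.0/24"]                # constructed: network to block
    # What the reporter wants: one deny rule on top of a broad allow.
    wanted = [("deny", "203.0.113.0/24", 80), ("allow", "0.0.0.0/0", 80)]
    # What an allow-only security group must carry to get the same effect.
    sg = security_group_equivalent(attacker, 80)
    print(f"{len(sg)} allow rules replace 1 deny rule")
    for src in ("203.0.113.7", "198.51.100.9"):
        print(src, decide(wanted, src, 80), decide(sg, src, 80))
```

Blocking a single /24 this way costs 24 allow rules, and every additional denied range reshapes the whole list, so the rule set has to be regenerated rather than edited whenever a network is added or an attacking source is identified.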
Product Management has reviewed and declined this request. You may appeal this decision by reopening this request.