Securing the Network
At present, the API calls for authorizing and revoking permissions are still under development. The remainder of this section outlines what you can depend on from this part of our API. The command line API tools expose only the subset of the functionality that is expected to remain unchanged.
Callers may depend on, now and in future, being able to grant permissions to:
- source address ranges (specified with CIDRs), specific protocol and ports (or ICMP type/code).
- source {user,group} tuples. No additional granularity, such as protocol and port (or ICMP type/code), should be expected.

Defining firewall rules in terms of groups is flexible enough to allow you to implement functionality equivalent to a VLAN.
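
A small model of the two grant types listed above, added here as an illustration and not part of the service's API or command line tools. It assumes default-deny evaluation, and every class, function and sample value in it is hypothetical. It shows that a group grant admits all protocols and ports from members of that group, which is what gives VLAN-like isolation and also what makes it coarser than a CIDR grant.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class CidrGrant:
    """Source address range scoped to one protocol and a port range.
    For ICMP, lo/hi bound the ICMP type instead (a simplification)."""
    cidr: str
    protocol: str  # "tcp", "udp" or "icmp"
    lo: int
    hi: int

@dataclass(frozen=True)
class GroupGrant:
    """Source {user,group} tuple: carries no protocol or port granularity."""
    user: str
    group: str

@dataclass(frozen=True)
class Packet:
    src_ip: str
    protocol: str
    port: int  # destination port, or ICMP type
    src_group: Optional[Tuple[str, str]] = None  # (user, group) of the sender

def permitted(grants, pkt):
    """Assumed default deny: admit a packet only if some grant matches it."""
    for g in grants:
        if isinstance(g, GroupGrant):
            if pkt.src_group == (g.user, g.group):
                return True  # any protocol, any port, from that group
        elif (pkt.protocol == g.protocol and g.lo <= pkt.port <= g.hi
              and ip_address(pkt.src_ip) in ip_network(g.cidr)):
            return True
    return False

# Constructed sample: a "db" group that accepts traffic only from the
# "app" group (the VLAN-like case) plus SSH from one admin range.
DB_GRANTS = [
    GroupGrant(user="111122223333", group="app"),
    CidrGrant(cidr="203.0.113.0/24", protocol="tcp", lo=22, hi=22),
]

if __name__ == "__main__":
    app = ("111122223333", "app")
    print(permitted(DB_GRANTS, Packet("10.0.0.5", "tcp", 3306, app)))
    print(permitted(DB_GRANTS, Packet("203.0.113.7", "tcp", 3306)))
```
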
In addition to the distributed firewall, you can maintain your own firewall on any of your instances. This may be useful if you have specific requirements not catered for by the distributed firewall.