pages/vpc/reference-content/understanding-routing.mdx
Lines changed: 3 additions & 7 deletions
@@ -77,8 +77,8 @@ For example, you may use one Private Network for frontend resources and another
77
77
78
78
From TODO DATE, new routing behavior is available for VPCs.
79
79
80
-
- This routing behavior will be applied automatically to VPCs created after TODO DATE, or where routing is only activated after this date.
81
-
- Pre-existing VPCs must be [updated](/vpc/how-to/manage-routing/#how-to-update-routing-behavior) to accept this new behavior
80
+
- This routing behavior will be applied automatically to VPCs created after TODO DATE, or to pre-existing VPCs that only activate routing after this date.
81
+
- Pre-existing VPCs already using routing must be [updated](/vpc/how-to/manage-routing/#how-to-update-routing-behavior) to accept this new behavior
82
82
83
83
|| Old behavior | New behavior |
84
84
|---|---|---|
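Review bot: the rewritten bullet on line 80 (and the unchanged line 78 it depends on) still carries the `TODO DATE` placeholder, so the effective date of the new routing behavior is published as "TODO DATE" to readers; this hunk should not merge until that placeholder is replaced with the real date, or the change should stay on a branch until it is known. Wording-wise the rewrite is an improvement: "or to pre-existing VPCs that only activate routing after this date" removes the ambiguity of the old "or where routing is only activated after this date", and line 81 now correctly narrows the update requirement to "Pre-existing VPCs already using routing". Minor style point: the second bullet ends without a period while the first does, so "…to accept this new behavior" should read "…to accept this new behavior."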
@@ -148,16 +148,12 @@ You want to prevent resources attached to `backend-net` and `frontend-net` from
148
148
149
149
#### Solution 1: NACL allow
150
150
151
-
You could create two NACL rules to **Deny** traffic first from `10.0.0.0/24` (`backend-net`) and then from `10.0.0.1/24` (`frontend-net`) towards destination `10.0.2.42/32` (`vpn-gateway-host`). When combined with a default NACL rule to **Allow** all other traffic, this would effectively block resources on `backend-net`.
151
+
You could create two NACL rules to **Deny** traffic first from `10.0.0.0/24` (`backend-net`) and then from `10.0.0.1/24` (`frontend-net`) towards destination `10.0.2.42/32` (`vpn-gateway-host`). When combined with a default NACL rule to **Allow** all other traffic, this would effectively block resources on `backend-net` and `frontend-net` from accessing `vpn-gateway-host`.
152
152
153
153
#### Solution 2: NACL deny
154
154
155
155
Alternatively, and aligned with best practice, when the default NACL rule **Denies** all traffic not matched to a specific rule, `backend-net` and `frontend-net` will already be blocked from sending traffic to `vpn-gateway-host` on `monitoring-net`. Since NACLs do not filter traffic between resources attached to the same Private Network, other resources on `monitoring-net` would still be able to successfully route traffic to `vpn-gateway-host`.
156
156
157
-
#### Solution 3: Modify custom route
158
-
159
-
Another alternative is to modify the custom route so that instead of applying to **all** source traffic, it applies only to traffic from within Private Network `monitoring-net`. Change the source IP range to `10.0.2.0/24` in the custom rule.
160
-
161
157
## Limitations
162
158
163
159
- Managed Databases are not currently compatible with routing. The VPC cannot automatically route between Managed Databases on different Private Networks, or (for example) between a Managed Database on one Private Network and an Instance on a different Private Network.
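Review bot: the rewritten Solution 1 sentence (new line 151) keeps `10.0.0.1/24` as the source range for `frontend-net`, which is not a valid network prefix: with a /24 mask it designates the same `10.0.0.0/24` block already used for `backend-net`, so the second **Deny** rule would duplicate the first and traffic from `frontend-net` would not be blocked, contradicting the sentence's own conclusion that both networks are blocked from reaching `vpn-gateway-host`. Since `monitoring-net` is `10.0.2.0/24` (line 159 of the removed Solution 3), the intended value is most likely `10.0.1.0/24`; please confirm against the example's network plan and fix the prefix while touching this line. The completion of the sentence with "and `frontend-net` from accessing `vpn-gateway-host`" is correct and fixes the previously truncated conclusion. On the deletion of Solution 3: the removed paragraph was the only one explaining that custom routes can be scoped by source range, so if that option is still supported it may be worth keeping a one-line mention; if it was removed because the behavior is no longer supported, a note in the commit message would help reviewers.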