Security group allows public access despite restricting to specific subnet

Bug #1026350 reported by Ashu Sharma
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

When I open a port in a security group and specify that it stays open only to its project VLAN, once applied, that port is opened to the public.

I see this happen on these two versions of nova:
nova version: 2011.3-dev (2011.3-workspace:tarmac-20110617180219-fd1htxqerc14otr3)
nova version: 2011.3 (2011.3-nova-milestone-tarball:tarmac-20110922115702-k9nkvxqzhj130av2)

Please advise.

Thierry Carrez (ttx) wrote :

Could you paste the commands you used, to exactly reproduce the issue?

Changed in nova:
status: New → Incomplete
Ashu Sharma (as282d) wrote :

Here is an example. My project vlan is 10.4.57.0/24

|=> euca-authorize -P tcp -s 10.4.57.0/24 -p 22 myservers

|=> euca-describe-groups-2.7
GROUP ashusb ashusb-vpn Group for vpn
PERMISSION ashusb ashusb-vpn ALLOWS udp 1194 1194 FROM CIDR 0.0.0.0/0
PERMISSION ashusb ashusb-vpn ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
GROUP ashusb default default
GROUP ashusb myservers test
PERMISSION ashusb myservers ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION ashusb myservers ALLOWS tcp 8080 8080 FROM CIDR 0.0.0.0/0
PERMISSION ashusb myservers ALLOWS tcp 22 22 FROM CIDR 10.4.57.0/24

|=> euca-run-instances ami-000000bd -k as282d -g myservers

|=> euca-allocate-address-2.7
ADDRESS 12.208.178.202

|=> euca-associate-address-2.7 12.208.178.202 -i i-00004f4f
ADDRESS 12.208.178.202 i-00004f4f

After I associate a public IP, then I am able to ssh through the public IP from a public terminal, even though the security group only specifies IPs in the project VLAN. If I were to specify a different project VLAN, say 10.4.45.0/24, then port 22 is blocked as expected from the public internet.

Thierry Carrez (ttx)
Changed in nova:
status: Incomplete → New
Vish Ishaya (vishvananda) wrote :

I'm curious if there is a messed up setting on the network host. It appears that incoming traffic looks like it is coming from the network host instead of the public address. Is it possible that you have masquerading turned on in the network host?

Changed in nova:
status: New → Incomplete
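
As an added example (not from the bug report and not nova's own code), the following Python script reconstructs the two checks the thread points at: it parses the euca-describe-groups listing posted above, looks for a source-NAT (MASQUERADE/SNAT) rule in the POSTROUTING chain of a constructed `iptables -t nat -S` excerpt from the network host, and reports which CIDR-restricted rules a masqueraded external connection would still match. The rule on port 22 is flagged only when the rewritten source address falls inside its CIDR, which matches the reporter's observation that 10.4.45.0/24 blocked public SSH while 10.4.57.0/24 did not. The bridge name br100, the network host's VLAN address 10.4.57.1, the DNAT target 10.4.57.3 and the MASQUERADE line itself are assumptions, not values from the report.

```python
import ipaddress
import re

# Security-group listing exactly as posted in the bug report.
DESCRIBE_GROUPS_OUTPUT = """\
GROUP ashusb ashusb-vpn Group for vpn
PERMISSION ashusb ashusb-vpn ALLOWS udp 1194 1194 FROM CIDR 0.0.0.0/0
PERMISSION ashusb ashusb-vpn ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
GROUP ashusb default default
GROUP ashusb myservers test
PERMISSION ashusb myservers ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION ashusb myservers ALLOWS tcp 8080 8080 FROM CIDR 0.0.0.0/0
PERMISSION ashusb myservers ALLOWS tcp 22 22 FROM CIDR 10.4.57.0/24
"""

# Constructed `iptables -t nat -S` excerpt for the network host (not captured
# output). The DNAT line maps the floating IP from the report to an assumed
# fixed IP; the MASQUERADE line is the hypothetical misconfiguration that would
# rewrite every forwarded packet's source to the host's own VLAN address.
NAT_RULES_OUTPUT = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 12.208.178.202/32 -j DNAT --to-destination 10.4.57.3
-A POSTROUTING -o br100 -j MASQUERADE
"""

PROJECT_BRIDGE = "br100"            # assumed bridge name for the project VLAN
NETWORK_HOST_VLAN_IP = "10.4.57.1"  # assumed address of the network host on that VLAN

PERMISSION_RE = re.compile(
    r"^PERMISSION\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+ALLOWS\s+(?P<proto>\S+)\s+"
    r"(?P<from_port>-?\d+)\s+(?P<to_port>-?\d+)\s+FROM\s+CIDR\s+(?P<cidr>\S+)$"
)


def parse_permissions(text):
    """Turn PERMISSION lines from euca-describe-groups into rule dicts."""
    rules = []
    for line in text.splitlines():
        m = PERMISSION_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["cidr"] = ipaddress.ip_network(rule["cidr"])
            rules.append(rule)
    return rules


def masquerade_rules(nat_text, bridge):
    """POSTROUTING rules that source-NAT traffic leaving via `bridge` (or any interface)."""
    hits = []
    for line in nat_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[:2] != ["-A", "POSTROUTING"]:
            continue
        if "-j MASQUERADE" not in line and "-j SNAT" not in line:
            continue
        # A rule bound to a different outgoing interface does not touch VLAN-bound packets.
        if "-o" in parts and f"-o {bridge}" not in line:
            continue
        hits.append(line)
    return hits


def unexpectedly_public(rules, group, nat_text, bridge, snat_source):
    """CIDR-restricted rules in `group` that still admit public traffic when the
    network host masquerades floating-IP connections: the rewritten source
    address falls inside the rule's CIDR, so the restriction no longer bites."""
    if not masquerade_rules(nat_text, bridge):
        return []
    src = ipaddress.ip_address(snat_source)
    return [
        r for r in rules
        if r["group"] == group
        and r["cidr"].prefixlen > 0      # 0.0.0.0/0 rules are public by design
        and src in r["cidr"]
    ]


if __name__ == "__main__":
    rules = parse_permissions(DESCRIBE_GROUPS_OUTPUT)
    for line in masquerade_rules(NAT_RULES_OUTPUT, PROJECT_BRIDGE):
        print("source-NAT on project bridge:", line)
    for r in unexpectedly_public(rules, "myservers", NAT_RULES_OUTPUT,
                                 PROJECT_BRIDGE, NETWORK_HOST_VLAN_IP):
        print(f"{r['proto']} {r['from_port']}-{r['to_port']} from {r['cidr']} "
              f"is reachable via the floating IP despite the CIDR restriction")
```

On a real network host the two inputs would come from `euca-describe-groups` and `iptables -t nat -S`; the useful outcome of the check is either an empty list (the CIDR restriction holds) or the exact rules that a masquerading network host silently turns into public ones.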
Vish Ishaya (vishvananda) wrote :

Also, can you verify whether you are running with more than one nova-network, and whether nova-network is running on the same host as nova-compute or on a different host?

Thierry Carrez (ttx) wrote :

We cannot solve the issue you reported without more information. Could you please provide the requested information?

Davanum Srinivas (DIMS) (dims-v) wrote :

This bug lacks the necessary information to effectively reproduce and fix it, therefore it has been closed. Feel free to reopen the bug by providing the requested information and set the bug status back to 'New'.

Changed in nova:
status: Incomplete → Invalid