VMware is aware of this issue and being considered for inclusion in a future release. See the Workaround section below for additional information.
Workaround:
Use on-demand security groups instead of isolation network. See the blueprint YAML below:
formatVersion: 1
inputs: {}
resources:
Deny_Inbound_Outbound:
type: Cloud.SecurityGroup
properties:
securityGroupType: new
rules:
- access: Deny
source: ANY
direction: inbound
name: DenyOutboundFlows
- access: Deny
destination: ANY
direction: outbound
name: DenyInboundFlows
Allow_Infra_Traffic:
type: Cloud.SecurityGroup
properties:
securityGroupType: new
rules:
- access: Allow
source: ${resource.Deny_Inbound_Outbound.id}
direction: inbound
name: InboundInternalFlows
- access: Allow
destination: ${resource.Deny_Inbound_Outbound.id}
direction: outbound
name: OutboundInternalFlows
Cloud_Network_1:
type: Cloud.Network
properties:
networkType: existing
Cloud_Machine_1:
type: Cloud.Machine
properties:
count: 2
image: ubuntu
flavor: small
networks:
- network: ${resource.Cloud_Network_1.id}
securityGroups:
- ${resource.Deny_Inbound_Outbound.id}
- ${resource.Allow_Infra_Traffic.id}
Note: This workaround requires 2 security groups to be created instead of 1, but because of the explicit dependencies, the rules will always be created in the predictable order.