In an existing Cloud Foundry application deployment, administrators may want to clear all existing firewall rules from an Application Security Group (ASG) without unbinding and deleting the ASG itself.
For example, an ASG named ASG is configured with the following rules:
$ cf security-group ASG
Getting info for security group ASG as admin...
name: ASG
rules:
[
{
"protocol": "icmp",
"destination": "0.0.0.0/0",
"type": 0,
"code": 0
}
]
To remove the rules, an administrator might attempt to pass a JSON file containing an empty rule object ([{}]):
$ cat asg.json
[
{
}
]
However, running the update command with this file fails with the following validation error:
$ cf update-security-group ASG asg.json
Updating security group ASG as admin...
Rules[0]: protocol must be 'tcp', 'udp', 'icmp', 'icmpv6' or 'all'
FAILED
Environment: Tanzu Platform for Cloud Foundry v6.x or v10.x
The Cloud Foundry API and CLI apply strict validation: every rule object in the JSON array must be fully defined and valid. When [{}] is passed, the CLI treats the empty object as a request to create a new rule, and that rule fails validation because the mandatory protocol parameter (along with destination and ports) is missing.
Cloud Foundry therefore does not support creating or updating an ASG with no rules at all, so an ASG cannot be kept as a persistent, empty placeholder.
Because an ASG cannot be created or updated with an empty rule set, the only supported way to completely remove the rules it applies is to unbind it from its associated spaces or lifecycle phases and then delete it from the foundation.
Step 1: Unbind the ASG
Depending on where the ASG is bound, you will need to unbind it from the staging phase, the running phase, or specific spaces.
# Example: Unbinding from the staging phase globally
$ cf unbind-staging-security-group ASG
# Example: Unbinding from the running phase globally
$ cf unbind-running-security-group ASG
(Note: Use cf unbind-security-group ASG ORG SPACE if it is bound to a specific space).
Step 2: Delete the ASG
Once it is safely unbound, delete the ASG from the system.
$ cf delete-security-group ASG
Default Deny Posture: Cloud Foundry application containers operate on a "default deny" networking posture for outbound traffic. If you completely unbind and delete an ASG, any outbound traffic that relied on those rules will be instantly blocked. Ensure that applications have other ASGs bound to them if they require outbound network access.
Reviewing Bindings: Before deleting an ASG, it is highly recommended to check where it is currently bound to avoid unintended application downtime.
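The following script ties the binding review together with Steps 1 and 2. It is an added example, not part of this article or of the cf CLI: it takes the ASG name and a previously captured listing from cf security-groups, works out every binding of that ASG, and prints the unbind commands followed by the delete command as a plan for an administrator to review before running anything. The listing embedded below is constructed sample output, and the column layout it assumes (name, organization, space, lifecycle, with <all> marking a global binding) is an assumption about the CLI's table format; verify it against your own cf version before relying on the parser.

```shell
#!/usr/bin/env bash
# Build a removal plan for an ASG from captured `cf security-groups` output.
# Nothing is executed here; the output is a list of commands to review.
set -eu

# Constructed sample of `cf security-groups` output (assumed column layout:
# name, organization, space, lifecycle; "<all>" means a global binding).
SAMPLE_LISTING='Getting security groups as admin...

name              organization   space     lifecycle
ASG               <all>          <all>     staging
ASG               <all>          <all>     running
ASG               acme-org       dev       running
public_networks   <all>          <all>     running'

# plan_asg_removal ASG_NAME LISTING
# Prints one unbind command per distinct binding of ASG_NAME found in LISTING,
# then the delete command. Global bindings map to the lifecycle-specific
# unbind commands; space bindings map to cf unbind-security-group ASG ORG SPACE.
plan_asg_removal() {
  local asg="$1" listing="$2"
  printf '%s\n' "$listing" | awk -v asg="$asg" '
    NF == 4 && $1 == asg {
      if ($2 == "<all>")
        cmd = "cf unbind-" $4 "-security-group " asg
      else
        cmd = "cf unbind-security-group " asg " " $2 " " $3
      # A space bound for both staging and running yields the same command
      # once; print each distinct command a single time.
      if (!(cmd in seen)) { seen[cmd] = 1; print cmd }
      found = 1
    }
    END {
      if (!found) print "# " asg " is not bound anywhere"
      print "cf delete-security-group " asg
    }'
}

# Usage: review the plan, then run the printed commands by hand.
plan_asg_removal ASG "$SAMPLE_LISTING"
```

In a live environment, capture the listing with listing="$(cf security-groups)" and pass it as the second argument; the awk filter ignores the header and progress lines because they do not match the ASG name in the first column.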