Networking Scope

The network and subnet both have a scope property that controls access to other networks/subnets. The scope is an "immutable" set of rules that the firewall rules cannot override. The table below explains the possible scope values.

The default scope, if not defined, is private-no-internet.

Networking Scope Values

Scope                   Behavior
----------------------  ------------------------------------------------------------------
public                  Allows access to and from the Internet. Firewalls and default network policy can modify this access. Devices with public Internet addresses can be communicated with directly by any other Internet device.
private-with-internet   No inbound traffic is allowed from the Internet. However, outbound Internet traffic is allowed (and corresponding responses) by default. Hosts on a private-with-internet subnet can communicate with other hosts in the network by default.
private-no-internet     No inbound or outbound Internet traffic is allowed. Hosts in private-no-internet subnets can communicate with hosts in the network by default.
isolated                No traffic is allowed to enter or leave the network or subnet declared isolated.

If a compute.nic has a public interface, the subnet it is connected to must also be declared public. The firewall rules and network default policy must also allow traffic to pass.

If a subnet is declared public, the corresponding network must also be public. A private-with-internet subnet must be on a network that is either public, or private-with-internet.

When a network or subnet is referred to as public, it simply means that it has scope: public. Similarly, an isolated network or subnet has scope: isolated. Because the default scope is private-no-internet, there is no need to define the scope for a private-no-internet network or subnet definition -- it is implied if the property is not called out, but it is harmless to include the property definition.
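The consistency rules above (public subnet requires public network, private-with-internet subnet requires a public or private-with-internet network, public nic requires public subnet, missing scope means private-no-internet) are easy to get wrong in a large definition. The following validator is an added example, not the product's own tooling; the dictionary layout of networks, subnets and nics is a constructed illustration and is assumed, not the real configuration format. It reports every violation of the stated rules so a definition can be checked before it is applied.

```python
"""Check a network/subnet/nic definition against the scope rules on this page.

Added example: the topology dict format below is constructed for illustration
and assumed; it is not the product's own configuration format.
"""

# Default applied when a network or subnet does not declare a scope.
DEFAULT_SCOPE = "private-no-internet"
VALID_SCOPES = {"public", "private-with-internet", "private-no-internet", "isolated"}

# Network scopes on which a subnet of the given scope may be placed
# (only the combinations the page states; other subnet scopes are unconstrained here).
ALLOWED_NETWORK_SCOPES = {
    "public": {"public"},
    "private-with-internet": {"public", "private-with-internet"},
}


def effective_scope(obj):
    """Return the declared scope, or the implied default when absent."""
    return obj.get("scope", DEFAULT_SCOPE)


def validate(topology):
    """Return a list of rule violations; an empty list means the definition is consistent."""
    errors = []
    networks = {n["name"]: n for n in topology.get("networks", [])}
    subnets = {s["name"]: s for s in topology.get("subnets", [])}

    # Unknown scope values are rejected up front.
    for name, obj in list(networks.items()) + list(subnets.items()):
        if effective_scope(obj) not in VALID_SCOPES:
            errors.append(f"{name}: unknown scope {effective_scope(obj)!r}")

    # Subnet scope must be compatible with the scope of its network.
    for sname, subnet in subnets.items():
        net = networks.get(subnet["network"])
        if net is None:
            errors.append(f"subnet {sname}: references unknown network {subnet['network']!r}")
            continue
        sscope = effective_scope(subnet)
        required = ALLOWED_NETWORK_SCOPES.get(sscope)
        if required and effective_scope(net) not in required:
            errors.append(
                f"subnet {sname} ({sscope}) requires network {net['name']} to have scope "
                f"in {sorted(required)}, found {effective_scope(net)!r}"
            )

    # A nic with a public interface must sit on a public subnet.
    for nic in topology.get("nics", []):
        if not nic.get("public"):
            continue
        subnet = subnets.get(nic["subnet"])
        if subnet is None:
            errors.append(f"nic {nic['name']}: references unknown subnet {nic['subnet']!r}")
        elif effective_scope(subnet) != "public":
            errors.append(
                f"nic {nic['name']} is public but subnet {nic['subnet']} has scope "
                f"{effective_scope(subnet)!r}, expected 'public'"
            )
    return errors


# Constructed sample definition containing two deliberate violations.
SAMPLE_TOPOLOGY = {
    "networks": [
        {"name": "edge-net", "scope": "public"},
        {"name": "app-net"},  # no scope: private-no-internet by default
    ],
    "subnets": [
        {"name": "dmz", "network": "edge-net", "scope": "public"},
        {"name": "workers", "network": "app-net", "scope": "private-with-internet"},  # violation
        {"name": "db", "network": "app-net"},  # private-no-internet by default
    ],
    "nics": [
        {"name": "web0", "subnet": "dmz", "public": True},
        {"name": "worker0", "subnet": "workers", "public": True},  # violation
        {"name": "db0", "subnet": "db", "public": False},
    ],
}

if __name__ == "__main__":
    for problem in validate(SAMPLE_TOPOLOGY):
        print("VIOLATION:", problem)
```

Running the block reports two violations: the private-with-internet subnet placed on a network whose implied scope is private-no-internet, and the public nic attached to a non-public subnet. The validator only encodes the combinations the page states; it does not infer additional rules for private-no-internet or isolated subnets.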
