fix explainability

np-guard · Oct 21, 2024 · a8f26d9 · a8f26d9
1 parent aaf2f5a
commit a8f26d9
Show file tree

Hide file tree

Showing 21 changed files with 136 additions and 60 deletions.
diff --git a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt
@@ -3,12 +3,12 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/8 (external)
 ========================================================================
 
-Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP
+Connections from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16: protocol: UDP
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/16
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
 
 ------------------------------------------------------------------------------------------------------------------------
 

diff --git a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt
@@ -3,12 +3,12 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/8 (external)
 ============================================================================
 
-Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP
+Connections from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16: protocol: UDP
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/16
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
 
 
 Details:

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt
@@ -3,12 +3,12 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/16 (external)
 =========================================================================
 
-Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP
+Connections from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16: protocol: UDP
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/16
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
 
 
 Details:

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt
@@ -3,12 +3,12 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/15 (external)
 =============================================================================
 
-Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP
+Connections from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16: protocol: UDP
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/16
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
 
 
 Details:

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt
@@ -3,13 +3,13 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/16 (external)
 ===============================================================================================
 
-Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: UDP src-ports: 1-600 dst-ports: 1-50"
+Connections are allowed from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16 using "protocol: UDP src-ports: 1-600 dst-ports: 1-50"
 (note that not all queried protocols/ports are allowed)
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/16
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
 
 
 Details:

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt
@@ -3,12 +3,12 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/16 (external)
 ===============================================================================================
 
-Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: UDP"
+Connections are allowed from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16 using "protocol: UDP"
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/16
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
 
 
 Details:

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt
@@ -3,10 +3,10 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/16 (external)
 ===============================================================================================
 
-No connectivity from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: TCP";
+No connectivity from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16 using "protocol: TCP";
 	connection is blocked at egress
 
-External traffic via PublicGateway: public-gw-ky
+External traffic via ServiceNetwork: serviceNetwork
 Egress: security group sg1-ky allows connection; network ACL acl1-ky blocks connection
 
 Path:

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt
@@ -3,13 +3,13 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/16 (external)
 =========================================================================
 
-Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: All Connections
+Connections from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16: All Connections
 	TCP response is blocked
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/16
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
 
 
 Details:

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt
@@ -3,13 +3,13 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/16 (external)
 ===============================================================================================
 
-Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: TCP"
+Connections are allowed from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16 using "protocol: TCP"
 	TCP response is blocked
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/16
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
 
 
 Details:

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt
@@ -3,12 +3,12 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/16 (external)
 ======================================================================================================
 
-Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: UDP"
+Connections are allowed from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16 using "protocol: UDP"
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/16
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
 
 
 Details:

diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt
@@ -3,12 +3,12 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/16 (external)
 ===============================================================================================
 
-Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: UDP"
+Connections are allowed from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16 using "protocol: UDP"
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/16
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
 
 
 Details:

diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt
@@ -3,12 +3,12 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/16 (external)
 ====================================================================================================================================
 
-Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: UDP src-ports: 10-100 dst-ports: 443"
+Connections are allowed from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16 using "protocol: UDP src-ports: 10-100 dst-ports: 443"
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/16
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
 
 
 Details:

diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt
@@ -3,12 +3,12 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/20 (external)
 ===========================================================================================================================================================================
 
-Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/20 using "protocol: UDP src-ports: 10-100 dst-ports: 443"
+Connections are allowed from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/20 using "protocol: UDP src-ports: 10-100 dst-ports: 443"
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/20
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/20
 
 
 Details:

diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt
@@ -3,12 +3,12 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/12 (external)
 ================================================================================================================================
 
-Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: UDP src-ports: 10-100 dst-ports: 443"
+Connections are allowed from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16 using "protocol: UDP src-ports: 10-100 dst-ports: 443"
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/16
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
 
 
 Details:

diff --git a/...ibmvpc/examples/out/explain_out/SGInternal3SrcToExternalGroup_all_vpcs_explain_detail.txt b/...ibmvpc/examples/out/explain_out/SGInternal3SrcToExternalGroup_all_vpcs_explain_detail.txt
@@ -3,7 +3,59 @@ Interpreted source(s): vsi3a-ky[10.240.30.5], vsi3b-ky[10.240.30.4], db-endpoint
 Interpreted destination(s): 161.26.0.0/8 (external)
 ===============================================================================
 
-No connectivity from db-endpoint-gateway-ky[10.240.30.6] to Public Internet 161.0.0.0/8;
+Connections from db-endpoint-gateway-ky[10.240.30.6] to Service Network 161.26.0.0/16: All Connections
+
+Path:
+	db-endpoint-gateway-ky[10.240.30.6] -> security group sg3-ky -> network ACL acl3-ky -> subnet subnet3-ky -> 
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
+
+
+Details:
+~~~~~~~~
+Path is enabled; The relevant rules are:
+	Egress:
+		security group sg3-ky allows connection with the following allow rules
+			id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all
+			id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp,  dstPorts: 1-65535
+			id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp,  dstPorts: 100-200
+		network ACL acl3-ky allows connection with the following allow rules
+			name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all
+
+TCP response is enabled; The relevant rules are:
+	Ingress:
+		network ACL acl3-ky allows connection with the following allow rules
+			name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all
+
+------------------------------------------------------------------------------------------------------------------------
+
+Connections from vsi3a-ky[10.240.30.5] to Service Network 161.26.0.0/16: All Connections
+
+Path:
+	vsi3a-ky[10.240.30.5] -> security group sg3-ky -> network ACL acl3-ky -> subnet subnet3-ky -> 
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
+
+
+Details:
+~~~~~~~~
+Path is enabled; The relevant rules are:
+	Egress:
+		security group sg3-ky allows connection with the following allow rules
+			id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all
+			id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp,  dstPorts: 1-65535
+			id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp,  dstPorts: 100-200
+		network ACL acl3-ky allows connection with the following allow rules
+			name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all
+
+TCP response is enabled; The relevant rules are:
+	Ingress:
+		network ACL acl3-ky allows connection with the following allow rules
+			name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all
+
+------------------------------------------------------------------------------------------------------------------------
+
+No connectivity from db-endpoint-gateway-ky[10.240.30.6] to Public Internet 161.0.0.0-161.25.255.255,161.27.0.0-161.255.255.255;
 	connection is blocked because there is no resource for external connectivity
 
 Egress: security group sg3-ky allows connection; network ACL acl3-ky allows connection
@@ -26,7 +78,7 @@ Path is disabled; The relevant rules are:
 
 ------------------------------------------------------------------------------------------------------------------------
 
-No connectivity from vsi3a-ky[10.240.30.5] to Public Internet 161.0.0.0/8;
+No connectivity from vsi3a-ky[10.240.30.5] to Public Internet 161.0.0.0-161.25.255.255,161.27.0.0-161.255.255.255;
 	connection is blocked because there is no resource for external connectivity
 
 Egress: security group sg3-ky allows connection; network ACL acl3-ky allows connection
@@ -49,7 +101,7 @@ Path is disabled; The relevant rules are:
 
 ------------------------------------------------------------------------------------------------------------------------
 
-No connectivity from vsi3b-ky[10.240.30.4] to Public Internet 161.0.0.0/8;
+No connectivity from vsi3b-ky[10.240.30.4] to Public Internet 161.0.0.0-161.25.255.255,161.27.0.0-161.255.255.255;
 	connection is blocked at egress and because there is no resource for external connectivity
 
 Egress: security group sg2-ky does not allow connection; network ACL acl3-ky allows connection
@@ -68,3 +120,23 @@ Path is disabled; The relevant rules are:
 
 ------------------------------------------------------------------------------------------------------------------------
 
+No connectivity from vsi3b-ky[10.240.30.4] to Service Network 161.26.0.0/16;
+	connection is blocked at egress
+
+External traffic via ServiceNetwork: serviceNetwork
+Egress: security group sg2-ky does not allow connection; network ACL acl3-ky allows connection
+
+Path:
+	vsi3b-ky[10.240.30.4] -> | security group sg2-ky |
+
+
+Details:
+~~~~~~~~
+Path is disabled; The relevant rules are:
+	Egress:
+		security group sg2-ky has no relevant rules
+		network ACL acl3-ky allows connection with the following allow rules
+			name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all
+
+------------------------------------------------------------------------------------------------------------------------
+
diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt
@@ -3,12 +3,12 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/16 (external)
 =========================================================================
 
-Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP
+Connections from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/16: protocol: UDP
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/16
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/16
 
 
 Details:

diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG2_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG2_all_vpcs_explain.txt
@@ -3,13 +3,13 @@ Interpreted source(s): 161.26.0.0/16 (external)
 Interpreted destination(s): vsi1-ky[10.240.10.4]
 =========================================================================
 
-No connectivity from Public Internet 161.26.0.0/16 to vsi1-ky[10.240.10.4];
+No connectivity from Service Network 161.26.0.0/16 to vsi1-ky[10.240.10.4];
 	connection is blocked at ingress and because there is no resource for external connectivity
 
 Ingress: network ACL acl1-ky allows connection; security group sg1-ky does not allow connection
 
 Path:
-	Public Internet 161.26.0.0/16 -> 
+	Service Network 161.26.0.0/16 -> 
 	| no resource for external connectivity |
 
 ------------------------------------------------------------------------------------------------------------------------

diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt
@@ -3,12 +3,12 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 161.26.0.0/32 (external)
 =========================================================================
 
-Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/32: protocol: UDP
+Connections from vsi1-ky[10.240.10.4] to Service Network 161.26.0.0/32: protocol: UDP
 
 Path:
 	vsi1-ky[10.240.10.4] -> security group sg1-ky -> network ACL acl1-ky -> subnet subnet1-ky -> 
-	PublicGateway public-gw-ky -> 
-	Public Internet 161.26.0.0/32
+	ServiceNetwork serviceNetwork -> 
+	Service Network 161.26.0.0/32
 
 
 Details:

diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG4_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG4_all_vpcs_explain.txt
@@ -3,9 +3,10 @@ Interpreted source(s): vsi3b-ky[10.240.30.4]
 Interpreted destination(s): 161.26.0.0/32 (external)
 ==========================================================================
 
-No connectivity from vsi3b-ky[10.240.30.4] to Public Internet 161.26.0.0/32;
-	connection is blocked at egress and because there is no resource for external connectivity
+No connectivity from vsi3b-ky[10.240.30.4] to Service Network 161.26.0.0/32;
+	connection is blocked at egress
 
+External traffic via ServiceNetwork: serviceNetwork
 Egress: security group sg2-ky does not allow connection; network ACL acl3-ky allows connection
 
 Path: