From bc2b19f387a1399fa827e159ac98fd8bd3613979 Mon Sep 17 00:00:00 2001 From: Wei Zhou Date: Fri, 19 Sep 2025 10:33:50 +0200 Subject: [PATCH] Clarification of Network ACL rules and Security group rules --- source/adminguide/networking/security_groups.rst | 5 +++++ .../adminguide/networking/virtual_private_cloud_config.rst | 2 ++ 2 files changed, 7 insertions(+) diff --git a/source/adminguide/networking/security_groups.rst b/source/adminguide/networking/security_groups.rst index 241ef1c1ff..e17a878f91 100644 --- a/source/adminguide/networking/security_groups.rst +++ b/source/adminguide/networking/security_groups.rst @@ -216,6 +216,11 @@ Adding Ingress and Egress Rules to a Security Group #. Click Add. +.. note:: +- If there is no Egress rule in a Security Group, all the outgoing traffic will be allowed +- If there are Egress rules in a Security Group, only the outgoing traffic which match a Egress rule will be allowed +- Only the incoming traffic which match a Ingress rule will be allowed + .. |httpaccess.png| image:: /_static/images/http-access.png :alt: allows inbound HTTP access from anywhere. diff --git a/source/adminguide/networking/virtual_private_cloud_config.rst b/source/adminguide/networking/virtual_private_cloud_config.rst index 9edcc5c591..c656128bd8 100644 --- a/source/adminguide/networking/virtual_private_cloud_config.rst +++ b/source/adminguide/networking/virtual_private_cloud_config.rst @@ -355,6 +355,8 @@ Afterwards traffic can be white- or blacklisted. - ACL rules for ingress and egress are not correlating. For example a egress "deny all" won't affect traffic in response to an allowed ingress connection +- The incoming traffic which does not match any ACL rules will be denied +- The outgoing traffic which does not match any ACL rules will be allowed Creating ACLs
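Review bot: In the security_groups.rst hunk, the third bullet of the new note ("Only the incoming traffic which match a Ingress rule will be allowed") leaves the no-rule case implicit, while the first bullet spells it out for egress. State explicitly that a Security Group with no Ingress rule allows no incoming traffic. The first two bullets together mean that adding the first Egress rule switches outgoing traffic from allow-all to allow-only-matching; say so in one sentence, since it changes what instances already in the group can reach. Wording: "a Egress rule" and "a Ingress rule" should read "an Egress rule" and "an Ingress rule", and "traffic which match" should read "traffic that matches". As the patch appears here, the bullets follow `.. note::` directly, so check that the source has a blank line after the directive and that the bullets are indented under it. Otherwise they will not render inside the note.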
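Review bot: In the virtual_private_cloud_config.rst hunk, the two added bullets state the ACL defaults (unmatched incoming traffic denied, unmatched outgoing traffic allowed) without saying that the egress behaviour differs from the Security Group note added in the same patch, where outgoing traffic becomes allow-only-matching once an Egress rule exists. Since the commit is meant to clarify both, add a clause making the contrast explicit, and state that restricting outbound traffic from a VPC tier therefore requires an explicit deny rule. Wording: "does not match any ACL rules" reads better as "does not match any ACL rule". Also check that the new bullets carry the same indentation as the preceding "ACL rules for ingress and egress are not correlating" item so they stay in the same list.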