Known issues for security groups and network ACLs

Known issues are identified bugs or unexpected behaviors that were not fixed before release, but weren’t critical enough to delay it. These issues are communicated to you, often with workarounds, and are prioritized for resolution in the near term by the development team.

Warning: Do NOT create a rule with a previously unsupported protocol value in your production environments until further notice. Creating a rule with one of these new protocol values anywhere in your VPC can break your existing Kubernetes and OpenShift clusters. It can also break any other component that makes security group or network ACL API requests through an SDK, or through a custom API client that does not handle these new protocol values properly. Work is ongoing to resolve these issues. Until the known issues have been resolved, the UI and the current latest version of the CLI will not allow rules with previously unsupported protocol values to be created.

Known issues for security groups and network ACLs are as follows:

  • Security group and network ACL rule support for any protocol, including issues with older SDKs, CLIs, and Terraform providers:
    • When a security group or network ACL rule is created with a protocol value that was previously unsupported, older versions of some tools that use the API can fail. The following tools may experience an error (crash) when retrieving or listing rules that have a previously unsupported protocol value:
  • Security group and network ACL rules with the ESP protocol:
    • Network traffic with the ESP protocol is currently supported by instances with generation 2 profiles. Instances with newer generation profiles, and all bare metal servers, do not currently support ESP traffic.
    • Configuring a security group rule with a protocol value of esp or any will not allow ESP traffic when the security group targets a network interface for an instance with a newer generation profile or a bare metal server.
    • To avoid confusion about where ESP traffic is supported, the ESP protocol is not shown in the IBM Cloud console options for security group and network ACL rules. Support for ESP traffic on newer generation instance profiles and on bare metal servers may be available in a future release.
  • Known issues for vpc-go-sdk:
    • Security Group rules and Network ACL rules backward compatibility issue
      • Publication date: 2025-12-18
      • Affected component: vpc-go-sdk
      • Affected operations: Security group rules and Network ACL rules
      • Issue summary: Following the new support for all IPv4 protocols in network ACL and security group rules, earlier versions of the Go SDK must be updated to avoid the following parsing error when they handle rules that use the new protocols:
        error unmarshalling vpcv1.SecurityGroupCollection: error unmarshalling property 'security_groups' as []vpcv1.SecurityGroup: error unmarshalling property 'rules' as []vpcv1.SecurityGroupRuleIntf: unrecognized value for discriminator property 'protocol': any
        
      • The patched SDKs implement the correct fallback behavior and error identifiers with the correct model name (for example, NetworkACLRule instead of NetworkACLRuleItem).
      • Migration and mitigation: To mitigate this issue, migrate the vpc-go-sdk to the latest version (v0.78.0) or any of the following patched versions: v0.77, v0.76, v0.75, v0.74, v0.73, v0.72, v0.71, v0.70, v0.69, or v0.68.
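As an added illustration of the parsing failure described above (example code written for this page, not the vpc-go-sdk's own implementation): a minimal Go decoder with a strict mode that, like an un-patched client, fails the whole list as soon as it meets a protocol value outside the legacy set, and a tolerant mode that keeps every rule and reports the IDs of rules using previously unsupported protocol values, so you can audit for them before older clients encounter them. The rule shape, the legacy protocol set, and the rule IDs are constructed assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Protocol values that older clients knew how to discriminate on (assumed
// set for this example). Anything else is "previously unsupported" to them.
var legacyProtocols = map[string]bool{"all": true, "tcp": true, "udp": true, "icmp": true}

// Rule is a minimal model of a security group or network ACL rule,
// constructed for this example (not the vpc-go-sdk's type).
type Rule struct {
	ID        string `json:"id"`
	Direction string `json:"direction"`
	Protocol  string `json:"protocol"`
}

// DecodeRules parses a rule collection. In strict mode one unknown
// protocol fails the whole list (mimicking the un-patched behavior);
// in tolerant mode every rule is kept and non-legacy rule IDs are returned.
func DecodeRules(data []byte, strict bool) ([]Rule, []string, error) {
	var c struct{ Rules []Rule `json:"rules"` }
	if err := json.Unmarshal(data, &c); err != nil {
		return nil, nil, err
	}
	var flagged []string
	for _, r := range c.Rules {
		if legacyProtocols[r.Protocol] {
			continue
		}
		if strict {
			return nil, nil, fmt.Errorf("unrecognized value for discriminator property 'protocol': %s", r.Protocol)
		}
		flagged = append(flagged, r.ID)
	}
	return c.Rules, flagged, nil
}

// SampleRules is a constructed payload; the IDs are placeholders, not real resource IDs.
const SampleRules = `{"rules":[
 {"id":"rule-1","direction":"inbound","protocol":"tcp"},
 {"id":"rule-2","direction":"inbound","protocol":"any"},
 {"id":"rule-3","direction":"outbound","protocol":"esp"}]}`

func main() {
	_, _, err := DecodeRules([]byte(SampleRules), true)
	_, flagged, _ := DecodeRules([]byte(SampleRules), false)
	fmt.Printf("strict: %v\ntolerant, flagged rule IDs: %v\n", err, flagged)
}
```

Running the tolerant mode against a real rules listing (with the legacy set adjusted to what your oldest client supports) tells you which rules will trip that client before you upgrade it.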