17 votesAndy Johnson commented
Agree, creating custom RBAC roles is somewhat of a pain. Would be nice if you had a RBAC Role builder UI, which could both a) browse permissions and b) evaluate roles and effective permissions for SPN's/accounts/whatever.
Thank you for suggesting this. This is in feature backlog and we’re looking at this again now.
This remains on our long-term backlog as something we want to offer.- Altaf T
This remains on our long-term backlog as something we want to offer.
Thank you for the submission. We’re looking at supporting this as an option to enable.Andy Johnson commented
Yes, this is a really common problem, I am surprised it's not addressed in ILB. You don't even need multiple services to trigger this bug: a single VIP, serving two VM's. If your VM's have to make a self-referencing call (to the ILB VIP), the Source NAT rules don't treat it any differently!
This means if VM1(client) makes call to ILB VIP, and ILB VIP load balances back to VM1(server), the *initial* SYN packet makes it's way to ILB VIP, no problem. When the ILB VIP forwards the packet to VM1(server), the Source NAT steps in, and changes the source IP to become VM1 (just, likely with a different port, for translation purposes). VM1(server) replies to that packet, but since the reply destination is ITS OWN IP, it doesn't leave the network interface.
I am pretty sure most mature load balancers address this by performing NAT translation of any requests coming from the real servers, with a destination of any of the hosted VIPs, to an IP address OTHER than their own.