17 votesAndy Johnson commented
Agree, creating custom RBAC roles is somewhat of a pain. Would be nice if you had a RBAC Role builder UI, which could both a) browse permissions and b) evaluate roles and effective permissions for SPN's/accounts/whatever.
We’re working on planning this feature.
We understand the need for this capability and are looking at ways to solve this. At this time we do not have any timelines to share however but your comments help raise the priority for getting it done.- Altaf T
This remains on our long-term backlog as something we want to offer.
We don’t have plans to provide this in the near term. there’s a potential workaround by using VM’s with multiple interfaces. I’ve added documenting this scenario to our doc backlog.
— ChristianAndy Johnson commented
Yes, this is a really common problem, I am surprised it's not addressed in ILB. You don't even need multiple services to trigger this bug: a single VIP, serving two VM's. If your VM's have to make a self-referencing call (to the ILB VIP), the Source NAT rules don't treat it any differently!
This means if VM1(client) makes call to ILB VIP, and ILB VIP load balances back to VM1(server), the *initial* SYN packet makes it's way to ILB VIP, no problem. When the ILB VIP forwards the packet to VM1(server), the Source NAT steps in, and changes the source IP to become VM1 (just, likely with a different port, for translation purposes). VM1(server) replies to that packet, but since the reply destination is ITS OWN IP, it doesn't leave the network interface.
I am pretty sure most mature load balancers address this by performing NAT translation of any requests coming from the real servers, with a destination of any of the hosted VIPs, to an IP address OTHER than their own.