vShield Boundaries: Inside and Outside

I was looking for a simple definition for the Source and Destination boundaries in vShield.  They have two radio buttons marked “Inside” and “Outside,” but the documentation is pretty unclear until you understand what it means…but then you wouldn’t need the documentation…

Googling this, the only real definition I found was from a Markus Schmidt blog post in German.  That ended up right in my wheelhouse…

For English speakers who haven’t translated the article, setting the Source boundary to “Inside” means that you want the rule to apply to the object you entered into the Source field.  “Outside,” on the other hand, means you want the rule to apply to everything not a part of that group.

In Markus’s first example, he has his source set to renton.ifus.de and the Source boundary set to Inside; his destination is Win7Flex, and the Destination boundary is Inside.  This means that the rule pertains to any traffic whose source matches renton.ifus.de and whose destination is a host in the Win7Flex group.  The image indicates that traffic will be blocked.

If he had set the Source boundary to Outside instead, the rule would block traffic to Win7Flex from every source except renton.ifus.de.
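
To make the difference concrete, here is a small model of the two boundary settings, added as an illustration; it is not vShield code and does not use any vShield API. The object names come from the example above, while the IP addresses, the first-match rule order, and the default "allow" action are assumptions made up for the model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory: names are from the post, addresses are invented (documentation ranges).
OBJECTS = {
    "renton.ifus.de": ["192.0.2.10/32"],
    "Win7Flex": ["198.51.100.0/28"],
}

def side_matches(ip, name, boundary):
    """Inside: ip belongs to the named object. Outside: ip is anything else."""
    if boundary not in ("Inside", "Outside"):
        raise ValueError(f"unknown boundary: {boundary!r}")
    addr = ipaddress.ip_address(ip)
    member = any(addr in ipaddress.ip_network(net) for net in OBJECTS[name])
    return member if boundary == "Inside" else not member

@dataclass(frozen=True)
class Rule:
    source: str
    source_boundary: str
    destination: str
    destination_boundary: str
    action: str

    def matches(self, src_ip, dst_ip):
        return (side_matches(src_ip, self.source, self.source_boundary)
                and side_matches(dst_ip, self.destination, self.destination_boundary))

def decide(rules, src_ip, dst_ip, default="allow"):
    """First matching rule wins; the default action is an assumption of this model."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return default

INSIDE_RULE = Rule("renton.ifus.de", "Inside", "Win7Flex", "Inside", "block")
OUTSIDE_RULE = Rule("renton.ifus.de", "Outside", "Win7Flex", "Inside", "block")
FLOWS = [  # constructed (source, destination) pairs
    ("192.0.2.10", "198.51.100.5"),   # renton.ifus.de -> Win7Flex member
    ("203.0.113.7", "198.51.100.5"),  # some other host -> Win7Flex member
    ("192.0.2.10", "203.0.113.99"),   # renton.ifus.de -> host not in Win7Flex
]

def compare():
    """Return (src, dst, action with Source=Inside, action with Source=Outside)."""
    return [(s, d, decide([INSIDE_RULE], s, d), decide([OUTSIDE_RULE], s, d)) for s, d in FLOWS]

if __name__ == "__main__":
    for row in compare():
        print(*row)
```

Flipping only the Source boundary inverts which senders the rule catches, while traffic to hosts that are not in Win7Flex is untouched by either version.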