np-guard · ShiriMoran · Sep 9, 2024 · Sep 8, 2024 · Sep 8, 2024 · Sep 8, 2024
diff --git a/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt b/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.10.4 to vsi2-ky within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: vsi2-ky[10.240.20.4]
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): vsi2-ky[10.240.20.4]
 =======================================================================
 
 Connections from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4]: protocol: TCP,UDP

diff --git a/cmd/analyzer/subcmds/explain.go b/cmd/analyzer/subcmds/explain.go
@@ -27,8 +27,8 @@ const (
 	dstMaxPortFlag = "dst-max-port"
 	detailFlag     = "detail"
 
-	srcDstUsage = "endpoint; can be specified as a VSI name/CRN or an internal/external IP-address/CIDR;\n" +
-		"VSI name can be specified as <vsi-name> or  <vpc-name>/<vsi-name>"
+	srcDstUsage = "endpoint; can be specified as a VSI/subnet name/CRN or an internal/external IP-address/CIDR;\n" +
+		"VSI/subnet name can be specified as <vsi-name/subnet-name> or as <vpc-name>/<vsi-name/subnet-name>"
 )
 
 func NewExplainCommand(args *inArgs) *cobra.Command {

diff --git a/docs/vpcanalyzer_explain.md b/docs/vpcanalyzer_explain.md
@@ -20,10 +20,10 @@ vpcanalyzer explain [flags]
 ### Options
 
 ```
-      --src string         source endpoint for explanation; can be specified as a VSI name/CRN or an internal/external IP-address/CIDR;
-                           VSI name can be specified as <vsi-name> or  <vpc-name>/<vsi-name>
-      --dst string         destination endpoint for explanation; can be specified as a VSI name/CRN or an internal/external IP-address/CIDR;
-                           VSI name can be specified as <vsi-name> or  <vpc-name>/<vsi-name>
+      --src string         source endpoint for explanation; can be specified as a VSI/subnet name/CRN or as an internal/external IP-address/CIDR;
+                           VSI/subnet name can be specified as <vsi-name/subnet-name> or as <vpc-name>/<vsi-name/subnet-name>
+      --dst string         destination endpoint for explanation; can be specified as a VSI/subnet name/CRN or as an internal/external IP-address/CIDR;
+                           VSI/subnet name can be specified as <vsi-name/subnet-name> or as <vpc-name>/<vsi-name/subnet-name>
       --protocol string    protocol for connection description
       --src-min-port int   minimum source port for connection description (default 1)
       --src-max-port int   maximum source port for connection description (default 65535)

diff --git a/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 147.235.0.0/16 to 10.240.0.96 within mixed
-Interpreted source: 147.235.0.0/16 (external)
-Interpreted destination: p3[10.240.0.96]
+Interpreted source(s): 147.235.0.0/16 (external)
+Interpreted destination(s): p3[10.240.0.96]
 =======================================================================
 
 Connections from Public Internet 147.235.0.0/16 to p3[10.240.0.96]: protocol: TCP dst-ports: 9080

diff --git a/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.40.217 to 10.240.20.43 within vpc0
-Interpreted source: dashboard[10.240.40.217]
-Interpreted destination: app2[10.240.20.43]
+Interpreted source(s): dashboard[10.240.40.217]
+Interpreted destination(s): app2[10.240.20.43]
 ======================================================================
 
 Connections from dashboard[10.240.40.217] to app2[10.240.20.43]: All Connections

diff --git a/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.2.28 to 10.240.32.122 within mixed
-Interpreted source: p2[10.240.2.28]
-Interpreted destination: q2[10.240.32.122]
+Interpreted source(s): p2[10.240.2.28]
+Interpreted destination(s): q2[10.240.32.122]
 ======================================================================
 
 No connections from p2[10.240.2.28] to q2[10.240.32.122];

diff --git a/...wsvpc/examples/out/explain_out/same_subnet_partial_connection_all_vpcs_explain_detail.txt b/...wsvpc/examples/out/explain_out/same_subnet_partial_connection_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.32.122 to 10.240.32.91 within mixed
-Interpreted source: q2[10.240.32.122]
-Interpreted destination: q1[10.240.32.91]
+Interpreted source(s): q2[10.240.32.122]
+Interpreted destination(s): q1[10.240.32.91]
 =======================================================================
 
 Connections from q2[10.240.32.122] to q1[10.240.32.91]: protocol: UDP

diff --git a/pkg/awsvpc/examples/out/explain_out/subnet_to_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/subnet_to_subnet_all_vpcs_explain_detail.txt
@@ -0,0 +1,62 @@
+Explaining connectivity from private2 to private1 within mixed
+Interpreted source(s): r1[10.240.48.198]
+Interpreted destination(s): q2[10.240.32.122], q1[10.240.32.91]
+==============================================================
+
+Connections from r1[10.240.48.198] to q1[10.240.32.91]: No Connections
+
+Path:
+	r1[10.240.48.198] -> security group GroupId:22 -> network ACL acl1 -> subnet private2 -> 
+	subnet private1 -> network ACL acl1 -> security group GroupId:15 -> q1[10.240.32.91]
+
+
+Details:
+~~~~~~~~
+Path is disabled; The relevant rules are:
+	Egress:
+		security group GroupId:22 allows connection with the following allow rules
+			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: tcp, dstPorts: 9080-9080
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, protocol: all
+
+	Ingress:
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all
+		security group GroupId:15 allows connection with the following allow rules
+			Inbound index: 0, direction: inbound, target: 0.0.0.0/0, protocol: udp, dstPorts: 0-65535
+
+------------------------------------------------------------------------------------------------------------------------
+
+Connections from r1[10.240.48.198] to q2[10.240.32.122]: protocol: TCP dst-ports: 9080
+
+Path:
+	r1[10.240.48.198] -> security group GroupId:22 -> network ACL acl1 -> subnet private2 -> 
+	subnet private1 -> network ACL acl1 -> security group GroupId:9 -> q2[10.240.32.122]
+
+
+Details:
+~~~~~~~~
+Path is enabled; The relevant rules are:
+	Egress:
+		security group GroupId:22 allows connection with the following allow rules
+			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: tcp, dstPorts: 9080-9080
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, protocol: all
+
+	Ingress:
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all
+		security group GroupId:9 allows connection with the following allow rules
+			Inbound index: 0, direction: inbound, target: 10.240.0.0/18, protocol: all
+
+TCP response is enabled; The relevant rules are:
+	Egress:
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, protocol: all
+
+	Ingress:
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all
+
+------------------------------------------------------------------------------------------------------------------------
+
diff --git a/...mples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt b/...mples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.20.245 to 161.26.0.0 within vpc0
-Interpreted source: app1[10.240.20.245]
-Interpreted destination: 161.26.0.0 (external)
+Interpreted source(s): app1[10.240.20.245]
+Interpreted destination(s): 161.26.0.0 (external)
 ====================================================================
 
 No connections from app1[10.240.20.245] to Public Internet 161.26.0.0/32;

diff --git a/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.20.245 to 161.26.0.0 within vpc0
-Interpreted source: app1[10.240.20.245]
-Interpreted destination: 161.26.0.0 (external)
+Interpreted source(s): app1[10.240.20.245]
+Interpreted destination(s): 161.26.0.0 (external)
 ====================================================================
 
 No connections from app1[10.240.20.245] to Public Internet 161.26.0.0/32;

diff --git a/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.10.42 to 161.26.0.0 within vpc0
-Interpreted source: proxy[10.240.10.42]
-Interpreted destination: 161.26.0.0 (external)
+Interpreted source(s): proxy[10.240.10.42]
+Interpreted destination(s): 161.26.0.0 (external)
 ===================================================================
 
 Connections from proxy[10.240.10.42] to Public Internet 161.26.0.0/32: All Connections

diff --git a/pkg/awsvpc/explainability_test.go b/pkg/awsvpc/explainability_test.go
@@ -34,6 +34,7 @@ var explainTests = []*commonvpc.VpcGeneralTest{
 		DetailExplain: true,
 	},
 	// existing sub-connection between two endpoints of the same subnet
+	// todo: https://github.com/np-guard/vpc-network-config-analyzer/issues/859
 	{
 		Name:          "same_subnet_partial_connection",
 		InputConfig:   "aws_mixed",
@@ -44,10 +45,10 @@ var explainTests = []*commonvpc.VpcGeneralTest{
 	},
 	// no connection between two endpoints of the same subnet
 	{
-		Name:          "same_subnet_no_connection",
+		Name:          "subnet_to_subnet",
 		InputConfig:   "aws_mixed",
-		ESrc:          "10.240.0.96",
-		EDst:          "10.240.3.70",
+		ESrc:          "private2",
+		EDst:          "private1",
 		Format:        vpcmodel.Text,
 		DetailExplain: true,
 	},

diff --git a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to 161.26.0.0/8 within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/8 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/8 (external)
 ========================================================================
 
 Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP

diff --git a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.10.4 to 161.26.0.0/8 within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/8 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/8 (external)
 ============================================================================
 
 Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP

diff --git a/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 192.168.8.4 to 192.168.4.4 within ky-test-vpc
-Interpreted source: iks-node[192.168.8.4]
-Interpreted destination: iks-node[192.168.4.4]
+Interpreted source(s): iks-node[192.168.8.4]
+Interpreted destination(s): iks-node[192.168.4.4]
 ==========================================================================
 
 Connections from iks-node[192.168.8.4] to iks-node[192.168.4.4]: All Connections

diff --git a/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca to 192.168.4.4 within ky-test-vpc
-Interpreted source: kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.16.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.0.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.32.0-192.168.32.4,192.168.32.6-192.168.35.255], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.4.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.20.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.8.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.24.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.40.6]
-Interpreted destination: iks-node[192.168.4.4]
+Interpreted source(s): kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.16.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.0.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.32.0-192.168.32.4,192.168.32.6-192.168.35.255], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.4.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.20.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.8.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.24.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.40.6]
+Interpreted destination(s): iks-node[192.168.4.4]
 ================================================================================================================
 
 Connections from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6] to iks-node[192.168.4.4]: protocol: TCP,UDP dst-ports: 30000-32767

diff --git a/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca to 192.168.32.5 within ky-test-vpc
-Interpreted source: kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.16.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.0.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.32.0-192.168.32.4,192.168.32.6-192.168.35.255], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.4.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.20.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.8.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.24.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.40.6]
-Interpreted destination: iks-clusterid:1[192.168.32.5]
+Interpreted source(s): kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.16.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.0.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.32.0-192.168.32.4,192.168.32.6-192.168.35.255], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.4.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.20.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.8.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.24.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.40.6]
+Interpreted destination(s): iks-clusterid:1[192.168.32.5]
 =================================================================================================================
 
 No connections from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6] to iks-clusterid:1[192.168.32.5];

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to 161.26.0.0/16 within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/16 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/16 (external)
 =========================================================================
 
 Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to 100.128.0.0/32 within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 100.128.0.0/32 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 100.128.0.0/32 (external)
 ==========================================================================
 
 No connections from vsi1-ky[10.240.10.4] to Public Internet 100.128.0.0/32;

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal3_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal3_all_vpcs_explain.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 100.128.0.0/32 to vsi1-ky within test-vpc1-ky
-Interpreted source: 100.128.0.0/32 (external)
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): 100.128.0.0/32 (external)
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 ==========================================================================
 
 No connections from Public Internet 100.128.0.0/32 to vsi1-ky[10.240.10.4];

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.10.4 to 161.26.0.0/15 within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/15 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/15 (external)
 =============================================================================
 
 Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.10.4 to vsi2-ky within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: vsi2-ky[10.240.20.4]
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): vsi2-ky[10.240.20.4]
 =======================================================================
 
 Connections from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4]: protocol: TCP,UDP

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to 10.240.20.4 within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: vsi2-ky[10.240.20.4]
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): vsi2-ky[10.240.20.4]
 =======================================================================
 
 Connections from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4]: protocol: TCP,UDP

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi2-ky to 10.240.10.4 within test-vpc1-ky
-Interpreted source: vsi2-ky[10.240.20.4]
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): vsi2-ky[10.240.20.4]
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 =======================================================================
 
 Connections from vsi2-ky[10.240.20.4] to vsi1-ky[10.240.10.4]: All Connections

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to vsi3a-ky within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: vsi3a-ky[10.240.30.5]
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): vsi3a-ky[10.240.30.5]
 ====================================================================
 
 No connections from vsi1-ky[10.240.10.4] to vsi3a-ky[10.240.30.5];

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3b-ky to vsi3a-ky within test-vpc1-ky
-Interpreted source: vsi3b-ky[10.240.30.6]
-Interpreted destination: vsi3a-ky[10.240.30.5]
+Interpreted source(s): vsi3b-ky[10.240.30.6]
+Interpreted destination(s): vsi3a-ky[10.240.30.5]
 =====================================================================
 
 Connections from vsi3b-ky[10.240.30.6] to vsi3a-ky[10.240.30.5]: All Connections

diff --git a/...ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt b/...ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3b-ky to 10.240.30.4/26 within test-vpc1-ky
-Interpreted source: vsi3b-ky[10.240.30.6]
-Interpreted destination: vsi3a-ky[10.240.30.5], vsi3c-ky[10.240.30.4], vsi3b-ky[10.240.30.6], db-endpoint-gateway-ky[10.240.30.7]
+Interpreted source(s): vsi3b-ky[10.240.30.6]
+Interpreted destination(s): vsi3a-ky[10.240.30.5], vsi3c-ky[10.240.30.4], vsi3b-ky[10.240.30.6], db-endpoint-gateway-ky[10.240.30.7]
 ===========================================================================
 
 Connections from vsi3b-ky[10.240.30.6] to db-endpoint-gateway-ky[10.240.30.7]: All Connections

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to vsi2-ky within test-vpc1-ky using "protocol: ICMP"
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: vsi2-ky[10.240.20.4]
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): vsi2-ky[10.240.20.4]
 ==========================================================================================
 
 No connections from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4] using "protocol: ICMP";

diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to 161.26.0.0/16 within test-vpc1-ky using "protocol: UDP"
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/16 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/16 (external)
 ===============================================================================================
 
 Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: UDP src-ports: 1-600 dst-ports: 1-50"