A Shared Network in CloudStack can be used to assign public IPs to guest VM instances instead of internal private IPs. A guest VM with a routable public IP is directly reachable from the Internet without using any NAT services. Service providers usually create one or more shared networks with public subnets to provide VPS/shared hosting services for their customers. Please also see the earlier post on CloudStack Shared Networks.
For guest instances on a VLAN-based Isolated Network, the CloudStack-managed virtual router (VR) provides NAT/SNAT and firewall services. Users can modify the Network ACLs directly from the CloudStack UI. Virtual routers, however, cannot be used as a firewall on shared networks, because the instances there are directly accessible from the Internet.
So what options are available to provide firewall services in shared networks?