Closed Bug 1216008 Opened 9 years ago Closed 9 years ago

Add route to bounceradmin.mozilla.com (52.26.59.232)

Categories

(Infrastructure & Operations :: Corporate VPN: ACL requests, task)

RESOLVED WONTFIX

People

(Reporter: nthomas, Unassigned)

Since bug 1211734 moved download.m.o to AWS I can no longer reach bounceradmin.mozilla.com. I can open a connection from machines in the RelEng network, but not from my laptop. Probably this is because the new IP (52.26.59.232) is not advertised by the VPN routing config (I've tried bouncing the VPN).

oremj, do I need some new LDAP group membership for this, or am I just the first non-cloudops remotie to attempt access since the move?
Flags: needinfo?(oremj)
Also, if this didn't show up while Rail was testing, does that mean that offices have blanket access to this host? If so, we should lock it down to a minimal set of people.
Assignee: infra → vpn-acl
Component: Infrastructure: OpenVPN → Mozilla VPN: ACL requests
QA Contact: jdow → cshields
I've added the route to the vpn configuration. I'm not sure about ACLs. Is there any type of auth configured on the host? What group of people should be allowed to reach it through vpn? I'm guessing if it works in the offices, then that's an office network ACL allowing it and not the VPN, but not sure.

Also, since I just now added the route, but haven't made any other changes, this might still not work for you, as normally it's a route and an ACL group needed, but I don't want to add an ACL group until I know who all should be in it, or if the ACL should be added to an existing group.
The problem here is, the admin interface is fronted by an ELB, so the IP is not static. So far, we've whitelisted 63.245.214.82/32 and 63.245.214.169/32. The long term plan is #2 in bug 1209161.
Flags: needinfo?(oremj)
Thanks jabba, I see the route now. You're right that it's not enough as the connection doesn't open, but the IP shifted to 52.25.71.151.

Should we back out the change for 52.26.59.232 and .. er .. WONTFIX this in favour of bug 1209161? In the meantime I can proxy via a machine in the RelEng network.
Works for me. I've backed out the change.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX