Closed Bug 1210137 Opened 9 years ago Closed 8 years ago

restrict outbound flows from AWS

Categories

(Infrastructure & Operations :: RelOps: General, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: dustin, Assigned: dustin)

References

Details

Right now, all of our AWS security groups allow anything outbound.

Now that we've written a full set of tests for outbound access, we can confidently start to write some SG rules for outbound access, too.

...and once that's done, we can pretty easily fix up the routing tables to send everything not destined to 10.0.0.0/8 out the IGW, confident that we're not losing any filtering.
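As an added example (not code from this bug or from the build-cloud-tools repo), the following audit walks security-group egress rules in the shape `ec2.describe_security_groups()` returns and flags the "anything outbound" state the description mentions: rules open to 0.0.0.0/0 or ::/0, and rules whose destination falls outside an allow-list such as 10.0.0.0/8. The group names, IDs and CIDRs are constructed sample data.

```python
"""Audit AWS security-group egress rules for unrestricted outbound access."""
import ipaddress

# Constructed sample in the shape boto3's ec2.describe_security_groups()
# returns (only the fields the audit needs). Not real Mozilla data.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "spot-allow-all",
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "spot-restricted",
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []}]},
]

WIDE_OPEN = {"0.0.0.0/0", "::/0"}


def find_open_egress(groups):
    """Return (GroupId, protocol, cidr) for each egress rule open to the world."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissionsEgress", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WIDE_OPEN:
                    findings.append((sg["GroupId"], perm["IpProtocol"], cidr))
    return findings


def egress_outside_allowlist(groups, allowed):
    """Return (GroupId, cidr) for IPv4 egress destinations not inside any
    allowed prefix; a wildcard like 0.0.0.0/0 is never inside a real prefix."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissionsEgress", []):
            for r in perm.get("IpRanges", []):
                net = ipaddress.ip_network(r["CidrIp"])
                if not any(net.version == a.version and net.subnet_of(a)
                           for a in allowed_nets):
                    findings.append((sg["GroupId"], r["CidrIp"]))
    return findings


if __name__ == "__main__":
    print("open to the world:", find_open_egress(SAMPLE_GROUPS))
    print("outside allow-list:",
          egress_outside_allowlist(SAMPLE_GROUPS, ["10.0.0.0/8"]))
```

Against a live account, replace `SAMPLE_GROUPS` with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`.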

Applied to
  tst-emulator64-spot-302
  bld-linux64-spot-385
  bld-linux64-spot-389
  try-linux64-spot-409
  try-linux64-spot-301
  tst-linux32-spot-301
  tst-linux32-spot-303
  tst-linux32-spot-305

OK, spotted one thing: stage.mozilla.org isn't accessible.  I've added the Mozilla public IP space.
With that change, things are looking pretty good.
https://github.com/mozilla/build-cloud-tools/pull/123

Still to do: all the other VLANs (masters, nagios, etc.).  At least those aren't spot instances, so we can statically switch a few hosts over at a time to the new groups and look for problems.  Also, they have far fewer outgoing flows!

I landed that just for test so far -- I'll loop back shortly and land for try/build.

Landed for build/try now, too.

So the remaining bit here is to change all of the other security groups over.  They are all for servers, so it's a bit easier to "test" one or two instances since they can just be reassigned in the UI without hoping the spot instance lives on.  All of the required flows are in https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=43723701

I'm disinclined to finish this -- it's a fair bit of fairly risky work, although nothing too bad, but ultimately nothing is driving it.  Anyone is free to reopen and take care of this if it becomes useful.

Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX