Closed Bug 1210137 Opened 10 years ago Closed 10 years ago

restrict outbound flows from AWS

Category: Infrastructure & Operations :: RelOps: General (task)

Priority: Not set, Severity: normal

Status: RESOLVED WONTFIX

Reporter: dustin, Assigned: dustin

Right now, all of our AWS security groups allow anything outbound. Now that we've written a full set of tests for outbound access, we can confidently start to write some SG rules for outbound access, too. ...and once that's done, we can pretty easily fix up the routing tables to send everything not destined to 10.0.0.0/8 out the IGW, confident that we're not losing any filtering.
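The two steps described in the bug (tighten the security group egress rules, then split the routing so only 10.0.0.0/8 stays on the internal path) can be dry-run before touching any instance. The following is an added example, not code from the bug or from build-cloud-tools: it checks a list of required outbound flows against a candidate egress rule set and reports which flows the new rules would block, and it resolves which route a destination would take with the split routing table. The rules, flows, route targets ("vgw-placeholder", "igw-placeholder") and addresses are all constructed placeholders, not Mozilla's real configuration.

```python
"""Dry-run an egress security-group change and a split routing table.

Added example; everything below is constructed and hypothetical, not the
bug's real rule set, flow list or route targets.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    proto: str       # "tcp", "udp", "icmp" or "-1" (all protocols, as in AWS)
    from_port: int   # ignored when proto == "-1"
    to_port: int
    cidr: str        # destination CIDR


# Candidate egress rule set (constructed). Anything is allowed to the internal
# 10.0.0.0/8 space; only a few services are allowed to the public Internet.
EGRESS_RULES = [
    EgressRule("-1", 0, 65535, "10.0.0.0/8"),
    EgressRule("tcp", 443, 443, "0.0.0.0/0"),   # HTTPS
    EgressRule("tcp", 80, 80, "0.0.0.0/0"),     # HTTP
    EgressRule("udp", 123, 123, "0.0.0.0/0"),   # NTP
    EgressRule("udp", 53, 53, "10.0.0.0/8"),    # DNS only to internal resolvers
]

# Required outbound flows (constructed) as (destination ip, proto, port).
# Public addresses are from the RFC 5737 documentation ranges.
REQUIRED_FLOWS = [
    ("10.22.1.5", "tcp", 22),        # ssh to an internal host
    ("203.0.113.10", "tcp", 443),    # https to a public endpoint
    ("203.0.113.10", "tcp", 873),    # rsync to a public endpoint
    ("198.51.100.7", "udp", 123),    # ntp to a public server
    ("192.0.2.9", "udp", 53),        # dns to a public resolver
]


def rule_permits(rule: EgressRule, dst_ip: str, proto: str, port: int) -> bool:
    """True if a single egress rule allows this destination/proto/port."""
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.proto == "-1":          # all protocols, ports irrelevant
        return True
    if rule.proto != proto:
        return False
    return rule.from_port <= port <= rule.to_port


def blocked_flows(rules, flows):
    """Return the required flows that no rule in the set permits.

    AWS security-group rules are allow-only, so a flow passes if any rule
    matches; an empty result means the tightened group loses nothing.
    """
    return [f for f in flows if not any(rule_permits(r, *f) for r in rules)]


# Split routing table (constructed): internal space stays on the VPN/VGW path,
# everything else goes straight out the Internet gateway.
ROUTES = {
    "10.0.0.0/8": "vgw-placeholder",
    "0.0.0.0/0": "igw-placeholder",
}


def route_for(dst_ip: str, routes=ROUTES) -> str:
    """Pick the route target by longest-prefix match, as a VPC route table does."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [ipaddress.ip_network(c) for c in routes
                  if ip in ipaddress.ip_network(c)]
    best = max(candidates, key=lambda n: n.prefixlen)
    return routes[str(best)]


if __name__ == "__main__":
    for flow in blocked_flows(EGRESS_RULES, REQUIRED_FLOWS):
        print("would be blocked:", flow, "via", route_for(flow[0]))
```

Run against the constructed data, the checker flags the public rsync and public DNS flows, which is exactly the kind of gap the bug's "full set of tests for outbound access" is meant to catch before the group is applied to live spot instances; the route lookup confirms that only 10.0.0.0/8 destinations stay on the internal path.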
Applied to tst-emulator64-spot-302, bld-linux64-spot-385, bld-linux64-spot-389, try-linux64-spot-409, try-linux64-spot-301, tst-linux32-spot-301, tst-linux32-spot-303, tst-linux32-spot-305.
OK, spotted one thing: stage.mozilla.org isn't accessible. I've added the Mozilla public IP space.
With that change, things are looking pretty good.
https://github.com/mozilla/build-cloud-tools/pull/123 Still to do: all the other VLANs (masters, nagios, etc.). At least those aren't spot instances, so we can statically switch a few hosts over at a time to the new groups and look for problems. Also, they have far fewer outgoing flows!
I landed that just for test so far -- I'll loop back shortly and land for try/build.
Landed for build/try now, too.
So the remaining bit here is to change all of the other security groups over. They are all for servers, so it's a bit easier to "test" one or two instances since they can just be reassigned in the UI without hoping the spot instance lives on. All of the required flows are in https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=43723701
I'm disinclined to finish this -- it's a fair bit of fairly risky work, although nothing too bad, but ultimately nothing is driving it. Anyone is free to reopen and take care of this if it becomes useful.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX