Add route to bounceradmin.mozilla.com (52.26.59.232)

RESOLVED WONTFIX

Status

Infrastructure & Operations
Mozilla VPN: ACL requests
3 years ago
3 years ago

People

(Reporter: nthomas, Unassigned)

(Reporter)

Description

3 years ago
Since bug 1211734 moved download.m.o to AWS I can no longer reach bounceradmin.mozilla.com. I can open a connection from machines in the RelEng network, but not from my laptop. Probably this is because the new IP (52.26.59.232) is not advertised by the VPN routing config (I've tried bouncing the VPN).

oremj, do I need some new LDAP group membership for this, or am I just the first non-cloudops remotie to attempt access since the move?
Flags: needinfo?(oremj)
(Reporter)

Comment 1

3 years ago
Also, if this didn't show up while Rail was testing, does that mean that offices have blanket access to this host? If so, we should lock it down to a minimal set of people.
Assignee: infra → vpn-acl
Component: Infrastructure: OpenVPN → Mozilla VPN: ACL requests
QA Contact: jdow → cshields

Comment 2

3 years ago
I've added the route to the VPN configuration. I'm not sure about ACLs. Is there any type of auth configured on the host? What group of people should be allowed to reach it through VPN? I'm guessing if it works in the offices, then that's an office network ACL allowing it and not the VPN, but not sure.

Also, since I just now added the route, but haven't made any other changes, this might still not work for you, as normally it's a route and an ACL group needed, but I don't want to add an ACL group until I know who all should be in it, or if the ACL should be added to an existing group.

Comment 3

3 years ago
The problem here is, the admin interface is fronted by an ELB, so the IP is not static. So far, we've whitelisted 63.245.214.82/32 and 63.245.214.169/32. The long-term plan is #2 in bug 1209161.
Flags: needinfo?(oremj)
(Reporter)

Comment 4

3 years ago
Thanks jabba, I see the route now. You're right that it's not enough as the connection doesn't open, but the IP shifted to 52.25.71.151.

Should we back out the change for 52.26.59.232 and .. er .. WONTFIX this in favour of bug 1209161? In the meantime I can proxy via a machine in the RelEng network.

Comment 5

3 years ago
Works for me. I've backed out the change.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX