VPN connection from build-vpn to Amazon VPC



7 years ago
3 years ago


(Reporter: joduinn, Assigned: jstevensen)



(Whiteboard: [in-progress secreview][start mm/dd/yyyy][target mm/dd/yyyy])

Talked about this with mcoates earlier this week. 

Please copy these questions into the bug and answer inline.
* Who is/are the point of contact(s) for this review?
:joduinn, ravi

* Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
Short version is: we'd like to setup a VPN connection from build network out to Amazon VPC. This is similar to what was done for weave/sync services previously.

* Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:

user doc: http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide/
sysadmin doc: http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide/
"wire up Amazon EC2 VPC to weave-dev" https://bugzilla.mozilla.org/show_bug.cgi?id=605862

* Does this request block another bug? If so, please indicate the bug number
bunch of work, none of these bugs filed yet.

* This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
asap. see below.

* Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
* Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?

* Are there any portions of the project that interact with 3rd party services?
Amazon EC2/VPC

* Will your application/service collect user data? If so, please describe 

* If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

* Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite. 
asap?! :-) Once we have this VPN connection in place, we've a long evaluation/test cycle with AMIs to complete before we know if this approach really works for us, or we need to fallback to a different plan, which has an even longer rollout. Hence the urgency to confirm if this works or not.

please invite: joduinn, ravi.
Assignee: nobody → jstevensen
Component: Security Assurance: Review Needed → Security Assurance: Operations
1) ravi + i met w/infrasec and got initial "ok to proceed" setting up VPN<->VPC. 

2) Bug#745048 tracks that work and is now fixed.

3) Is there any testing that infrasec wants to do against the new VPC to verify integrity? Or, put another way: Are we all done here with this bug?
Depends on: 745048

Comment 2

7 years ago
Prior to deploying build systems in the VPC, we'd like to take a look at the VPC firewall policies. This could be addressed in a new bug or the current.
Keywords: sec-review-needed
Whiteboard: [pending secreview] → [in-progress secreview][start mm/dd/yyyy][target mm/dd/yyyy]

Comment 3

7 years ago

Have you setup the Releng VPC yet? Please keep us posted.

Comment 4

7 years ago
Closing this bug. We met about Amazon VPC, discussed our requirements. If we go down the VPC route, please file a bug prior to deploying releng systems, in order to have the VPC reviewed by OpSec.
Last Resolved: 7 years ago
Resolution: --- → FIXED
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security
You need to log in before you can comment on or make changes to this bug.