790719 - Lots of flows for KMS

Status: RESOLVED FIXED

(Infrastructure & Operations Graveyard :: NetOps: DC ACL Request, task)

Description

[Dustin J. Mitchell [:dustin] (he/him)]

Windows updates are over tcp/1688

Everything windows needs to talk to this port, so we'll need access from entire vlans:
 vlan40 in scl1
 vlan69 in scl1, scl3, and phx1
to
 kms1.ad.mozilla.com:tcp/1688

It's quite possible that we'll eventually have other kms/wsus hosts, if that helps think about how to design the policy.  If you'd like to pre-allocate a block of IPs, we can move kms1.ad.mozilla.com into it pretty easily (it's not in prod yet).

Comment 1

[casey ransom [:casey]]

(In reply to Dustin J. Mitchell [:dustin] from comment #0)
> Windows updates are over tcp/1688
> 
> Everything windows needs to talk to this port, so we'll need access from
> entire vlans:
>  vlan40 in scl1
This has been added.
>  vlan69 in scl1, scl3, and phx1
These already existed in previous policies.
> to
>  kms1.ad.mozilla.com:tcp/1688
> 
> It's quite possible that we'll eventually have other kms/wsus hosts, if that
> helps think about how to design the policy.  If you'd like to pre-allocate a
> block of IPs, we can move kms1.ad.mozilla.com into it pretty easily (it's
> not in prod yet).

Unless we get into the dozens of kms hosts, I don't think it's necessary. The way projects tend to grow (and decay), carving out blocks of IPs ends up being a self defeating mental exercise and it's just simpler to add in groups of individual addresses rather than big blocks.

Comment 2

[Dustin J. Mitchell [:dustin] (he/him)]

For the record, these aren't windows update, these are for KMS (licensing).  I confused myself with the name.  The flows are still correct :)