Page MenuHomePhabricator
Create Task
Maniphest T249022

Track and list the services that Cloud Services that connect to internal network endpoints
Closed, ResolvedPublic
Actions

Description

Develop and maintain a manifest of what Cloud Services are actually consuming as far as internal network endpoints for future virtualization, tracking and consideration.

A jump start on this with a specific goal is T207536: Move various support services for Cloud VPS currently in prod into their own instances
Current resources include this list (which needs an update on labstores): https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Neutron_ideal_model#supporting_services
An example config from our network management system is https://github.com/wikimedia/operations-homer-public/blob/master/templates/cr/firewall.conf#L1437

Related Objects
Search...

Event Timeline

Bstorm triaged this task as Medium priority.Mar 31 2020, 5:39 PM
Bstorm created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 31 2020, 5:39 PM
Bstorm added a parent task: T209460: CloudVPS: network architecture.Mar 31 2020, 6:01 PM
Bstorm updated the task description. (Show Details)
Bstorm added a comment.Mar 31 2020, 6:14 PM

Right away, I see that there are services in homer that have been decommissioned.
I see:

  • labstore1001/2/3 T187456 (replaced by cloudstore1008/9, which live in the public network)
  • labsdb1004/5/6/7 T216749 T220144 (all now on VMs)

Besides that:

  • dbproxy's for the wikireplicas are changing, which might just need a labeling change in comments T231520
  • port restrictions for labstores may have changed as a result of https://gerrit.wikimedia.org/r/c/operations/puppet/+/571821, which makes the labstore1004/5 set more firmly nfsv4 than they were. We may be able to close some of those ports that are currently open.
JHedden assigned this task to Bstorm.May 5 2020, 4:49 PM
JHedden subscribed.

Check if we have any netflow data from the network devices that would allow us to query src and dest traffic

ayounsi added a comment.EditedMay 6 2020, 11:29 AM

Note that we only have netflow at our borders, and we sample 1:1000 so it might not be the right tool for now.

There are several options though:

Bstorm moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.Jun 2 2020, 4:39 PM
Bstorm moved this task from Doing to Inbox on the cloud-services-team (Kanban) board.Oct 15 2020, 9:03 PM
aborrero edited parent tasks, added: T272395: Cloud: reduce NAT exceptions from cloud to production; removed: T209460: CloudVPS: network architecture.Jan 19 2021, 4:06 PM
aborrero closed this task as Resolved.Jan 19 2021, 4:08 PM
aborrero claimed this task.
aborrero subscribed.

Done in T267779: CloudVPS: detail list of dmz_cidr optional NAT addresses to avoid reaching everything in production with internal private VM addresses

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL