During an audit of HTTPS-related things (cf T132521#2202245), it was noted that californium.wikimedia.org appears to only host one HTTP site (horizon.wikimedia.org), which is currently revproxied through the cache_misc cluster. If californium has no other reason that it needs to be on a public subnet, we should move it to an internal-subnet host to reduce its exposure to the wild Internet.
It's slightly off topic with californium being decommed, but things that are allocated for Cloud Services infrastructure are generally being moved into the public vlan. The reason for this is that we want to kill off the confusing security posture of the labs-support vlan. Treating all things that directly talk to the Cloud VPS OpenStack tenant VMs and the infrastructure that powers them as "public" from the point of view of the core Wikimedia network is much easier to reason about. The new labweb1001 and labweb1002 servers that are replacing californium and silver as the hosts of wikitech, horizon, and striker are an example of this. These services are all behind the misc varnish cluster, but the hosts themselves are in the public vlan. This is largely an artifact of the cognitive load that having small number of hosts that are not like anything else cause.