Making a separate ticket out of https://phabricator.wikimedia.org/T220505#5433228:
For the initial (pre-puppet run) SSH access we currently use install_console from the Cumin hosts or Puppet masters. Per @Andrew 's comment from above task this doesn't work to connect to e.g. cloudvirt. Is there any router ACL which grants SSH access from iron.wikimedia.org towards labs-hosts-b-eqiad1/labs-hosts-d-eqiad1 which isn't present for puppetmaster*/cumin* hosts? If there's such a rule we should carry it over to the ACLs for puppetmaster/cumin, as the eventual goal is to remove iron fully.