I noticed that diffscan (runs on a Cloud VM and does a network scan of all Wikimedia public ranges) hits all those public IPs with its internal IP 172.16.2.185.
Until now I thought that NOT doing NAT was an exception granted on a per-VM basis, as it is against best practices to "leak" 172.16.0.0/21 IPs, even though it is necessary for some VMs due to historical reasons.
Is it possible to change that behavior to NAT by default?
And thus only allow in prod 172.16.0.0/21 IPs that really need to be seen as such.
I'd say this is the first step to T209082 and by consequence T209011.
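A check that goes with this request, added here as an example and not part of the task or of any Wikimedia tooling: scan connection logs on the prod side for sources inside the Cloud VPS internal range (172.16.0.0/21) reaching non-internal destinations, with an allowlist for the VMs that legitimately need to be seen with their internal address. The log format (`src=... dst=...` key/value pairs) and all addresses below are constructed; the 198.51.100.0/24 destinations stand in for public prod ranges.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Sequence, Tuple

# Constructed sample firewall-style log lines (assumed format, not real logs).
# 198.51.100.x stands in for public prod addresses; 172.16.x.y for Cloud VPS.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=172.16.2.185 dst=198.51.100.10 proto=tcp dport=443
2024-05-01T10:00:01Z src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=443
2024-05-01T10:00:02Z src=172.16.9.4 dst=198.51.100.10 proto=tcp dport=22
2024-05-01T10:00:03Z src=172.16.2.185 dst=172.16.3.1 proto=tcp dport=22
2024-05-01T10:00:04Z src=172.16.1.20 dst=198.51.100.11 proto=tcp dport=443
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def parse_line(line: str) -> Optional[Tuple[ipaddress._BaseAddress, ipaddress._BaseAddress]]:
    """Extract (src, dst) addresses from one log line; None if unparseable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:
        return None


def find_leaked_sources(
    lines: Iterable[str],
    internal_net: str = "172.16.0.0/21",
    allowed_sources: Sequence[str] = (),
) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs where an internal-range source reached a
    destination outside that range, i.e. the internal IP crossed into prod
    without NAT. Sources in allowed_sources (VMs that genuinely need to be
    seen as 172.16.x.y) are skipped."""
    net = ipaddress.ip_network(internal_net)
    allowed = {ipaddress.ip_address(a) for a in allowed_sources}
    hits: List[Tuple[str, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst = parsed
        # Internal-to-internal traffic (e.g. VM to VM) is expected and ignored.
        if src in net and src not in allowed and dst not in net:
            hits.append((str(src), str(dst)))
    return hits


if __name__ == "__main__":
    for src, dst in find_leaked_sources(SAMPLE_LOG.splitlines()):
        print(f"leaked internal source {src} -> {dst}")
```

Widening `internal_net` to 172.16.0.0/12 turns this into a generic RFC 1918 leak check (it would then also flag the constructed 172.16.9.4 line), which is useful as a one-off audit before flipping the default to NAT and as a recurring check afterwards to confirm only allowlisted VMs still appear.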