
CloudVPS: detail list of dmz_cidr optional NAT addresses to avoid reaching everything in production with internal private VM addresses
Closed, Resolved · Public

Description

I noticed that diffscan (runs on a Cloud VM and does a network scan of all Wikimedia public ranges) hits all those public IPs with its internal IP 172.16.2.185.

Until now I thought that NOT doing NAT was an exception given on a per-VM basis, as it was against best practices to "leak" 172.16.0.0/21 IPs, even though necessary for some VMs due to historical reasons.

Is it possible to change that behavior to NAT by default?
And thus only allow in prod 172.16.0.0/21 IPs that really need to be seen as such.

I'd say this is the first step to T209082 and by consequence T209011.
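As an added illustration (not code from the task or from operations/puppet), the script below models the NAT-bypass decision the task is about: a dmz_cidr entry matching a flow means the destination sees the VM's private 172.16.0.0/21 address instead of a NATed one, and it compares a broad "all of production" entry against a detailed per-endpoint list. The `src_cidr:dst_cidr` entry format and the 203.0.113.0/24 destination ranges are assumptions and constructed placeholders, not values from the page.

```python
# Added example (not from the task or the operations/puppet repo): a small
# model of how a dmz_cidr-style NAT bypass decides whether a Cloud VM's
# traffic leaves with its private 172.16.0.0/21 address or a NATed one.
# The "src_cidr:dst_cidr" entry format and all destination ranges below
# are assumptions / constructed placeholders, not values from the page.
from ipaddress import ip_address, ip_network

CLOUD_PRIVATE = ip_network("172.16.0.0/21")


def parse_dmz_cidr(entries):
    """Parse 'src_cidr:dst_cidr' strings into (src, dst) network pairs."""
    pairs = []
    for entry in entries:
        src, dst = entry.split(":")
        pairs.append((ip_network(src), ip_network(dst)))
    return pairs


def nat_bypassed(src_ip, dst_ip, pairs):
    """True if a src->dst flow matches a dmz_cidr pair, i.e. it is NOT
    NATed and the destination sees the VM's private address."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return any(src in s and dst in d for s, d in pairs)


def leaking_destinations(src_ip, dst_ips, pairs):
    """Destinations that would see the raw private VM address."""
    return [d for d in dst_ips if nat_bypassed(src_ip, d, pairs)]


# Constructed placeholders: a broad "everything in production" entry
# versus a detailed list of only the endpoints that really need it.
BROAD = parse_dmz_cidr(["172.16.0.0/21:203.0.113.0/24"])
DETAILED = parse_dmz_cidr(["172.16.0.0/21:203.0.113.10/32",
                           "172.16.0.0/21:203.0.113.11/32"])
SCAN_TARGETS = ["203.0.113.10", "203.0.113.11", "203.0.113.50", "203.0.113.200"]

if __name__ == "__main__":
    vm = "172.16.2.185"  # the scanning VM's private address from the task
    print("broad    :", leaking_destinations(vm, SCAN_TARGETS, BROAD))
    print("detailed :", leaking_destinations(vm, SCAN_TARGETS, DETAILED))
```

With the broad entry every scanned host sees 172.16.2.185; with the detailed list only the two listed endpoints do, which is the narrowing the task asks for.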

Event Timeline

ayounsi triaged this task as Medium priority. Nov 12 2020, 9:22 AM
ayounsi created this task.
Restricted Application added a subscriber: Aklapper.

Change 651169 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] [DONT MERGE] cloud: expand dmz_cidr list for public endpoints

https://gerrit.wikimedia.org/r/651169

aborrero renamed this task from "CloudVPS: don't bypass Neutron NAT by default" to "CloudVPS: detail list of dmz_cidr optional NAT addresses to avoid reaching everything in production with internal private VM addresses". Dec 21 2020, 12:49 PM
aborrero added a parent task: Restricted Task.

Change 651169 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: expand dmz_cidr list for public endpoints

https://gerrit.wikimedia.org/r/651169

Mentioned in SAL (#wikimedia-cloud) [2021-01-07T11:35:29Z] <arturo> merging dmz_cidr change (T209082, T267779)