Page MenuHomeDevCentral
Create Task
Maniphest T1616

Build a bastion - load balancers - private instances network topology
Open, NormalPublic
Actions

Description

Currently, a lot of servers have public IcannNet addresses.

This is not needed, as we can switch to a more secure network topology:

  • bastion: allow developers and operations to connect per SSH to other machines
  • load balancer: receive public IP to act as a reverse proxy or network balancer for traffic
  • back-end server: keep private IP

That would help to reduce the attack surface of services.

Revisions and Commits

rOPS Nasqueron Operations
AbandonedD2293 Provide a PaaS front-end role
D2672rOPS015557f0313e Prune salt-primary role on Ysul and WindRiver
D2596rOPS6deb32e01378 Set kernel state for router
D2566rOPSf9dbdab3b579 Configure IntraNought interface for RedHat servers
D2334rOPSd2434fa0cf3d Configure IntraNought interface for FreeBSD
D2330rOPS5750d01e83d2 Add router-001.nasqueron.org as router

Related Objects
Search...

Event Timeline

dereckson triaged this task as Normal priority.Jun 3 2020, 17:36
dereckson created this task.
dereckson added a parent task: Unknown Object (Maniphest Task).
dereckson added a revision: D2293: Provide a PaaS front-end role.Jun 3 2020, 17:43
dereckson added a revision: D2330: Add router-001.nasqueron.org as router.Sep 24 2020, 19:24
dereckson added a commit: rOPS5750d01e83d2: Add router-001.nasqueron.org as router.Sep 24 2020, 19:29
dereckson added a revision: D2334: Configure IntraNought interface for FreeBSD.Sep 24 2020, 20:48
dereckson added a commit: rOPSd2434fa0cf3d: Configure IntraNought interface for FreeBSD.Sep 24 2020, 20:48
dereckson added a revision: D2566: Configure IntraNought interface for RedHat servers.Mar 4 2022, 23:55
dereckson added a commit: rOPSf9dbdab3b579: Configure IntraNought interface for RedHat servers.Mar 5 2022, 00:08
dereckson added a revision: D2596: Set kernel state for router.Mar 22 2022, 18:18
dereckson added a commit: rOPS6deb32e01378: Set kernel state for router.
dereckson added a revision: D2672: Prune salt-primary role on Ysul and WindRiver.Apr 15 2022, 19:16
dereckson closed subtask T1619: Connect all baremetal servers to Drake network as Resolved.Apr 15 2022, 19:20

For Salt and Vault, we're already using the private network.

The last step is to switch the Docker engines to the private IP, so the Docker ports are bind there, and create one unified proxy (nginx or something else) for the different engines instead to have a nginx on each. That's well drafted in D2293.

dereckson added a commit: rOPS015557f0313e: Prune salt-primary role on Ysul and WindRiver.Apr 19 2022, 18:56
dereckson moved this task from Backlog to Not for this sprint on the Operations sprints (Consolidate them all) board.May 18 2023, 11:53
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator