Firewalling #128
Comments
|
... in addition to the EC2 ipranges from the region, since you're using public IP for access betweeen ansible nodes |
|
Good suggestion, thanks @bentterp |
|
@mglantz thanks. I can't do the ansible for it but the ip-ranges can be obtained like this curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service=="EC2") | select(.region=="eu-west-1") | .ip_prefix' and for the conference roon wifi just curl http://checkip.amazonaws.com |
|
This is one option. |
teemu-u
added
enhancement
|
you'll still need to have student access to both giltlab and tower servers so they need public IP open and accessible. Creating an AWS security group for this using the ipranges and public ip of conference center is not that hard, and then you simply attach that security group to all the instances. |
|
This suggestion would exclude those who are forced to use corporate VPNs. |
|
This is true if the VPN cannot be disabled or configured with split tunneling. But the alternative which we saw yesterday was that a lot of students simply didn't have access to the unfiltered servers. IMNSHO, there should be little need of corporate VPN during a roadshow training. If the contents of your laptop are so sensitive that you need to have an always-on-filter-everything VPN, then consider using another laptop for going to conventions etc. If you're deploying the exercise yourself for internal trainings, then you can of course whitelist your company's ip-adresses. |
As you are in control of the Wifi providing access to the environment you can also know the public ip used to access the instances.
Given that, use AWS security groups to restrict access to the servers.
The text was updated successfully, but these errors were encountered: