Re: Global networking change in our AWS accounts
Hi
On Wed, Nov 17, 2021 at 08:01:55AM -0300, Antonio Terceiro wrote:
> For ci, we are working with the security team on testing embargoed
> security updates, and for that we need a unique IP address, because it
> will be added to an ACL on the security repository side.
You mean via https://security-master.debian.org/debian-security-buildd?
> I would like the central server to have its unique public IPv4 address
> for this.
None of the IP addresses you can assign are actually stable. The best
approximation comes in the form of a complete IPv6 subnet, aka a /64 where
only your stuff with security access runs.
> > - IPv4 incoming will _not_ work with a public IP assigned to an
> > instance, and
> > - IPv4-only or (better) dual-stack network load balancers can be used
> > for stuff like HTTP access for users.
> This means that all incoming HTTP access has to go through the admins
> first. Is there a way to do this without creating a bottleneck or a
> SPoF?
I have not decided how that should work. Actually I added the
permissions required to manage load balancers. We can however also
pre-create it and only let you decide where to route the traffic.
Bastian
--
Love sometimes expresses itself in sacrifice.
-- Kirk, "Metamorphosis", stardate 3220.3