Skip to content

security: narrow internal ingress CIDR (JIRA-4521) [with knowledge file]#549

Closed
dylanratcliffe wants to merge 2 commits into
mainfrom
demo/cross-vpc-sg-narrowing-with-knowledge-20260709-155558
Closed

security: narrow internal ingress CIDR (JIRA-4521) [with knowledge file]#549
dylanratcliffe wants to merge 2 commits into
mainfrom
demo/cross-vpc-sg-narrowing-with-knowledge-20260709-155558

Conversation

@dylanratcliffe

Copy link
Copy Markdown
Member

Summary

  • Narrow internal ingress CIDR used for service/monitoring access.
  • Adds .overmind/knowledge/cross-vpc-regulated-feed.md documenting the cross-VPC dependency this change affects.

Context

  • JIRA-4521: Reduce internal exposure based on audit feedback.

Testing

  • Terraform plan reviewed in CI.

Rollout / Risk

  • If any internal tooling relies on the broader range, it may lose access; monitor health checks and alarms after merge.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Caution

[High Risk] Narrowing internal-services to 10.0.0.0/16 will block the fraud-detection VPC from the regulated private feed

The internal-services security group on the production-api-server is being narrowed from 10.0.0.0/8 to 10.0.0.0/16 for ports 8080, 443, and 9090. That looks like routine hardening against the core VPC's own CIDR, but the current 10.0.0.0/8 scope is intentionally broader so the fraud-detection VPC 10.50.0.0/16 can reach this server over the fraud_detection_to_core peering connection. Blast-radius data shows the live regulated feed target 10.0.101.34:9090 is currently healthy, and the organization knowledge file states this cross-VPC dependency is real, PCI-scoped, and not modeled in Terraform.

Once the rule is narrowed, source addresses from 10.50.0.0/16 will no longer match the inbound rules, so the peered fraud-detection path to the transaction feed on 9090, health checks on 8080, and internal HTTPS/control-plane traffic on 443 will be blocked. That will cut fraud-processor off from fresh transaction data, make the fraud-ingest/txn-feed path unhealthy, and can force traffic toward the public production API endpoint, which the knowledge file explicitly identifies as a PCI network-segmentation violation rather than an acceptable fallback.
View reasoning tree here.

Signals

Routine → Multiple AWS SNS topic subscription resources showing unusual infrequent updates at 2 events/week for the last 5 months, with one related resource at 1 event/week for the last 3 months, which is rare compared to typical patterns.

Additional Change Details: Items 11 Edges 39 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

View in Overmind

@dylanratcliffe dylanratcliffe deleted the demo/cross-vpc-sg-narrowing-with-knowledge-20260709-155558 branch July 9, 2026 16:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant