Skip to content

security: narrow internal ingress CIDR (JIRA-4521)#550

Open
dylanratcliffe wants to merge 1 commit into
mainfrom
security/jira-4521-narrow-internal-cidr-20260709-165156
Open

security: narrow internal ingress CIDR (JIRA-4521)#550
dylanratcliffe wants to merge 1 commit into
mainfrom
security/jira-4521-narrow-internal-cidr-20260709-165156

Conversation

@dylanratcliffe

Copy link
Copy Markdown
Member

Summary

  • Narrow internal ingress CIDR used for service/monitoring access.

Context

  • JIRA-4521: Reduce internal exposure based on audit feedback.

Testing

  • Terraform plan reviewed in CI.

Rollout / Risk

  • If any internal tooling relies on the broader range, it may lose access; monitor health checks and alarms after merge.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Caution

[High Risk] Ingress narrowing will block cross-VPC NLB traffic and health checks to the transaction-feed target

The change narrows ingress on sg-089e5107637083db5 from 10.0.0.0/8 to 10.0.0.0/16 for ports 8080, 443, and 9090, but the affected production-api-server at 10.0.101.34 is serving a TCP target group behind the internal Network Load Balancer fraud-ingest-terraform-example that lives in a different VPC with CIDR 10.50.0.0/16.

Because this NLB has no security group, AWS requires the target to allow traffic and health checks from the load balancer’s private IPs or VPC CIDR. After the rule is narrowed, traffic from the NLB nodes and other internal consumers in 10.50.0.0/16 will be blocked on 9090, and the same narrowing can also cut off internal HTTPS and health-check access on 443 and 8080. The txn-feed-terraform-example target will fail TCP health checks, be marked unhealthy, and traffic forwarded by the listener on port 9090 through the fraud-ingest DNS name will stop reaching the backend.
View reasoning tree here.

Caution

[High Risk] Narrowing port 9090 ingress to 10.0.0.0/16 will cut off the PCI fraud-detection feed from the peered 10.50.0.0/16 VPC

The security group sg-089e5107637083db5 is tightening port 9090 from 10.0.0.0/8 to 10.0.0.0/16, but the regulated transaction feed is fronted by the internal NLB fraud-ingest-terraform-example in peer VPC vpc-096b686376892bb49, whose CIDR is 10.50.0.0/16. The feed target remains the instance interface at 10.0.101.34, and AWS evaluates the inbound rule against the source private IP of that peered traffic.

When this change applies, requests from the fraud-detection VPC will no longer match the port 9090 ingress rule, so the PCI feed consumers will be unable to connect to the transaction feed. That will break the cross-VPC regulated feed path even though the target is healthy today.
View reasoning tree here.

Signals

Routine → Multiple AWS SNS topic subscription resources showing unusual infrequent updates at 2 events/week for the last 5 months, with one related resource at 1 event/week for the last 3 months, which is rare compared to typical patterns.

Additional Change Details: Items 19 Edges 50 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

View in Overmind

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant