Write a script that takes the IP ranges for the AWS services (AMAZON, EC2 + CLOUDFRONT) (see: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html), widens them to /16, and merges them accordingly in order to minimize the number of CIDR blocks and thus the number of routing-table rules.
Why
We want to restrict access of the nomad-masters (leader) to the internet. That's why they are inside a subnet that only has access to AWS services. This restriction is made by allowing only routes to AWS services as specified at: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
Problem - access to ECR needs a lot of the IPs specified at https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
This results in more than 50 route entries for a route table, and the limit for route tables is 50.
Of course a limit increase can be requested, but due to the potential performance impact it's not recommended to do so.
With #6 we solved the issue by widening the CIDRs to /8. But as a long-term solution we need to have more restrictive CIDRs (i.e. /16).
But to generate these correctly (+ merge them) and optimally (least number of rules possible) we need a sophisticated script.
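One way to do the widening and merging requested above, as an added example that is not part of the original issue or the project's code. The function names are hypothetical, the sample document is constructed in the layout of AWS's `ip-ranges.json`, and the limit of 50 is the one stated in the issue; the returned ratio shows how much address space the widened routes reach beyond the published ranges.

```python
import ipaddress

ROUTE_LIMIT = 50  # routes per route table, as stated in the issue

# Constructed sample in the layout of AWS's ip-ranges.json; addresses are
# illustrative, not a copy of the live file.
SAMPLE = {"prefixes": [
    {"ip_prefix": "52.94.0.0/22", "service": "AMAZON"},
    {"ip_prefix": "52.94.200.0/24", "service": "EC2"},
    {"ip_prefix": "52.95.128.0/21", "service": "AMAZON"},
    {"ip_prefix": "54.92.0.0/17", "service": "EC2"},
    {"ip_prefix": "54.93.0.0/16", "service": "EC2"},
    {"ip_prefix": "13.32.0.0/15", "service": "CLOUDFRONT"},
    {"ip_prefix": "13.35.0.0/16", "service": "CLOUDFRONT"},
    {"ip_prefix": "52.219.0.0/20", "service": "S3"},
]}

def select(doc, services=("AMAZON", "EC2", "CLOUDFRONT")):
    """Parse the IPv4 prefixes published for the wanted services."""
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"] if p["service"] in services]

def widen_and_merge(nets, prefixlen=16):
    """Round prefixes longer than /prefixlen up to it, then merge."""
    widened = [n.supernet(new_prefix=prefixlen) if n.prefixlen > prefixlen else n
               for n in nets]
    # collapse_addresses drops duplicates and contained blocks and joins
    # aligned neighbours, so the result exactly covers the widened set.
    return list(ipaddress.collapse_addresses(widened))

def address_count(nets):
    """Number of distinct addresses covered by nets."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

def plan(doc, prefixlen=16):
    """Return (routes, over_allow), where over_allow is how many times more
    addresses the routes reach than the published ranges do."""
    published = select(doc)
    routes = widen_and_merge(published, prefixlen)
    if len(routes) > ROUTE_LIMIT:
        raise ValueError(f"{len(routes)} routes exceed the limit of {ROUTE_LIMIT}")
    return routes, address_count(routes) / address_count(published)

if __name__ == "__main__":
    routes, over_allow = plan(SAMPLE)
    for r in routes:
        print(r)
    print(f"{len(routes)} routes, {over_allow:.2f}x the published address space")
```

Merging can yield blocks wider than /16 (two adjacent /16s become one /15), but those cover only the union of the widened blocks, so the over-allow comes from the widening step alone.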