Conversation

@dylanratcliffe
Member

Summary

  • Narrow internal ingress CIDR used for service/monitoring access.

Context

  • JIRA-4521: Reduce internal exposure based on audit feedback.

Testing

  • Terraform plan reviewed in CI.

Rollout / Risk

  • If any internal tooling relies on the broader range, it may lose access; monitor health checks and alarms after merge.

@github-actions

github-actions bot commented Jan 8, 2026

Overmind

Open in Overmind ↗


model|risks_v6
✨Frontend Team Review

🔴 Change Signals

Policies 🔴 ▃▂▁ Multiple policy violations detected, including missing tags and lack of server-side encryption on S3 bucket 'aws_s3_bucket.terraform-example-state-bucket', and a security risk with unrestricted SSH access in a security group.
Routine 🟢 Ingress resources showing regular updates with 1 event/day for the last 4 weeks and 2 events/day for the last day.

View signals ↗


🔥 Risks

Removing NewCo 20/21 /32 ingress from customer whitelist SG will block their HTTPS access to the API ❗Medium Open Risk ↗
This change deletes the 203.0.113.120/32 (NewCo 20) and 203.0.113.121/32 (NewCo 21) ingress entries on port 443 from the customer-api-access security group (sg-03cf38efd953aa056), which is attached to the production API server instance with public IP 13.134.236.98.

Because the instance’s network interface uses this customer whitelist and no other attached rule permits those external sources, NewCo hosts connecting from those IPs will be blocked at the security group. Their HTTPS connections will fail, resulting in customer-visible API outages for those addresses.

CIDR narrowing on internal-services SG will block cross‑VPC monitoring/NLB health checks to 10.0.101.240:9090 ❗Medium Open Risk ↗
Ingress on the internal-services security group is being narrowed from 10.0.0.0/8 to 10.0.0.0/16 for ports 8080, 443, and 9090. The production-api-server at 10.0.101.240 uses this group and is registered as an IP target on port 9090 in a monitoring NLB’s target group that lives in a peered VPC 10.50.0.0/16.

Once applied, source traffic from the monitoring VPC (10.50.x.x) will no longer match the 10.0.0.0/16 rule. The NLB’s TCP health checks and Prometheus-style scrapes to 10.0.101.240:9090 will be blocked, causing the target to be marked unhealthy and metrics collection to fail, reducing observability and hiding potential service degradation.


🟣 Expected Changes

~ ec2-security-group › sg-03cf38efd953aa056
--- current
+++ proposed
@@ -176,18 +176,4 @@
       to_port: 443
     - cidr_blocks:
-        - 203.0.113.120/32
-      description: NewCo 20
-      from_port: 443
-      protocol: tcp
-      self: false
-      to_port: 443
-    - cidr_blocks:
-        - 203.0.113.121/32
-      description: NewCo 21
-      from_port: 443
-      protocol: tcp
-      self: false
-      to_port: 443
-    - cidr_blocks:
         - 203.0.113.16/30
       description: Acme Corp
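Review bot: This hunk removes two customer whitelist entries (203.0.113.120/32 "NewCo 20" and 203.0.113.121/32 "NewCo 21") on tcp/443 from the customer-facing group, which is outside the scope stated in the PR summary ("Narrow internal ingress CIDR used for service/monitoring access"). If the removal is intended, it needs to be called out in the description and in the rollout note and confirmed with the customer, since the rollout note only talks about monitoring internal health checks and alarms and would not catch a customer-side HTTPS outage from those addresses; if it is not intended, the plan is picking up drift or an unrelated state change and the two entries should be restored before merge.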
~ ec2-security-group › sg-089e5107637083db5
--- current
+++ proposed
@@ -15,5 +15,5 @@
   ingress:
     - cidr_blocks:
-        - 10.0.0.0/8
+        - 10.0.0.0/16
       description: Health check endpoint
       from_port: 8080
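Review bot: 10.0.0.0/16 covers only the local VPC, but the rule's own description ("Health check endpoint") together with the risk analysis above points at a load balancer in a peered VPC (10.50.0.0/16) as the source of the checks, so narrowing from /8 to /16 silently drops it. Keep the peered range as an explicit second entry, e.g. `- 10.50.0.0/16` under `cidr_blocks`, or a managed prefix list for the monitoring VPC, rather than relying on one summary CIDR.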
@@ -22,5 +22,5 @@
       to_port: 8080
     - cidr_blocks:
-        - 10.0.0.0/8
+        - 10.0.0.0/16
       description: Internal HTTPS - monitoring, service mesh, internal tools
       from_port: 443
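Review bot: The description names three source populations (monitoring, service mesh, internal tools) but after this change only the local VPC range is permitted; any of them that run in the peered monitoring VPC (10.50.0.0/16 in the risk analysis above) lose internal HTTPS access on apply. Enumerate the real source range per population and list each one explicitly, and update the description so it matches what the rule actually admits.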
@@ -29,5 +29,5 @@
       to_port: 443
     - cidr_blocks:
-        - 10.0.0.0/8
+        - 10.0.0.0/16
       description: Prometheus metrics scraping
       from_port: 9090
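Review bot: This is the rule the risk analysis ties to a concrete break: Prometheus scrapes of 10.0.101.240:9090 originate in 10.50.0.0/16 and will no longer match 10.0.0.0/16. Unless the scraper is being moved into the local VPC as part of this rollout, add the scraper's range (10.50.0.0/16, or tighter, its subnet) as a second `cidr_blocks` entry before merging rather than discovering the gap from a target marked unhealthy afterwards.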


💥 Blast Radius

Items 56

Edges 208
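The two risks above both come down to the same question: which known traffic flows does the proposed ingress change stop matching? The following pre-apply check is an added example, not code from the PR or from Overmind. The rule sets mirror the two security-group diffs in the comment above; the flow list is constructed for illustration, and the 10.50.3.12 (monitoring, peered VPC) and 10.0.42.7 (service mesh, local VPC) source addresses are assumptions, not values from the page.

```python
"""Pre-apply regression check for AWS security-group ingress changes.

Added example: not code from the PR or from Overmind. The rule sets mirror the
two ec2-security-group diffs in the review comment; the flows are constructed,
and the 10.50.3.12 / 10.0.42.7 source addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    cidr_blocks: tuple        # CIDR strings, as in the Terraform ingress block
    from_port: int
    to_port: int
    protocol: str = "tcp"     # "-1" means all protocols in AWS terms
    description: str = ""


@dataclass(frozen=True)
class Flow:
    source: str               # source IP of a connection that must keep working
    port: int
    label: str
    protocol: str = "tcp"


def rule_allows(rule: IngressRule, flow: Flow) -> bool:
    """True if this single ingress rule permits the flow."""
    if rule.protocol not in ("-1", flow.protocol):
        return False
    if not rule.from_port <= flow.port <= rule.to_port:
        return False
    src = ipaddress.ip_address(flow.source)
    return any(src in ipaddress.ip_network(cidr, strict=False)
               for cidr in rule.cidr_blocks)


def allowed(rules, flow: Flow) -> bool:
    """Security-group semantics: any matching rule allows; there is no deny rule."""
    return any(rule_allows(r, flow) for r in rules)


def regressions(current, proposed, flows):
    """Flows the current rules allow but the proposed rules would block."""
    return [f for f in flows if allowed(current, f) and not allowed(proposed, f)]


def missing_cidrs(current, proposed, flows):
    """One host entry per broken source, ready to paste back into cidr_blocks."""
    hosts = {str(ipaddress.ip_network(f.source))
             for f in regressions(current, proposed, flows)}
    return sorted(hosts)


# customer-api-access (sg-03cf38efd953aa056): the diff drops the two NewCo /32s on tcp/443
CUSTOMER_CURRENT = (
    IngressRule(("203.0.113.120/32",), 443, 443, description="NewCo 20"),
    IngressRule(("203.0.113.121/32",), 443, 443, description="NewCo 21"),
    IngressRule(("203.0.113.16/30",), 443, 443, description="Acme Corp"),
)
CUSTOMER_PROPOSED = CUSTOMER_CURRENT[2:]


# internal-services (sg-089e5107637083db5): 10.0.0.0/8 -> 10.0.0.0/16 on 8080, 443, 9090
def internal_rules(cidr: str):
    return (
        IngressRule((cidr,), 8080, 8080, description="Health check endpoint"),
        IngressRule((cidr,), 443, 443,
                    description="Internal HTTPS - monitoring, service mesh, internal tools"),
        IngressRule((cidr,), 9090, 9090, description="Prometheus metrics scraping"),
    )


INTERNAL_CURRENT = internal_rules("10.0.0.0/8")
INTERNAL_PROPOSED = internal_rules("10.0.0.0/16")

# Constructed flows the reviewer knows must keep working after apply.
# 10.50.3.12 stands in for the monitoring NLB in the peered VPC 10.50.0.0/16 and
# 10.0.42.7 for a service-mesh peer in the local VPC; both addresses are assumed.
FLOWS = (
    Flow("203.0.113.120", 443, "NewCo 20"),
    Flow("203.0.113.121", 443, "NewCo 21"),
    Flow("203.0.113.17", 443, "Acme Corp"),
    Flow("10.0.42.7", 443, "service mesh"),
    Flow("10.50.3.12", 8080, "NLB health check"),
    Flow("10.50.3.12", 9090, "Prometheus scrape"),
)

if __name__ == "__main__":
    for name, cur, prop in (("customer-api-access", CUSTOMER_CURRENT, CUSTOMER_PROPOSED),
                            ("internal-services", INTERNAL_CURRENT, INTERNAL_PROPOSED)):
        for f in regressions(cur, prop, FLOWS):
            print(f"{name}: BLOCKED {f.label} ({f.source}:{f.port}/{f.protocol})")
        print(f"{name}: entries needed to restore: {missing_cidrs(cur, prop, FLOWS)}")
```

Run against the page's diffs this reports the NewCo 20/21 flows blocked on the customer group and the 8080/9090 flows from the peered-VPC monitoring address blocked on the internal group, while the Acme /30 and the local-VPC mesh address still pass. The flow list is the part worth maintaining: it encodes which sources a group is expected to serve, so a CIDR change can be judged before apply instead of from health checks afterwards.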


@github-actions github-actions bot left a comment


Overmind

✅ Auto-Approved


🟢 Decision

Auto-approved: All safety checks passed


📊 Signals Summary

Routine 🟢 +1


🔥 Risks Summary

High 0 · Medium 1 · Low 0


💥 Blast Radius

Items 66 · Edges 224


View full analysis in Overmind ↗


@github-actions github-actions bot left a comment


Overmind

⛔ Auto-Blocked


🔴 Decision

Auto-blocked: Policy signal (-3) is below threshold (-2)


📊 Signals Summary

Policies 🔴 -3

Routine 🟢 +1


🔥 Risks Summary

High 0 · Medium 2 · Low 0


💥 Blast Radius

Items 56 · Edges 208


View full analysis in Overmind ↗

@dylanratcliffe dylanratcliffe deleted the security/jira-4521-narrow-internal-cidr-20260108-150204 branch January 11, 2026 21:26