MatthiasScholz / cos

Basic Cluster Orchestration Setup
GNU Lesser General Public License v3.0

Script to calculate cidr-blocks for egress_aws NatGW #7

Open ThomasObenaus opened 6 years ago

ThomasObenaus commented 6 years ago

Why

We want to restrict access of the nomad-masters (leader) to the internet. That's why they are inside a subnet that has only access to AWS services. This restriction is made by allowing only routes to AWS services as specified at: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

Problem: access to ECR needs a lot of the IPs specified at https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

This results in more than 50 route entries for a route table, and the limit for route tables is 50. Of course a limit increase can be requested, but due to potential performance impact it's not recommended to do so.

With https://github.com/MatthiasScholz/cos/issues/6 we solved the issue by widening the cidrs to /8. But as a long term solution we need to have more restrictive cidrs (i.e. /16). But to generate these correctly (+ merge them) and optimally (least number of rules possible) we need a sophisticated script.

ThomasObenaus commented 6 years ago

Task

Write a script that takes the ip-ranges for the AWS-Services (AMAZON, EC2 + CLOUDFRONT) (see: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html) widens them to /16 and merges them accordingly in order to minimize the number of cidr-blocks and thus the number of routing-table rules.
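One way to implement the task described above, as an added example that is not code from the cos repository: it uses Python's standard `ipaddress` module, assumes the `ip-ranges.json` layout (a `prefixes` list whose entries carry `ip_prefix`, `region` and `service`), and runs on a constructed sample in that shape rather than the live AWS file.

```python
"""Widen selected AWS ip-ranges prefixes to /16 and collapse them into the fewest CIDR blocks."""
import ipaddress
import json

ROUTE_TABLE_LIMIT = 50  # default route entries per AWS route table, as stated in the issue
DEFAULT_SERVICES = {"AMAZON", "EC2", "CLOUDFRONT"}

# Constructed sample in the shape of ip-ranges.json; the addresses are illustrative, not real AWS data.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "52.94.0.0/22", "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "52.94.4.0/22", "region": "eu-central-1", "service": "EC2"},
        {"ip_prefix": "52.95.0.0/24", "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "54.230.0.0/17", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "3.5.140.0/22", "region": "eu-central-1", "service": "S3"},
    ],
})


def widen_and_merge(ip_ranges_json, services=DEFAULT_SERVICES, prefix_len=16, region=None):
    """Return the minimal sorted list of IPv4 networks covering every selected prefix.

    A prefix longer than `prefix_len` is replaced by its enclosing /16 supernet; a prefix
    that is already shorter (e.g. a /15) is kept as-is, because "widening" it to /16 would
    actually shrink it. Overlapping and adjacent blocks are then collapsed.
    """
    data = json.loads(ip_ranges_json)
    widened = []
    for entry in data["prefixes"]:
        if entry["service"] not in services:
            continue
        if region is not None and entry["region"] != region:
            continue
        net = ipaddress.ip_network(entry["ip_prefix"])  # strict: rejects host bits set
        if net.prefixlen > prefix_len:
            net = net.supernet(new_prefix=prefix_len)
        widened.append(net)
    return sorted(ipaddress.collapse_addresses(widened))


def route_entries(ip_ranges_json, **kwargs):
    """Return the merged blocks as strings and whether they fit into one default route table."""
    blocks = [str(n) for n in widen_and_merge(ip_ranges_json, **kwargs)]
    return blocks, len(blocks) <= ROUTE_TABLE_LIMIT


if __name__ == "__main__":
    blocks, fits = route_entries(SAMPLE_IP_RANGES)
    print("\n".join(blocks), "\nfits default route table:", fits)
```

Widening to /16 admits more AWS address space than the original list, so the merged set is an over-approximation of the services named in the task; that is the trade-off the issue accepts in exchange for staying under the route-table limit.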