Open lgallard opened 3 years ago
@lgallard Using subnets as NACLs source was by design to only allow private subnets to pass through vpc-peerings. We must not allow an EC2 instance in a public subnet to route traffic to private subnets in peered accounts. So we'll need to keep this in mind since if we add the complete VPC CIDR we'll break this least privilege security premise.
CC: @diego-ojeda-binbash
@exequielrafaela @diego-ojeda-binbash take into account that current private subnet CIDR overlaps with the public CIDR:
To avoid this we must redefine the public subnet CIDR to [172.18.8.0/23, 172.18.10.0/23]
@lgallard Luis, great catch, and thanks for reporting this networking addressing here. As discussed we'll need to carefully program this update since we'll need to re-create the Pritunl VPN server in the new subnet segment address.
CC: @diego-ojeda-binbash
Describe the Bug
When adding more and more VPCs (apps-devstg, apps-devstg-eks, apps-devstg-eks-demoapss, apps-prd, apps-prd-eks, and so on) the limit of 20 rules per NACL is reached in the shared account. The limit can be increased to 40 rules but it won't scale in the future. This happens because each VPC's subnet CIDR is added instead of the VPC CIDR:
Expected Behavior
Add VPC CIDR instead of each subnet CIDR
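As an added example (not the project's code and not part of the original issue or its comments), the following Python check quantifies the three points raised in this thread: whether a public subnet overlaps a private one, how many NACL entries per-subnet rules need versus per-VPC rules against the 20 (or raised 40) entry quota, and which public subnets a whole-VPC CIDR rule would admit across the peering, which is the least-privilege concern above. Only the VPC names and the proposed public subnets 172.18.8.0/23 and 172.18.10.0/23 come from the thread; the /20 per VPC, the four private /23s per VPC, the "old" overlapping public subnet 172.18.6.0/24 and all helper names are assumptions constructed for illustration.

```python
"""Added checks for the NACL addressing discussion in this issue.

Not the project's code. Everything here is a constructed example: the
/20 per VPC, four private /23s per VPC and the "old" overlapping public
subnet 172.18.6.0/24 are assumptions; only the proposed public subnets
172.18.8.0/23 and 172.18.10.0/23 come from the thread.
"""
import ipaddress
from itertools import combinations

NACL_RULE_LIMIT = 20         # AWS default entries per NACL, per direction
NACL_RULE_LIMIT_RAISED = 40  # the raised quota mentioned in the issue

# VPC names taken from the issue; the CIDR layout below is assumed.
VPC_NAMES = ["apps-devstg", "apps-devstg-eks", "apps-devstg-eks-demoapss",
             "apps-prd", "apps-prd-eks"]


def make_topology(names, private_per_vpc=4, public_per_vpc=2):
    """Build {name: {"vpc", "private", "public"}} with one /20 per VPC.

    The /20 is split into eight /23s: private subnets are taken from the
    bottom, public subnets from offset .8.0, so the first VPC's public
    subnets are exactly 172.18.8.0/23 and 172.18.10.0/23 as proposed above.
    """
    topo = {}
    for i, name in enumerate(names):
        vpc = ipaddress.ip_network(f"172.{18 + i}.0.0/20")
        blocks = list(vpc.subnets(new_prefix=23))
        topo[name] = {
            "vpc": str(vpc),
            "private": [str(b) for b in blocks[:private_per_vpc]],
            "public": [str(b) for b in blocks[4:4 + public_per_vpc]],
        }
    return topo


def overlapping_pairs(cidrs):
    """Return every pair of CIDRs that overlap (the "great catch" above).

    An overlap between a public and a private subnet means a NACL or route
    entry written for one tier silently matches hosts of the other.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def nacl_rules_needed(topo, per_subnet=True):
    """Entries one direction of the shared account's NACL needs.

    per_subnet=True  -> one entry per peered private subnet (current design)
    per_subnet=False -> one entry per peered VPC CIDR (proposed change)
    """
    return sum(len(v["private"]) if per_subnet else 1 for v in topo.values())


def public_subnets_admitted(allowed_cidrs, topo):
    """Public subnets of the peered VPCs that fall inside `allowed_cidrs`.

    This is the least-privilege cost of allowing whole VPC CIDRs: every
    (vpc, public_subnet) returned could reach private subnets across the
    peering once the NACL admits its VPC CIDR.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [(name, pub) for name, v in topo.items() for pub in v["public"]
            if any(ipaddress.ip_network(pub).subnet_of(a) for a in allowed)]


if __name__ == "__main__":
    topo = make_topology(VPC_NAMES)
    # Assumed "old" public CIDR that overlapped the private range.
    old_layout = topo["apps-devstg"]["private"] + ["172.18.6.0/24"]
    print("overlaps in old layout:", overlapping_pairs(old_layout))
    print("overlaps in proposed layout:",
          overlapping_pairs(topo["apps-devstg"]["private"] + topo["apps-devstg"]["public"]))
    for per_subnet in (True, False):
        n = nacl_rules_needed(topo, per_subnet)
        print(f"per_subnet={per_subnet}: {n} entries "
              f"(limit {NACL_RULE_LIMIT}, raised {NACL_RULE_LIMIT_RAISED})")
    print("public subnets admitted by per-VPC rules:",
          public_subnets_admitted([v["vpc"] for v in topo.values()], topo))
```

With the assumed layout, five VPCs with four private /23s each already consume all 20 default entries, while per-VPC entries need only five; the trade-off is that per-VPC entries admit every public subnet of every peered VPC, which is what the first comment warns against.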