binbashar / le-tf-infra-aws

Terraform code for Leverage Reference Architecture for AWS, designed under optimal configs for the most popular modern web and mobile applications needs.
https://www.binbash.co/leverage
Apache License 2.0

Bug | NetworkAclEntryLimitExceeded for NACL in the shared account #276

Open lgallard opened 3 years ago

lgallard commented 3 years ago

Describe the Bug

When adding more and more VPCs (apps-devstg, apps-devstg-eks, apps-devstg-eks-demoapss, apps-prd, apps-prd-eks, and so on) the limit of 20 rules per NACL is reached in the shared account. The limit can be increased to 40 rules, but it won't scale in the future.

This happens because each VPC's subnet CIDR is added instead of the VPC CIDR:

[screenshot 2021-07-08_16-21]

Expected Behavior

Add VPC CIDR instead of each subnet CIDR

exequielrafaela commented 3 years ago

@lgallard Using subnets as NACL sources was by design, to only allow private subnets to pass through VPC peerings. We must not allow an EC2 instance in a public subnet to route traffic to private subnets in peered accounts. So we'll need to keep this in mind, since if we add the complete VPC CIDR we'll break this least-privilege security premise.

CC: @diego-ojeda-binbash

lgallard commented 3 years ago

@exequielrafaela @diego-ojeda-binbash take into account that the current private subnet CIDR overlaps with the public CIDR:

[screenshot]

[screenshot]

To avoid this we must redefine the public subnet CIDR to `[172.18.8.0/23, 172.18.10.0/23]`.
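Added example, not code from the le-tf-infra-aws repository: a small standard-library Python check for the two problems raised in this thread, the per-subnet NACL rule count and the public/private subnet overlap. It also goes one step past the two positions taken above (one rule per private subnet, or the whole VPC CIDR): for each private subnet it computes the widest supernet that stays inside the VPC CIDR and contains no public subnet, which cuts rule count without admitting public-subnet hosts through the peering. The VPC names and every CIDR except 172.18.8.0/23 and 172.18.10.0/23 are constructed sample values; `NACL_RULE_LIMIT` is the default AWS quota of 20 rules mentioned in the issue.

```python
"""Audit VPC subnet addressing before it is turned into shared-account NACL rules.

Constructed example; none of the VPC layouts below are the real Leverage ones.
"""
import ipaddress

# Default AWS quota per network ACL (raisable to 40, as the issue notes).
NACL_RULE_LIMIT = 20

# Constructed sample layout: the public subnets land inside the first private
# subnet, which is the overlap reported in the thread.
BROKEN_DEVSTG = {
    "cidr": "172.18.0.0/20",
    "private": ["172.18.0.0/23", "172.18.2.0/23", "172.18.4.0/23"],
    "public": ["172.18.0.0/24", "172.18.1.0/24"],
}

# Same VPC with the public subnets moved to the ranges proposed in the issue.
FIXED_DEVSTG = {
    "cidr": "172.18.0.0/20",
    "private": ["172.18.0.0/23", "172.18.2.0/23", "172.18.4.0/23"],
    "public": ["172.18.8.0/23", "172.18.10.0/23"],
}

# A second constructed VPC, to show rule counts across several peered VPCs.
APPS_PRD = {
    "cidr": "172.19.0.0/20",
    "private": ["172.19.0.0/23", "172.19.2.0/23", "172.19.4.0/23", "172.19.6.0/23"],
    "public": ["172.19.8.0/23", "172.19.10.0/23"],
}


def nets(cidrs):
    """Parse CIDRs strictly: a CIDR with host bits set (e.g. 172.18.1.0/23)
    is a misconfiguration and raises ValueError instead of being silently
    normalised."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def find_overlaps(vpc):
    """Return sorted (public, private) pairs whose ranges overlap.
    Any hit means a NACL rule meant for a private subnet also admits hosts
    of a public subnet."""
    return sorted(
        (str(pub), str(prv))
        for pub in nets(vpc["public"])
        for prv in nets(vpc["private"])
        if pub.overlaps(prv)
    )


def private_only_aggregates(vpc):
    """Widen each private subnet toward the VPC CIDR for as long as the
    candidate supernet contains no public subnet, then merge the results.
    Refuses to run on a VPC whose subnets overlap: that must be fixed first."""
    overlaps = find_overlaps(vpc)
    if overlaps:
        raise ValueError(f"public/private overlap, fix addressing first: {overlaps}")
    vpc_cidr = ipaddress.ip_network(vpc["cidr"], strict=True)
    public = nets(vpc["public"])
    widened = []
    for cur in nets(vpc["private"]):
        # Never widen past the VPC CIDR: the aggregate must not reach
        # address space belonging to another VPC.
        while cur.prefixlen > vpc_cidr.prefixlen:
            candidate = cur.supernet(prefixlen_diff=1)
            if any(candidate.overlaps(p) for p in public):
                break
            cur = candidate
        widened.append(cur)
    result = list(ipaddress.collapse_addresses(widened))
    # Defensive re-check of the least-privilege property.
    assert not any(a.overlaps(p) for a in result for p in public)
    return [str(n) for n in result]


def nacl_rule_counts(vpcs):
    """Rules the shared-account NACL needs for these peered VPCs:
    (one rule per private subnet, one rule per private-only aggregate)."""
    per_subnet = sum(len(v["private"]) for v in vpcs.values())
    aggregated = sum(len(private_only_aggregates(v)) for v in vpcs.values())
    return per_subnet, aggregated


if __name__ == "__main__":
    print("broken devstg overlaps:", find_overlaps(BROKEN_DEVSTG))
    peered = {"apps-devstg": FIXED_DEVSTG, "apps-prd": APPS_PRD}
    for name, vpc in peered.items():
        print(name, "private-only aggregates:", private_only_aggregates(vpc))
    per_subnet, aggregated = nacl_rule_counts(peered)
    print(f"NACL rules needed: {per_subnet} per-subnet vs {aggregated} aggregated "
          f"(limit {NACL_RULE_LIMIT})")
```

One caveat on the aggregation: a widened supernet also covers address space inside the VPC CIDR that is not yet allocated to any subnet, so if a public subnet is later carved out of that range the rule would start admitting it. Re-run the check whenever a VPC's subnet layout changes, ideally as a `terraform plan` pre-step.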

exequielrafaela commented 3 years ago

@lgallard Luis, great catch, and thanks for reporting this networking addressing here. As discussed we'll need to carefully program this update since we'll need to re-create the Pritunl VPN server in the new subnet segment address.

CC: @diego-ojeda-binbash