kinvolk / lokomotive

🪦 DISCONTINUED Further Lokomotive development has been discontinued. Lokomotive is a 100% open-source, easy to use and secure Kubernetes distribution from the volks at Kinvolk
https://kinvolk.io/lokomotive-kubernetes/
Apache License 2.0

Packet: Whitelist traffic to open ports HTTP/HTTPS #411

Open surajssd opened 4 years ago

surajssd commented 4 years ago

This feature is to allow a user to specify whitelisted ports to allow traffic coming to ingress. This might sound counterproductive, but it is a feature used to protect the exposed cluster against DDoS attacks.

Cloudflare supports this feature where we can whitelist the IPs of the cloudflare and the traffic is proxied by Cloudflare.

Docs:

surajssd commented 4 years ago

For implementing this think about "How to expose Ingress?" in such setups.

Do we make an entry of the Cloudflare proxy IP in the DNS and where does the Packet EIP fit in here?

johananl commented 4 years ago

I like the idea; however, we should also think about the wider implications of such a change. Also, ideally we should have it for all platforms with platform-specific implementation. For example, on Packet we can restrict source IPs of ingress traffic using GNPs, whereas on AWS we may want to use AWS SGs.

This functionality can be useful for any CDN, not just Cloudflare. CDNs typically expose an up-to-date list of their CIDRs in text form. Example: https://www.cloudflare.com/ips-v4

Lastly, I also want us to think about putting the logic for keeping the IPs up to date in a controller. Not doing so means that when the CDN adds a new block, traffic from the new IPs will be blackholed until a human updates the config.
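To make the controller idea above concrete, here is an added example (not Lokomotive code, and not a real controller) of the reconcile step such a controller would run: it parses a CDN-style CIDR list, renders a Calico GlobalNetworkPolicy that allows TCP 80/443 only from those ranges, and reports which ranges were added or removed relative to the deployed policy. The CIDR list, the `app == 'ingress'` selector and the policy name are constructed assumptions for the demo; the real list would be fetched from the CDN's published URL.

```python
import ipaddress
import json

# Constructed sample in the one-CIDR-per-line format CDNs publish.
# These are documentation ranges, not the real Cloudflare ranges.
SAMPLE_CDN_LIST = """\
# published ranges (constructed sample)
198.51.100.0/24
203.0.113.0/24
192.0.2.0/24
not-a-cidr
"""

ALLOWED_PORTS = [80, 443]


def parse_cidr_list(text):
    """Return the valid IPv4 networks from a CDN-style text list.

    Blank lines, comments and malformed entries are skipped; a malformed
    entry is dropped rather than turned into a wider range.
    """
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            continue
        if net.version == 4:
            nets.append(str(net))
    return sorted(nets)


def build_ingress_policy(nets, ports=ALLOWED_PORTS, name="allow-cdn-ingress"):
    """Render a Calico GlobalNetworkPolicy allowing TCP to `ports` only from `nets`."""
    if not nets:
        # An empty allowlist would silently block all ingress; fail loudly instead.
        raise ValueError("refusing to build a policy with an empty source list")
    return {
        "apiVersion": "projectcalico.org/v3",
        "kind": "GlobalNetworkPolicy",
        "metadata": {"name": name},
        "spec": {
            "order": 100,
            # Hypothetical label selecting the ingress controller pods.
            "selector": "app == 'ingress'",
            "types": ["Ingress"],
            "ingress": [{
                "action": "Allow",
                "protocol": "TCP",
                "source": {"nets": nets},
                "destination": {"ports": ports},
            }],
        },
    }


def diff_sources(current_policy, desired_policy):
    """Return (added, removed) CIDRs between the deployed and the desired policy."""
    cur = set(current_policy["spec"]["ingress"][0]["source"]["nets"])
    new = set(desired_policy["spec"]["ingress"][0]["source"]["nets"])
    return sorted(new - cur), sorted(cur - new)


def reconcile(current_policy, cdn_text):
    """One controller iteration: compute the desired policy and report drift."""
    desired = build_ingress_policy(parse_cidr_list(cdn_text))
    added, removed = diff_sources(current_policy, desired)
    return desired, added, removed


if __name__ == "__main__":
    # Pretend the deployed policy is stale: one range is missing, one is obsolete.
    deployed = build_ingress_policy(["192.0.2.0/24", "198.18.0.0/15"])
    desired, added, removed = reconcile(deployed, SAMPLE_CDN_LIST)
    print(json.dumps(desired, indent=2))
    print("added:", added, "removed:", removed)
```

Two points the output makes visible: a stale allowlist is exactly the blackholing case described above (the `added` ranges are the ones whose traffic is currently dropped), and because Calico drops traffic to an endpoint that is selected by a policy but matched by no allow rule, this single policy already excludes every source outside the list for the selected pods, so no separate deny rule is needed.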