ministryofjustice / cloud-platform

Documentation on the MoJ cloud platform
MIT License

Ingress: AWS Advanced Shield findings #6114

Open sj-williams opened 2 months ago

sj-williams commented 2 months ago

Background

If we want to wrap AWS Shield Advanced around our ingress NLBs, we need to rebuild the load balancers with a new EIP configuration.

How we might approach this needs considering, as there are many ways we could handle it:

Also, we have found that even if we do replace our NLB config with EIPs, the Shield options are very limited and rely on passive AWS monitoring; we cannot attach our own WAF rules to NLB IPs. In contrast, using ALBs for our ingress would allow us to do these things.

Capture all of the details in a Google Doc (linked here), and the possible options we have to move this forward. Share with the team for wider discussion (we probably need to set up a session for this).

Reference

How to write good user stories
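To make the two options in the ticket concrete, here is an added Terraform sketch (illustration only, not configuration from the cloud-platform repository) of what each path looks like in infrastructure code. Option A keeps the NLB but moves it to `subnet_mapping` with Elastic IPs so that Shield Advanced can protect the EIP allocations; Option B stands up an ALB, which Shield Advanced protects directly and which a WAFv2 web ACL can be associated with. Resource names, the `var.*` inputs and the web ACL are placeholders, and an active Shield Advanced subscription is assumed to exist already.

```hcl
# Added illustration, not from the cloud-platform repo. All names and var.* inputs are placeholders.

variable "public_subnet_ids" {
  type        = list(string)
  description = "Placeholder: public subnets the ingress load balancer lives in"
}

variable "alb_security_group_id" {
  type        = string
  description = "Placeholder: security group for the ALB option"
}

variable "ingress_web_acl_arn" {
  type        = string
  description = "Placeholder: ARN of a REGIONAL-scope WAFv2 web ACL defined elsewhere"
}

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# ---------------------------------------------------------------------------
# Option A: keep the NLB, give it static EIPs so Shield Advanced can protect it
# ---------------------------------------------------------------------------

# One EIP per public subnet; NLB static addressing is per-subnet.
resource "aws_eip" "ingress_nlb" {
  for_each = toset(var.public_subnet_ids)
  domain   = "vpc"
}

resource "aws_lb" "ingress_nlb" {
  name               = "ingress-nlb-example"
  load_balancer_type = "network"
  internal           = false

  # Static EIPs can only be attached through subnet_mapping. Switching an
  # existing NLB from `subnets` to `subnet_mapping` forces a replacement,
  # which is the rebuild the ticket refers to.
  dynamic "subnet_mapping" {
    for_each = aws_eip.ingress_nlb
    content {
      subnet_id     = subnet_mapping.key
      allocation_id = subnet_mapping.value.id
    }
  }
}

# Shield Advanced protects the EIP allocations, not the NLB resource itself,
# so there is one protection per EIP.
resource "aws_shield_protection" "ingress_nlb_eips" {
  for_each     = aws_eip.ingress_nlb
  name         = "ingress-nlb-${each.key}"
  resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${each.value.id}"
}

# ---------------------------------------------------------------------------
# Option B: ALB ingress, protected directly by Shield Advanced and fronted by WAF
# ---------------------------------------------------------------------------

resource "aws_lb" "ingress_alb" {
  name               = "ingress-alb-example"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids
  security_groups    = [var.alb_security_group_id]
}

# An ALB is a supported Shield Advanced resource type on its own ARN.
resource "aws_shield_protection" "ingress_alb" {
  name         = "ingress-alb"
  resource_arn = aws_lb.ingress_alb.arn
}

# WAFv2 web ACLs attach to an ALB (among other regional resources) but never
# to an NLB; this is the capability the NLB option lacks.
resource "aws_wafv2_web_acl_association" "ingress_alb" {
  resource_arn = aws_lb.ingress_alb.arn
  web_acl_arn  = var.ingress_web_acl_arn
}
```

The point to note when weighing the options: with Option A the only L7 control is whatever Shield Advanced does passively for the EIPs, whereas Option B adds a place to put explicit rules (rate limits, managed rule groups) in front of the ingress.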

timckt commented 1 month ago

We shall come back to this ticket and have a team discussion on this after our VPC CNI incident.