np-guard / vpc-network-config-analyzer

A tool for analyzing the configured network connectivity of VPCs as specified by various VPC resources
Apache License 2.0

filters split subnets with lb #619

Closed haim-kermany closed 1 day ago

haim-kermany commented 3 weeks ago

This PR handles cases where a filter splits the subnet CIDR. In such cases, we might need to create more than one private IP per subnet. The solution is:

  1. collect all the CIDRs of the filter rules
  2. create disjoint blocks from the collected CIDRs
  3. using these blocks, for each subnet, split the subnet CIDR into a list of disjoint blocks
  4. create a private IP for each subnet block
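The four steps above, as an added Go example that is not the project's code: it uses plain uint32 ranges instead of the tool's ipblock package, and taking each block's first address as the private IP is an assumption of the example.

```go
package main

import (
	"net/netip"
	"sort"
)

type ipRange struct{ lo, hi uint32 } // closed range of IPv4 addresses

// parseCIDR converts an IPv4 CIDR such as "10.0.0.0/25" into an ipRange.
func parseCIDR(s string) ipRange {
	p := netip.MustParsePrefix(s).Masked()
	a := p.Addr().As4()
	lo := uint64(a[0])<<24 | uint64(a[1])<<16 | uint64(a[2])<<8 | uint64(a[3])
	return ipRange{uint32(lo), uint32(lo + uint64(1)<<(32-p.Bits()) - 1)}
}

// splitSubnet is steps 1-3 of the PR description: every edge of a filter CIDR
// becomes a cut point, and consecutive cut points that fall inside the subnet
// delimit its disjoint blocks, so no block straddles a filter rule boundary.
func splitSubnet(subnetCIDR string, filterCIDRs []string) []ipRange {
	sub := parseCIDR(subnetCIDR)
	cuts := []uint64{uint64(sub.lo), uint64(sub.hi) + 1} // subnet edges are cut points too
	for _, c := range filterCIDRs {
		r := parseCIDR(c)
		cuts = append(cuts, uint64(r.lo), uint64(r.hi)+1)
	}
	sort.Slice(cuts, func(i, j int) bool { return cuts[i] < cuts[j] })
	var blocks []ipRange
	for i := 0; i+1 < len(cuts); i++ {
		if cuts[i+1] == cuts[i] || cuts[i] < uint64(sub.lo) || cuts[i+1] > uint64(sub.hi)+1 {
			continue // duplicate cut point, or a block lying outside the subnet
		}
		blocks = append(blocks, ipRange{uint32(cuts[i]), uint32(cuts[i+1] - 1)})
	}
	return blocks
}

// privateIPs is step 4: one private IP per block (more than one block per subnet
// is the case the review asked to warn about). Taking each block's first address
// is an assumption of this example, not the tool's own allocation rule.
func privateIPs(blocks []ipRange) []string {
	ips := make([]string, len(blocks))
	for i, b := range blocks {
		ips[i] = netip.AddrFrom4([4]byte{byte(b.lo >> 24), byte(b.lo >> 16), byte(b.lo >> 8), byte(b.lo)}).String()
	}
	return ips
}
```

With constructed rules 10.0.0.0/25 and 10.0.0.192/26, subnet 10.0.0.0/24 splits into three blocks and therefore needs three private IPs; a rule covering the whole subnet leaves it as one block.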

ShiriMoran commented 3 weeks ago

general question: to the best of my understanding, the process of finding atomic IPs w.r.t. ACL and SG is something we already do for defining Nodes in the VPC. Why not reuse it? @adisos

haim-kermany commented 3 weeks ago

comments from Adi:

  1. add a warning if a subnet has more than one block
  2. reuse the code from the filters analyzer to get the filter rules

haim-kermany commented 3 weeks ago

comments from Adi:

1. add a warning if a subnet has more than one block

2. reuse the code from the filters analyzer to get the filter rules

Added the warning.

I tried to use the code:

```go
ipBlocks := []*ipblock.IPBlock{}
for _, f := range config.FilterResources {
	ipBlocks = append(ipBlocks, f.ReferencedIPblocks()...)
}
```

However, we have a conflict:

  1. to use this code, we need to parse the filters before we parse the load balancer.
    1. while parsing the filters, we need to apply the SG on the private IPs

adisos commented 2 weeks ago

handling cases where a filter splits the subnet ACL

Please add a description in the PR / issue of how this is handled (input, output, etc.).