## Security Groups
To increase security, additional security groups are added. Each type of resource has its own group (bastion, gitlab-rails, gitaly, etc.). Only traffic which is needed for the cluster to function properly is allowed. For example, HTTP access to the monitor node is only allowed from the public ALB.

There are too many rules to list here. For a complete list, see glh_security.tf.
### VPC traffic filters

#### Ingress traffic
Traffic entering the VPC is routed through load balancers. We only allow SSH and HTTP(S) and the security groups attached to these load balancers let you filter which traffic can enter the VPC. You can control the (default) allowed sources of each traffic type using the following variables.
| Name | Default | Description |
|---|---|---|
| `default_allowed_ingress_cidr_blocks` | `["0.0.0.0/0"]` | Default allowed ingress sources |
| `ssh_allowed_ingress_cidr_blocks` | `[]` | Allowed SSH ingress sources, defaults to `default_allowed_ingress_cidr_blocks` |
| `http_allowed_ingress_cidr_blocks` | `[]` | Allowed HTTP(S) ingress sources, defaults to `default_allowed_ingress_cidr_blocks` |
#### Egress traffic
All EC2 nodes are part of a common security group which filters egress traffic leaving the VPC. In order to harden security, we only allow DNS, HTTP(S) and NTP traffic to egress from the VPC. By default, the allowed traffic is able to visit 0.0.0.0/0 (i.e. the whole internet). You can control the (default) allowed destinations of each traffic type using the following variables.
| Name | Default | Description |
|---|---|---|
| `default_allowed_egress_cidr_blocks` | `["0.0.0.0/0"]` | Default allowed egress destinations |
| `dns_allowed_egress_cidr_blocks` | `[]` | Allowed DNS egress destinations, defaults to `default_allowed_egress_cidr_blocks` |
| `http_allowed_egress_cidr_blocks` | `[]` | Allowed HTTP(S) egress destinations, defaults to `default_allowed_egress_cidr_blocks` |
| `ntp_allowed_egress_cidr_blocks` | `[]` | Allowed NTP egress destinations, defaults to `default_allowed_egress_cidr_blocks` |
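The following is an added example, not code from glh_security.tf, showing how the "defaults to `default_allowed_*_cidr_blocks`" fallback from both the ingress and egress tables can be expressed in Terraform, with a plan-time check that refuses an explicit world-open SSH rule. The variable names match the tables above; the `vpc_id` variable, the security group names (`ssh_lb`, `all_nodes`) and the use of `coalescelist` for the fallback are assumptions about how such a module could be wired, not the module's actual implementation.

```hcl
# Added example (not from glh_security.tf). Assumed: a vpc_id input and the
# security group names below; the module's real names live in glh_security.tf.

variable "vpc_id" {
  type = string
}

variable "default_allowed_ingress_cidr_blocks" {
  type    = list(string)
  default = ["0.0.0.0/0"]
}

variable "ssh_allowed_ingress_cidr_blocks" {
  type    = list(string)
  default = []

  # Defender's check: refuse a plan that explicitly opens SSH to the internet.
  # Note this does not catch the case where the list is empty and the
  # permissive default list is used instead; narrow that default as well.
  validation {
    condition     = !contains(var.ssh_allowed_ingress_cidr_blocks, "0.0.0.0/0")
    error_message = "ssh_allowed_ingress_cidr_blocks must not contain 0.0.0.0/0; list specific source ranges."
  }
}

variable "default_allowed_egress_cidr_blocks" {
  type    = list(string)
  default = ["0.0.0.0/0"]
}

variable "ntp_allowed_egress_cidr_blocks" {
  type    = list(string)
  default = []
}

locals {
  # coalescelist returns the first non-empty list, so an empty per-service
  # list falls back to the default list, matching the tables' semantics.
  ssh_ingress_cidrs = coalescelist(var.ssh_allowed_ingress_cidr_blocks, var.default_allowed_ingress_cidr_blocks)
  ntp_egress_cidrs  = coalescelist(var.ntp_allowed_egress_cidr_blocks, var.default_allowed_egress_cidr_blocks)
}

# Security group attached to the SSH load balancer (assumed name).
resource "aws_security_group" "ssh_lb" {
  name   = "ssh-lb"
  vpc_id = var.vpc_id
}

# Common security group for all EC2 nodes that filters egress (assumed name).
# The AWS provider removes the implicit allow-all egress rule from a VPC
# security group it creates, so only the rules declared below apply.
resource "aws_security_group" "all_nodes" {
  name   = "all-nodes-egress"
  vpc_id = var.vpc_id
}

# SSH may only enter the VPC from the resolved source list.
resource "aws_security_group_rule" "ssh_ingress" {
  type              = "ingress"
  security_group_id = aws_security_group.ssh_lb.id
  protocol          = "tcp"
  from_port         = 22
  to_port           = 22
  cidr_blocks       = local.ssh_ingress_cidrs
}

# NTP (UDP/123) may only leave the VPC towards the resolved destination list.
resource "aws_security_group_rule" "ntp_egress" {
  type              = "egress"
  security_group_id = aws_security_group.all_nodes.id
  protocol          = "udp"
  from_port         = 123
  to_port           = 123
  cidr_blocks       = local.ntp_egress_cidrs
}
```

Running `terraform plan -var 'ssh_allowed_ingress_cidr_blocks=["203.0.113.0/24"]'` (a constructed documentation-range value) produces an SSH rule restricted to that range, while leaving the variable at its empty default resolves to `default_allowed_ingress_cidr_blocks`, which is `0.0.0.0/0` unless overridden. To review what actually ends up in the rules, `terraform show` on the resulting plan lists the `cidr_blocks` of each `aws_security_group_rule`.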