giantswarm/aws-operator

Use separate security group for the API ELB

nhlfr opened this issue · 4 comments

nhlfr commented

Currently the API ELB is in the masters security group. Moving it to a separate security group means only the API ELB needs to be 0.0.0.0/0.

This is part of the security changes but can be implemented before we restrict the port access.

@rossf7 can you shed some light on this? Is this still valid?

Yes, I think we still need this. This means only the API ELB needs to be 0.0.0.0/0 and we restrict the master node to connections from the ELB and workers sec groups.
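Added example, not part of the thread and not aws-operator code: a check of the layout discussed above, run over security groups shaped like EC2 `DescribeSecurityGroups` output. The group IDs, port 443 and both rule sets are constructed assumptions.

```python
# Added example: verifies that only the ELB group is world-open and that the
# master group accepts traffic only from the ELB and worker groups.
# All group IDs, ports and rules are constructed sample data.
WORLD = {"0.0.0.0/0", "::/0"}

def _cidrs(perm):
    """All IPv4 and IPv6 source ranges of one ingress permission."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def world_open_groups(groups):
    """IDs of groups with at least one ingress rule open to the world."""
    return sorted(g["GroupId"] for g in groups
                  if any(c in WORLD for p in g.get("IpPermissions", []) for c in _cidrs(p)))

def audit_master_ingress(groups, master_id, allowed_source_ids):
    """Findings for master ingress that is world-open or that comes from a
    security group outside allowed_source_ids."""
    findings = []
    master = next(g for g in groups if g["GroupId"] == master_id)
    for perm in master.get("IpPermissions", []):
        ports = f'{perm.get("IpProtocol")}/{perm.get("FromPort")}-{perm.get("ToPort")}'
        for cidr in _cidrs(perm):
            if cidr in WORLD:
                findings.append(f"{master_id} {ports}: open to {cidr}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in allowed_source_ids:
                findings.append(f"{master_id} {ports}: unexpected source {pair['GroupId']}")
    return findings

def _rule(port, cidrs=(), source_groups=()):
    """Build one constructed TCP ingress permission."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": s} for s in source_groups]}

# Before: the ELB shares the masters group, so that group is world-open.
BEFORE = [{"GroupId": "sg-master", "IpPermissions": [_rule(443, cidrs=["0.0.0.0/0"])]},
          {"GroupId": "sg-worker", "IpPermissions": []}]
# After: the ELB has its own group; masters accept only the ELB and workers.
AFTER = [{"GroupId": "sg-elb", "IpPermissions": [_rule(443, cidrs=["0.0.0.0/0"])]},
         {"GroupId": "sg-master",
          "IpPermissions": [_rule(443, source_groups=["sg-elb", "sg-worker"])]},
         {"GroupId": "sg-worker", "IpPermissions": []}]

if __name__ == "__main__":
    allowed = {"sg-elb", "sg-worker"}
    for name, groups in (("before", BEFORE), ("after", AFTER)):
        print(name, world_open_groups(groups), audit_master_ingress(groups, "sg-master", allowed))
```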

Ping @teemow is this part of guest cluster lockdown?

Then let's close this one here.