Our new production VPC (Virtual Private Cloud) is ready to be populated, and we need your help to define new security groups (a.k.a. the AWS stateful firewall) for our applications before we start migrating our servers from the deprecated and insecure EC2 Classic environment into our new production VPC.
The goal of this project is to enable the required network connectivity between our services using the principle of least privilege. That means servers will be given network access only to the ports and servers they actually require access to, and nothing else.
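To make the least-privilege goal concrete, here is an added example (not the site-infra team's own tooling) that turns a team's connectivity requirements into per-service ingress rules, each allowing a single port from a single source security group rather than a CIDR, and then audits a rule set for the broad rules we want to leave behind (all protocols, wide port ranges, 0.0.0.0/0 sources). The requirements format, the service names and the legacy rule set are constructed for illustration:

```python
"""Least-privilege security-group helper (added example, not site-infra tooling).

build_ingress_rules() derives one ingress rule per (source, destination, port)
pair, referencing the source service's security group instead of a CIDR.
audit_rules() flags rules that are broader than a single port from a single
source. The input format below is an assumption made for this example.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample of the connectivity requirements a team might hand over:
# (source service, destination service, protocol, port)
REQUIREMENTS = [
    ("alb", "web", "tcp", 443),
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
    ("bastion", "web", "tcp", 22),
    ("bastion", "app", "tcp", 22),
]

# Constructed example of the kind of rules found on a legacy EC2 Classic group:
# every port from the whole private range, and everything from the internet.
LEGACY_RULES = {
    "db": [{"protocol": "tcp", "from_port": 0, "to_port": 65535, "cidr": "10.0.0.0/8"}],
    "web": [{"protocol": "-1", "from_port": -1, "to_port": -1, "cidr": "0.0.0.0/0"}],
}


def build_ingress_rules(requirements):
    """Return {destination_service: [rule, ...]}.

    Each rule allows exactly one protocol/port from exactly one source security
    group (named after the source service), so no CIDR is ever needed between
    services and a compromised host outside the source group gains nothing.
    """
    rules = defaultdict(list)
    for src, dst, proto, port in requirements:
        rule = {"protocol": proto, "from_port": port, "to_port": port, "source_sg": src}
        if rule not in rules[dst]:  # collapse duplicate requirements
            rules[dst].append(rule)
    return dict(rules)


def audit_rule(rule):
    """Return a list of findings for one ingress rule; empty means it is least-privilege."""
    findings = []
    if rule.get("protocol") == "-1":  # AWS encodes "all traffic" as protocol -1
        findings.append("allows every protocol and port")
    elif rule["from_port"] != rule["to_port"]:
        findings.append(
            f"allows port range {rule['from_port']}-{rule['to_port']} rather than a single port"
        )
    cidr = rule.get("cidr")
    if cidr is not None and ip_network(cidr).prefixlen == 0:
        findings.append(f"source {cidr} is the whole internet")
    return findings


def audit_rules(rules_by_sg):
    """Audit every rule of every security group; returns [(group, finding), ...]."""
    return [
        (sg, finding)
        for sg, rules in rules_by_sg.items()
        for rule in rules
        for finding in audit_rule(rule)
    ]


if __name__ == "__main__":
    generated = build_ingress_rules(REQUIREMENTS)
    for sg, rules in generated.items():
        print(sg, rules)
    print("generated findings:", audit_rules(generated))
    print("legacy findings:", audit_rules(LEGACY_RULES))
```

Run as a script it prints the generated rules, no findings for them, and three findings for the legacy set. The same audit can be pointed at the output of `aws ec2 describe-security-groups` once the fields are mapped to this rule shape.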
To avoid service interruptions, the @site-infra team will attempt to collect connectivity requirements in advance from the teams in charge of each application, and will try to schedule all security group changes during release windows to reduce the impact of possible misconfigurations.
We have already gathered some information in these pages; however, some of it is already out of date and likely incomplete. You are encouraged to review and update these pages with your actual connectivity requirements. In addition, we will use the information collected by Ryan in this spreadsheet.
We greatly appreciate and are looking forward to your help in making our production infrastructure more secure and reliable. Feel free to reach out to the @site-infra team in our #site-infra-channel if you have any questions or suggestions, or comment on this post.