Skip to content

security: narrow internal ingress CIDR (JIRA-4521)#522

Open
dylanratcliffe wants to merge 1 commit into
mainfrom
security/jira-4521-narrow-internal-cidr-20260611-140051
Open

security: narrow internal ingress CIDR (JIRA-4521)#522
dylanratcliffe wants to merge 1 commit into
mainfrom
security/jira-4521-narrow-internal-cidr-20260611-140051

Conversation

@dylanratcliffe

@dylanratcliffe dylanratcliffe commented Jun 11, 2026

Copy link
Copy Markdown
Member

Summary

  • Narrow internal ingress CIDR used for service/monitoring access.

Context

  • JIRA-4521: Reduce internal exposure based on audit feedback.

Testing

  • Terraform plan reviewed in CI.

Rollout / Risk

  • If any internal tooling relies on the broader range, it may lose access; monitor health checks and alarms after merge.

@github-actions

github-actions Bot commented Jun 11, 2026

Copy link
Copy Markdown

Warning

[Medium Risk] Narrowing internal-services ingress to 10.0.0.0/16 will block cross-network health checks, HTTPS, and metrics traffic

The internal-services security group 540044833068.eu-west-2.ec2-security-group.sg-089e5107637083db5 is narrowing ingress on 8080, 443, and 9090 from 10.0.0.0/8 to 10.0.0.0/16. The current VPC itself is 10.0.0.0/16, so this change stops all traffic from other private 10.x.x.x networks outside this VPC, including peered VPCs, hybrid links, and other environments that previously matched the broader rule.

Because this group is explicitly used for internal service mesh, monitoring, and health checks, the new CIDR will block legitimate health probes, internal HTTPS calls, and Prometheus scrapes from any non-local 10/8 source. That will cause service reachability regressions and observability gaps immediately after rollout.
View reasoning tree here.

Signals

Routine → Multiple network and compute resources are showing unusual routine changes at only 1-2 events/week for the last 4-5 months, while one resource recorded 2 events/day for the last day.

Additional Change Details: Items 14 Edges 41 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

View in Overmind

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dylanratcliffe