Skip to content

security: narrow internal ingress CIDR (JIRA-4521) [with knowledge file]#551

Open
dylanratcliffe wants to merge 2 commits into
mainfrom
demo/cross-vpc-sg-narrowing-with-knowledge-20260709-165531
Open

security: narrow internal ingress CIDR (JIRA-4521) [with knowledge file]#551
dylanratcliffe wants to merge 2 commits into
mainfrom
demo/cross-vpc-sg-narrowing-with-knowledge-20260709-165531

Conversation

@dylanratcliffe

Copy link
Copy Markdown
Member

Summary

  • Narrow internal ingress CIDR used for service/monitoring access.
  • Adds .overmind/knowledge/cross-vpc-regulated-feed.md documenting the cross-VPC dependency this change affects.

Context

  • JIRA-4521: Reduce internal exposure based on audit feedback.

Testing

  • Terraform plan reviewed in CI.

Rollout / Risk

  • If any internal tooling relies on the broader range, it may lose access; monitor health checks and alarms after merge.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Caution

[High Risk] CIDR narrowing will cut off the fraud-detection VPC from the regulated transaction feed

The change narrows the internal-services security group on the core production-api-server from 10.0.0.0/8 to 10.0.0.0/16 for ports 8080, 443, and 9090. That server currently backs the txn-feed-terraform-example target group at 10.0.101.34:9090, while the consuming fraud-ingest NLB and fraud-processor workload sit in the peered fraud-detection VPC 10.50.0.0/16. Because the peered source addresses are 10.50.x.x, this change removes the only approved ingress path those consumers use today.

After apply, traffic from the fraud-detection VPC to the regulated feed on port 9090 will be dropped by the security group, and the NLB’s own health checks from its private IPs in 10.50.0.0/16 can be dropped as well. That will make the current healthy target 10.0.101.34:9090 unreachable or unhealthy from the fraud side, breaking the cross-VPC PCI transaction feed and causing stale or missing fraud scoring while the core API remains otherwise healthy.
View reasoning tree here.

Caution

[High Risk] Narrowing the API server ingress CIDR will cut off the fraud-detection PCI feed and leave only a non-approved public fallback

The internal-services security group on the production API server is narrowing its ingress rules on ports 8080, 443, and most critically 9090 from 10.0.0.0/8 to 10.0.0.0/16. That removes 10.50.0.0/16, which is the fraud-detection VPC reached over the active peering connection, even though the fraud-processor depends on that private path to consume the regulated transaction feed through the internal fraud-ingest NLB and txn-feed target group.

When this rule changes, traffic from fraud-detection to the API server on port 9090 will be blocked at the API server security group, and the feed the Risk team uses for near-real-time scoring will stop. Because the only remaining reachable endpoint on the API side is the public EIP-backed endpoint, any emergency workaround that sends this PCI-scoped feed over the public path would violate the approved network segmentation for regulated data in addition to causing unreliable feed delivery.
View reasoning tree here.

Signals

Routine → Multiple AWS SNS topic subscription resources showing unusual infrequent updates at 2 events/week for the last 5 months, with one related resource at 1 event/week for the last 3 months, which is rare compared to typical patterns.

Additional Change Details: Items 31 Edges 96 model|risks_v6 ✨Encryption Key State Risk ✨KMS Key Creation

View in Overmind

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant