On Fri, Oct 18, 2019 at 2:25 PM Bryan Davis <bd808@wikimedia.org> wrote:

> * It seems reasonable that DNS records for *.wmcloud.org should all
> relate to publicly routable addresses. Does it also seem reasonable
> that *.wikimedia.cloud DNS records should all relate to non-publicly
> routable addresses? If an address from a publically routable IPv4
> space is being used only to provide a service IP for a service that is
> 100% internal to Cloud VPS (like the example of the HAProxy cluster
> fronting a Kubernetes cluster inside the tools project) is it
> acceptable to create an A record in the *.wikimedia.cloud zone for
> that address?

yeah, that all sounds good to me.

> * Should we have a floating IP pool of non-publicly routable IPv4
> addresses for use cases where the service that is being provided is
> only intended to be internal to a single project or the Cloud VPS
> tenant network? Routable IPv4 addresses are a limited commodity, and
> currently Cloud VPS has a very small number of them available.

> One of the reasons that we are spending time discussing these things
> is that we hope to decide on a set of standards and practices which
> will make it easier to reason about use and maintenance of Cloud VPS.
> Towards that end, I think I would propose these answers to the new
> questions:

> * The *.wikimedia.cloud zone should only contain A records pointing to
> non-publicly routable IPv4 records. My reasoning for this is that it
> makes it easier to quickly think about the general threat model for a
> FQDN in this zone. If the FQDN ends in wikimedia.cloud, then the IP
> associated with that FQDN is not publically routable.

> * We should create a pool of floating ips using non-publicly routable
> IPv4 addresses for the explicit purpose of being used as service IPs
> for HA/LB systems within the Cloud VPS internal network. These service
> IPs would then be given FQDNs in the *.wikimedia.cloud zone without
> breaking the rule that all FQDNs ending in wikimedia.cloud are not
> publically routable.

> · We may have to adjust a lot of security groups if the new floating
> pool of private IPS is outside of the 172.16.0.0/21 subnet. If we
> carve it out as a subset of that CIDR then I *think* it requires
> careful changes to the existing "cloud-instances2-b-eqiad" subnet to
> cordon off a /24 or /25 block into a new neutron subnet that would be
> the source of the new pool and not part of the subnet that
> nova/neutron use to give out fixed IPs to instances. Hopefully Arturo
> or Jason can reason about the work and impact of this better than I
> can.

I wouldn't create another floating IP pool or make any changes to `cloud-instances2-b-eqiad` `172.16.0.0/21`
Reconfiguring this as an external network (floating IP requirement) would bring a lot of complexity with host routing, NAT rules, subnets and security groups.

Instead of using floating IPs for non-publicly routed subnets, I'd pre-allocate an IP address from that subnet, configure the front-end load balancer host's neutron ports with allowed address pairs, and use VRRP + keepalived to manage which host has the active virtual IP (VIP).

I can put together a simple prototype of this if there's any interest going down that path.

Regards,
Jason