[194501] in North American Network Operators' Group


RE: Ingress filtering from an external cloud service to the internal

daemon@ATHENA.MIT.EDU (James Breeden)
Thu May 4 11:28:06 2017

X-Original-To: nanog@nanog.org
From: James Breeden <James@arenalgroup.co>
To: "Torres, Matt" <matt.torres@state.or.us>, "nanog@nanog.org"
 <nanog@nanog.org>
Date: Thu, 4 May 2017 15:26:49 +0000
In-Reply-To: <4E275B0B9F6F5445ACE48FBBB2AC3B14CAD3BEC0@ExchMBXProd02.win.lottery.state.or.us>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Is it possible for you to get a private/direct connect service from your network perimeter to the cloud provider and eliminate using the public connectivity?

Or because it's Internet-based you have to use public connectivity?

James W. Breeden
Managing Partner


Arenal Group: Arenal Consulting Group | Acilis Telecom | Pines Media
PO Box 1063 | Smithville, TX 78957
Email: james@arenalgroup.co | office 512.360.0000 | www.arenalgroup.co



-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Torres, Matt
Sent: Thursday, May 4, 2017 7:47 AM
To: nanog@nanog.org
Subject: Ingress filtering from an external cloud service to the internal network

NANOG,

We have a hybrid cloud model that includes an external cloud service that needs to reach back into our internal network. The application documentation states that this connection cannot go through a proxy server. I am not in a position to redesign this solution or change the parameters. My question to NANOG is how to manage (filter/secure) the ingress traffic from the external cloud service. Past network guy managed inbound firewall rules based on the cloud-provider's source IP address, but this wasn't sustainable and led to multiple outages as the external (source) IP has changed from time to time. I can define the destination ports well enough, but not the source IP addresses.

Any ideas on how I can filter this type of inbound traffic from an internet-based service?

Thanks
Matt
