#682 Move vault.centos.org behind Cloudfront caching
Closed: Fixed 8 months ago by arrfab. Opened 8 months ago by arrfab.

Per internal discussion with @bstinson, we'll probably have to move vault.centos.org behind a cloudfront setup.
While the discussion is happening internally, I'm just creating a ticket here for the infra and releng teams, for team awareness.


Metadata Update from @zlopez:
- Issue tagged with: medium-gain, medium-trouble

8 months ago

It would need some managers' approval due to the potential high impact on budget and the relation with AWS, so closing as invalid for now, to be reopened by the requestor with managers' approval for risk mitigation.

Metadata Update from @arrfab:
- Issue close_status updated to: Insufficient Data
- Issue status updated to: Closed (was: Open)

8 months ago

Metadata Update from @arrfab:
- Issue status updated to: Open (was: Closed)

8 months ago

Metadata Update from @arrfab:
- Issue assigned to arrfab

8 months ago

Metadata Update from @arrfab:
- Issue tagged with: centos-common-infra

8 months ago

Hi. My name is Anna. I am the manager of the Convert2RHEL team. I will collaborate with my director to procure the required budget. Currently trying to estimate the required budget so that we can correctly formulate the request. Just wanted to let you know that I know you need managerial approval and that I am working on it.

Metadata Update from @arrfab:
- Issue private status set to: True

8 months ago

Thanks, it was discussed internally and we'll see how to work on it in the next days, with a potential plan to mitigate the bandwidth consumption, as last month it (with restrictions in place) sent out ~600TiB of data.

Metadata Update from @arrfab:
- Issue private status set to: False (was: True)

8 months ago

I have a plan, and started to work on it in parallel with the existing vault.centos.org setup (which has been working fine since last Wednesday evening, when we mitigated the DDoS/attack on it), and we should be able to redirect to the cloudfront setup next week (as a kind of quick update).

vault.centos.org should currently be working as expected as there was a firewall update to block the IP range that was ddosing us.

We will now implement a cloudfront solution to avoid this issue in future cases. This should be in place on Monday.

Current status:

  • Origin node deployed with up2date content
  • Cloudfront distribution deployed
  • specific vault.centos.org TLS cert added now on Cloudfront distribution (we had to wait for them to process/validate)
  • Origin node protected to only allow content to be retrieved from cloudfront

https://vault.centos.org is thus still "live" on the existing infra but will be switched to cloudfront next Monday, with the rest of the nodes being reconfigured by ansible as additional origin nodes in a new cloudfront origin group (to ensure redundancy).

https://vault.centos.org is now live on cloudfront/AWS, with 3 origin nodes now used in an origin group (redundancy).
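
One way to enforce and audit the "origin node only reachable from cloudfront" step in the status list above, as an added example that is not from the ticket or the CentOS infra code. It assumes the lock-down is a source-IP allowlist built from the `CLOUDFRONT_ORIGIN_FACING` entries of AWS's published `ip-ranges.json` (the ticket does not say which mechanism was used); the feed sample, log entries and function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json.
# All CIDRs are documentation ranges, not real CloudFront addresses.
SAMPLE_IP_RANGES = json.loads("""
{"prefixes": [
   {"ip_prefix": "192.0.2.0/25",    "region": "GLOBAL",    "service": "CLOUDFRONT_ORIGIN_FACING"},
   {"ip_prefix": "192.0.2.128/25",  "region": "GLOBAL",    "service": "CLOUDFRONT_ORIGIN_FACING"},
   {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL",    "service": "CLOUDFRONT"},
   {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "EC2"}],
 "ipv6_prefixes": [
   {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT"}]}
""")

# Constructed origin access-log entries: (source address, request path).
SAMPLE_HITS = [
    ("192.0.2.200", "/repo/a.rpm"),    # inside the origin-facing allowlist
    ("198.51.100.7", "/repo/a.rpm"),   # tagged CLOUDFRONT, but not origin-facing
    ("203.0.113.9", "/repo/b.rpm"),    # unrelated address
    ("2001:db8:1::5", "/repo/c.rpm"),  # IPv6, no origin-facing entry in the sample
]


def origin_facing_networks(doc, service="CLOUDFRONT_ORIGIN_FACING"):
    """Collapsed networks of the service whose hosts fetch from origins."""
    nets = []
    for section, key in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        cidrs = [ipaddress.ip_network(p[key]) for p in doc.get(section, [])
                 if p.get("service") == service]
        # collapse_addresses rejects mixed IPv4/IPv6 input, so collapse per family.
        nets.extend(ipaddress.collapse_addresses(cidrs))
    return nets


def is_allowed(source_ip, networks):
    """True when the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in networks)


def bypass_hits(hits, networks):
    """Origin requests that did not arrive through the CDN."""
    return [(src, path) for src, path in hits if not is_allowed(src, networks)]


if __name__ == "__main__":
    allow = origin_facing_networks(SAMPLE_IP_RANGES)
    print("allowlist:", [str(n) for n in allow])
    for src, path in bypass_hits(SAMPLE_HITS, allow):
        print("direct-to-origin request:", src, path)
```

The collapsed list is what a firewall rule on each origin node would accept on its HTTP(S) ports, and a non-empty `bypass_hits` result on a protected origin means the rule is missing or stale.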

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

8 months ago
