I have recently been configuring a Squid proxy behind a load balancer. For Squid to accept incoming PROXY protocol connections from the load balancer, I decided the easiest option would be to allow either the whole VPC CIDR range:
    acl loadbalancer src 10.139.0.0/17
    proxy_protocol_access allow loadbalancer
or the list of subnets from the 3 AZs where the load balancer is running:
    acl loadbalancer src 10.139.64.64/28 10.139.64.96/28 10.139.64.80/28
    proxy_protocol_access allow loadbalancer
Even though both configurations are valid, my pull request quickly caught the attention of a colleague who is more experienced in networking (in fact an ex-CCNP guy). But that is the beauty of modern operations teams working in a DevOps fashion: while he may catch this sort of issue, I (an ex-developer guy) can easily spot how duplication in a piece of bash or Python code could be avoided by refactoring it into a reusable function or template.
So back to our problem. As I said, both ranges are valid, but the first is much wider than actually required: it trusts PROXY protocol headers, and therefore the client addresses they claim, from every host in the VPC rather than only from the load balancer. The second is exact but redundant, because adjacent /28s can be written more compactly.
Enter supernetting.
So what is that?
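The aggregation the post is leading up to, worked through as an added example that is not part of the original post: a small Python script, using only the standard `ipaddress` module, that computes both the exact aggregate of the three per-AZ subnets and the single smallest supernet covering them, and counts how many addresses each candidate ACL would trust beyond the load balancer's own. The subnet values are the ones quoted above; the function names, the ACL name and the explicit `proxy_protocol_access deny all` line are my choices (assumptions), not the post's.

```python
"""Added example, not from the original post: compare ways of expressing the
load-balancer subnets as a Squid `src` ACL. Subnet values are the ones quoted in
the post; the function names and the ACL name are assumed for illustration."""
import ipaddress
from typing import Iterable, List

# Constructed input: the three per-AZ load-balancer subnets and the VPC CIDR quoted above.
LB_SUBNETS = ["10.139.64.64/28", "10.139.64.80/28", "10.139.64.96/28"]
VPC_CIDR = "10.139.0.0/17"


def parse(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # strict=True rejects a prefix with host bits set, e.g. a typo like 10.139.64.65/28
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def collapse(cidrs: Iterable[str]) -> List[str]:
    """Exact aggregation: merge adjacent or overlapping prefixes without admitting extra space."""
    return [str(n) for n in ipaddress.collapse_addresses(parse(cidrs))]


def covering_supernet(cidrs: Iterable[str]) -> str:
    """Smallest single prefix containing every input; may admit addresses nobody asked for."""
    nets = parse(cidrs)
    net = nets[0]
    # Shorten the prefix one bit at a time until every input falls inside it.
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return str(net)


def excess_addresses(candidate: str, wanted: Iterable[str]) -> int:
    """Count addresses `candidate` admits that are not in any `wanted` subnet."""
    cand = ipaddress.ip_network(candidate, strict=True)
    wanted_nets = list(ipaddress.collapse_addresses(parse(wanted)))  # disjoint prefixes
    if any(cand.subnet_of(w) for w in wanted_nets):
        return 0  # candidate lies entirely inside something we wanted anyway
    # CIDR prefixes either nest or are disjoint, so each remaining wanted prefix is
    # either fully inside the candidate or does not touch it at all.
    covered = sum(w.num_addresses for w in wanted_nets if w.subnet_of(cand))
    return cand.num_addresses - covered


def squid_acl(name: str, nets: Iterable[str]) -> str:
    """Render squid.conf lines that trust PROXY protocol headers only from `nets`."""
    return "\n".join([
        f"acl {name} src {' '.join(nets)}",
        f"proxy_protocol_access allow {name}",
        "proxy_protocol_access deny all",  # Squid's default, stated explicitly
    ])


if __name__ == "__main__":
    exact = collapse(LB_SUBNETS)
    single = covering_supernet(LB_SUBNETS)
    for label, nets in (("whole VPC", [VPC_CIDR]),
                        ("single supernet", [single]),
                        ("exact aggregate", exact)):
        extra = sum(excess_addresses(n, LB_SUBNETS) for n in nets)
        print(f"{label:16} {' '.join(nets):36} hosts trusted needlessly: {extra}")
    print(squid_acl("loadbalancer", exact))
```

Running it shows that the exact aggregate, `10.139.64.64/27 10.139.64.96/28`, admits nothing beyond the three subnets; the single covering supernet `10.139.64.64/26` admits one spare /28 (16 addresses); and the whole-VPC `/17` admits 32720 addresses that have no business sending PROXY protocol headers. Which of the first two you pick is a trade-off between a one-token ACL and zero extra trust, and the script makes that trade-off a number you can put in the pull request.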