Don't route S3 traffic to a nat-gateway (#423)

* Custom routing to predefined NAT when run in DMZ without public ip We have a use-case when we want to run instances in DMZ or public subnet but without public ips. Elastic ip would be assigned later to one of the instances. Without public ip instance will not be able to initialize (download docker, push logs, use AWS api, etc...). To solve this problem we need to create a separate routing table for outgoing https traffic. Such traffic would be routed to a custom nat gateway. Mappings between subnets and nat gateways would come from UserData and populated by senza. * Don't route S3 traffic to a nat-gateway We have S3 endpoint configured in every account.
zalando-stups · Jul 14, 2017 · e4c7dc3 · e4c7dc3
1 parent 8891948
commit e4c7dc3
Showing 1 changed file with 22 additions and 4 deletions.
diff --git a/runtime/opt/taupage/init.d/00-create-custom-routing.py b/runtime/opt/taupage/init.d/00-create-custom-routing.py
@@ -31,15 +31,21 @@ def main():
     if not nat_gateways or not isinstance(nat_gateways, dict):  # nat gateways must be non empty dictionary
         sys.exit(0)
 
-    METADATA_URL = 'http://169.254.169.254/latest/meta-data/network/interfaces/macs/'
+    METADATA_URL = 'http://169.254.169.254/latest/meta-data/'
     try:
-        r = requests.get(METADATA_URL)
-        mac = r.text.split()[0]
-        r = requests.get(METADATA_URL + mac + 'subnet-id')
+        r = requests.get(METADATA_URL + 'placement/availability-zone')
+        region = r.text.strip()[:-1]
+        logging.info('Region=%s', region)
+
+        r = requests.get(METADATA_URL + 'mac')
+        mac = r.text.strip()
+
+        r = requests.get(METADATA_URL + 'network/interfaces/macs/' + mac + '/subnet-id')
         subnet = r.text
         if subnet not in nat_gateways:
             logging.warning('Can not find subnet %s in the nat_gateways mapping', subnet)
             sys.exit(0)
+
         logging.info('Will use %s nat gateway for outgoing https traffic', nat_gateways[subnet])
     except Exception:
         logging.exception('Failed to read metadata')
@@ -62,6 +68,18 @@ def main():
 
     subprocess_call(['ip', 'route', 'add', 'default', 'via', nat_gateways[subnet], 'table', 'https'])
 
+    # S3 is exceptional, it has it's own endpoint in VPC
+    try:
+        r = requests.get('https://ip-ranges.amazonaws.com/ip-ranges.json')
+        ranges = [e['ip_prefix'] for e in r.json()['prefixes']
+                  if e['service'] == 'S3' and e['region'] == region and 'ip_prefix' in e]
+    except Exception:
+        logging.exception('Failed to load ip-ranges.json')
+
+    # Don't mark outgoing traffic to S3
+    for r in ranges:
+        subprocess_call(['iptables', '-t', 'mangle', '-I', 'OUTPUT', '-d', r, '-j', 'ACCEPT'])
+
 
 if __name__ == '__main__':
     main()