# What?

We are setting up our own cloud network. The IP address range of the network will be 10.9.0.0/16. It will only contain cloud machines, and only the cloud team will have access to it. It will be in the stp datacenter.

# Why?

Our company was hacked, and we identified a risk: developers could access servers that contain customer data.

# Actions

* Put a new firewall in stp. (Done)
* Upgrade the firewall to 1.7.2 and install apps. (Done)
* Set up the cloud network 10.7.0.0/16 in stp. (Done)
* Give all these machines new IP addresses. (Done)
* Move machines into this network:
  - stp-p01-ansible1 (Done)
  - htl-bacula3 ?
  - 4 x jumpoff boxes (Done)
  - hhq-p01-monitor1
  - hhq-p01-perf2 (Done)
  - hhq-p01-stats1 (Done)
  - stp-p01-cloud1 (Done)
  - hhq-p01-sis1 (Done)
  - hhq-p01-xenorch1 (Done)
  - hhq-p01-cloudshare1 (Done)
  - Keith-win (Done)
* Set up an OpenVPN tunnel that only the cloud_vpn group has access to. (Done)
* Change all the NRPE configs to allow the new monitor1 IP address. (Done)
* Set up 2 new FreeIPA servers for dev and move all hhq-p0X machines over to use them.
  - We would import the current config from hhqfreeipa1.
* Set up 2 new mdh + lon FreeIPA servers with just cloud users.
* For the stats server: work out how scollector works and how the public graphs are served.
* How do ITOM jobs work properly? (Done)
* Build a cloud-p01-shares1 server. (Done)
* Move from 84.207.236.38 to 84.207.236.50 as the new public IP address. (Done)
  - Juniper firewall in the US DCs. (Done)
  - Add to Azure as a trusted IP address. (Already done)
  - Add VPN firewall rules + P2 for VPNs to cloud. (Done)
  - Add firewall rules to prevent LAN to BETA connections. (Done)
  - Add firewall rules preventing all access into the cloud network. (Done)
  - Set up WireGuard into cloud for Keith's 2 machines, with access only to either monitor1:443 or perf1:443. (Done)
  - Set up Jeff's WireGuard to only allow access to his jumpoff box. (Done)
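The firewall and WireGuard items above all express one intent: nothing reaches the cloud network except the cloud_vpn group, Keith's two peers on monitor1:443/perf1:443, and Jeff's peer on his jumpoff box, with LAN to BETA blocked as well. The script below is an added example (not part of these notes or of any firewall product) of how to encode that intent as a first-match, default-deny policy and audit it against a table of flows that must be allowed or denied, so the segmentation can be re-checked every time a rule changes. Only the cloud prefix 10.9.0.0/16 is taken from the notes; the LAN, BETA, VPN pool and every host address are constructed placeholders.

```python
"""Audit a first-match firewall policy against the segmentation intent recorded above.

Added example; all address ranges except the cloud prefix are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

CLOUD_NET = ip_network("10.9.0.0/16")           # cloud network from the "What?" section
LAN_NET = ip_network("10.1.0.0/16")             # placeholder: developer/office LAN
BETA_NET = ip_network("10.2.0.0/16")            # placeholder: BETA environment
CLOUD_VPN_POOL = ip_network("10.200.0.0/24")    # placeholder: OpenVPN pool for cloud_vpn group
KEITH_WG_PEERS = ("10.201.0.10", "10.201.0.11")  # placeholder: Keith's two WireGuard peers
JEFF_WG_PEER = "10.201.0.20"                    # placeholder: Jeff's WireGuard peer
MONITOR1 = "10.9.1.10"                          # placeholder address for hhq-p01-monitor1
PERF1 = "10.9.1.11"                             # placeholder address for perf1
JEFF_JUMPOFF = "10.9.2.5"                       # placeholder address for Jeff's jumpoff box
ANY = ip_network("0.0.0.0/0")


def host(addr: str) -> IPv4Network:
    """A single host as a /32 so it matches like any other network."""
    return ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"


# Most specific allows first, then the explicit denies; anything unmatched is denied.
POLICY = (
    [Rule(f"keith-wg-{i}-{name}-443", host(peer), host(dst), 443, "allow")
     for i, peer in enumerate(KEITH_WG_PEERS)
     for name, dst in (("monitor1", MONITOR1), ("perf1", PERF1))]
    + [
        Rule("jeff-wg-jumpoff", host(JEFF_WG_PEER), host(JEFF_JUMPOFF), None, "allow"),
        Rule("cloud-vpn-to-cloud", CLOUD_VPN_POOL, CLOUD_NET, None, "allow"),
        Rule("cloud-internal", CLOUD_NET, CLOUD_NET, None, "allow"),
        Rule("deny-lan-to-beta", LAN_NET, BETA_NET, None, "deny"),
        Rule("deny-all-into-cloud", ANY, CLOUD_NET, None, "deny"),
    ]
)


def evaluate(src: str, dst: str, dport: int, policy=POLICY) -> tuple:
    """Return (action, rule_name) for one flow; first matching rule wins, default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and (rule.dport is None or rule.dport == dport):
            return rule.action, rule.name
    return "deny", "default-deny"


# Flows that must be allowed or denied, constructed from the intent in the action list.
EXPECTATIONS = [
    ("LAN developer cannot reach cloud", "10.1.5.7", MONITOR1, 22, "deny"),
    ("LAN cannot reach BETA", "10.1.5.7", "10.2.0.9", 443, "deny"),
    ("cloud_vpn member can reach cloud", "10.200.0.4", "10.9.3.3", 22, "allow"),
    ("Keith's peer reaches monitor1:443", KEITH_WG_PEERS[0], MONITOR1, 443, "allow"),
    ("Keith's peer reaches perf1:443", KEITH_WG_PEERS[1], PERF1, 443, "allow"),
    ("Keith's peer cannot ssh to monitor1", KEITH_WG_PEERS[0], MONITOR1, 22, "deny"),
    ("Keith's peer cannot reach other cloud hosts", KEITH_WG_PEERS[1], "10.9.3.3", 443, "deny"),
    ("Jeff reaches his jumpoff box", JEFF_WG_PEER, JEFF_JUMPOFF, 22, "allow"),
    ("Jeff cannot reach monitor1", JEFF_WG_PEER, MONITOR1, 443, "deny"),
]


def audit(policy=POLICY, expectations=EXPECTATIONS) -> list:
    """Return one line per violated expectation; an empty list means the policy matches intent."""
    failures = []
    for label, src, dst, dport, expected in expectations:
        action, rule = evaluate(src, dst, dport, policy)
        if action != expected:
            failures.append(f"{label}: {src}->{dst}:{dport} got {action} via '{rule}', expected {expected}")
    return failures


if __name__ == "__main__":
    problems = audit()
    print("policy OK" if not problems else "\n".join(problems))
    # A "temporary" allow inserted at the top silently widens access; the audit catches it.
    widened = [Rule("temp-any-https-into-cloud", ANY, CLOUD_NET, 443, "allow")] + POLICY
    print("\n".join(audit(widened)))
```

Running it prints `policy OK` for the intended rule set, and then two violations for the widened set (Keith's peer and Jeff's peer both gain HTTPS access to hosts they should not reach), which is exactly the kind of drift that reintroduces the developer-to-customer-data path this project exists to close.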