[batch] Allow private job network traffic to internal IPs (hail-is#13036

)
ehigham · May 11, 2023 · 2da08af · 2da08af
1 parent 0bd6a49
commit 2da08af
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/batch/batch/cloud/gcp/driver/create_instance.py b/batch/batch/cloud/gcp/driver/create_instance.py
@@ -268,10 +268,14 @@ def scheduling() -> dict:
 iptables --append FORWARD --destination $INTERNAL_GATEWAY_IP --jump ACCEPT
 # And this worker
 iptables --append FORWARD --destination $IP_ADDRESS --jump ACCEPT
-# Forbid outgoing requests to cluster-internal IP addresses
+# Allow traffic going to the internet
 INTERNET_INTERFACE=$(ip link list | grep ens | awk -F": " '{{ print $2 }}')
 iptables --append FORWARD --out-interface $INTERNET_INTERFACE ! --destination 10.128.0.0/16 --jump ACCEPT
 
+# [private]
+# Allow all traffic from the private job network
+iptables --append FORWARD --source 172.20.0.0/16 --jump ACCEPT
+
 {make_global_config_str}
 
 # retry once