nanog mailing list archives

RE: Ingress filtering from an external cloud service to the internal network


From: James Breeden <James () arenalgroup co>
Date: Thu, 4 May 2017 15:26:49 +0000

Is it possible for you to get a private/direct connect service from your network perimeter to the cloud provider and 
eliminate using the public connectivity? 

Or because it's Internet-based you have to use public connectivity? 

James W. Breeden
Managing Partner


Arenal Group: Arenal Consulting Group | Acilis Telecom | Pines Media
PO Box 1063 | Smithville, TX 78957
Email: james () arenalgroup co | office 512.360.0000 | www.arenalgroup.co



-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Torres, Matt
Sent: Thursday, May 4, 2017 7:47 AM
To: nanog () nanog org
Subject: Ingress filtering from an external cloud service to the internal network

NANOG,

We have a hybrid cloud model that includes an external cloud service that needs to reach back into our internal 
network. The application documentation states that this connection cannot go through a proxy server. I am not in a 
position to redesign this solution or change the parameters. My question to NANOG is how to manage (filter/secure) the 
ingress traffic from the external cloud service. Past network guy managed inbound firewall rules based on the 
cloud provider's source IP address, but this wasn't sustainable and led to multiple outages as the external (source) IP 
has changed from time to time. I can define the destination ports well enough, but not the source IP addresses.

Any ideas on how I can filter this type of inbound traffic from an internet-based service?

Thanks
Matt

