On June 21, 2014, the hosting for www.stanford.edu website will be moved to Amazon Web Services (AWS). It will sit behind an AWS load-balancer which has dynamically allocated IP addresses outside of Stanford’s Network IP Address ranges. If you maintain a website that begins with www.stanford.edu/<sitepath> and you restrict firewall access either to or from that server (including limiting access to only Stanford IP space), note that you will need to update firewall rules related to your web server in order to allow access to sites from the AWS IP ranges. We believe this change will impact very few network firewalls, if any. We want to make this information available out of an abundance of caution.
You can verify whether your website is affected immediately by following the steps below.
If you do need to submit new firewall rules, please make sure to do so by Thursday, June 12th as firewall requests take one business day to process:
You can send firewall-related questions to:
firewall-team@lists.stanford.edu
What you need to do if you administer or approve firewall rules
Verify and test your site
The address www-aws.stanford.edu is up and running in AWS. You can test if you can reach that URL from the subnets where you have outgoing rules enforced. You can use a browser or command line tools such as curl and wget. If you get a “connection timeout” you will need to add AWS IP ranges in your outgoing rules. If you have specific questions regarding this process, please send an email to www-feedback@lists.stanford.edu.
Audit and update
Please take a quick audit of your firewall rules, and pay attention to any outgoing rules you may have for 171.67.215.200/32, which is the current IP for www.stanford.edu load-balancer service. You need to modify the rule to allow access to AWS’s IP address ranges (see below).
If you have outbound rules in your Stanford-provided templates permitting 'any' access to campus subnet, e.g. g_su_admin_nets, g_su_all_nets, but no specific http/https rules to allow http and https access to untrusted zones, your access to www.stanford.edu will be blocked after the June 21. You will need to add a rule to allow access to AWS’s IP address ranges.
List of AWS IP ranges you need to permit
Since the firewall rules are IP based, you cannot use the AWS’s load balancer name in the rule. You will need to open up all US West (Oregon) subnets for port 443/80 access.
For a list of AWS IP ranges, visit:
https://forums.aws.amazon.com/ann.jspa?annID=1701
AWS periodically updates this site, so make sure to revisit this site to update your outgoing firewall rules accordingly.
Why does this change affect network firewall rules
The www.stanford.edu URL will be behind an AWS load-balancer which has dynamically allocated IP addresses outside of Stanford campus network. Although the majority of departments DO NOT have any outbound policies configured to limit outgoing traffic to Stanford network only, we urge you check your firewall policies to make sure applications and users from your subnet can still access www.stanford.edu after the change.
