Ref Arch - CIS - what are acceptable CIDRs / IP address ranges for IPAllowList?

[zackproser]

A customer asked:

We purchased a CIS-compliant Reference Architecture, and now I'm not sure what I should fill in for the IPAllowList in the reference-architecture-form.yml.

[zackproser]

Since you're using the CIS ref arch flavor, you need to ensure that you do not leave the default wide-open cidr of 0.0.0.0/0. If you forget, and submit this value anyway, our tooling will detect this and prevent your deployment from proceeding.

The CIDR that is entered here will control who can access your Bastion host and, therefore, your private resources.

The IPAllowList accepts multiple CIDRs, each on one line, like so:

IPAllowList:
  - "198.51.100.0/22" # Our shared office IP CIDR
  - "209.101.58.91/32" # Engineer #1's home office IP address

If you're entering a single IP address, such as your static home office IP address, add the /32 network prefix to the end, like this: 209.101.58.91/32.

You can mix and match CIDRs as needed. You might enter the range for your corporate office or VPN, and several of your engineers' home IP addresses.

You can always add and remove CIDRs later as needed, but anyone whose IP range or specific IP address is not defined in this list won't initially be able to access your Ref Arch environment / resources.