ftp.debian.org - DSA machine
deb.debian.org - Fastly
academic managed mirrors ftp.XX.debian.org
Other mirrors
CloudFront - created by jeb
  We should move it to our new account
Azure - complete network of 57 instances, 28 regions
  Those are used for Azure images
We hope to standardize, and use provider URLs for images on these providers
We need names for mirrors, e.g. mirror.aws.debian.{org,net} or gce.mirror.debian....
Managed CNAME currently - debian-archive.trafficmanager.net
We should keep mirrors for providers in this provider's network
  costs of ingress/egress traffic, avoiding MiTM, data sovereignty, etc.
  Access to mirrors even from restricted networking
TODO: get names for those mirrors from DSA/mirror team
scripts for managing mirrors. In salsa under mirror team, waldi left the team
  Should we move them to Cloud team?
Current Azure setup: 2 complete mirrors at each (large) region
3 categories of regions:
* large - all services
* smaller - only most important services
We need to have mirrors at large regions, and maybe at some of the smaller ones
GCE - select 3 regions
  2 mirrors at each, set up CDN
Edge locality
Availability
scalable instances behind those
Do we want to have the ability to force locality? e.g. I'm in Germany, I want to make sure that I'm using a European mirror
using CloudFront or instances?
region-specific endpoint, or one global one
Main reason - serve instances inside this region. Any other usage is nice to have
jeb solution - good for external users, not good for internal
  one single point of origin, serialized access
We could still try to use existing scripts
Need to modernize Azure setup: traffic monitoring
Some of those exist on GCE, but Terraform does not support FTP, secrets, devices to store data on
EC2 - missing: connect VPC between regions (VPC peering - access w/o authentication)
Currently - only one point of entry for entire system (i.e. just one master mirror per cloud provider).
  Limit load on master FTP managed by DSA.
  Not so high availability, but we don't want to kill FTP master
  When this one master instance (or region) is down, we won't get new versions of packages, but the mirror network is still serving (potentially not up-to-date) packages
Proposal - use ftp.us. for some regions, ftp.eu for others.
  But we use push, not pull
  And we want push from master ftp
Next step: finish Azure integration
Private endpoints
DNSSEC - potential problem with private VPC
  we cannot take over this DNS response (and return private IP) in such a case
Prefix?