Allow LB health checks to reach the Consul API port
This will allow us to replace the current simple TCP ping health check with a health check that reaches Consul's API endpoint, which should give more reliable information on whether the service is healthy.
The firewall rule that blocks the Consul API port and makes this exception necessary comes from https://gitlab.com/gitlab-com/gl-security/security-operations/sirt/operations/-/issues/279. Implementing the exception this way was discussed with the security team in Slack: https://gitlab.slack.com/archives/CM74JMLTU/p1625843529055000.
Terraform merge-request checklist
- Has a gitlab.com issue link in the description
- Plan has been reviewed and has no unexpected changes
Cloudflare Page Rules
- Has the same change been made in staging? How long has it been running in staging?
- Is this rule in the right order of most specific to least specific (top to bottom)?
- Is this change as granular as possible and broad as necessary?
- Use example.com instead of *example.com for matching HTTP and HTTPS traffic.
- New/changed forwarding page rules are not susceptible to redirect loop(s)
- Is the priority correct? Higher numbers in Terraform represent a lower match order in the web interface.