Merge pull request #2308 from alan-turing-institute/firewall_logs

Add firewall logs

data_safe_haven/infrastructure/programs/declarative_sre.py

@@ -163,12 +163,27 @@ def __call__(self) -> None:
             ),
         )
 
+        # Deploy monitoring
+        monitoring = SREMonitoringComponent(
+            "sre_monitoring",
+            self.stack_name,
+            SREMonitoringProps(
+                dns_private_zones=dns.private_zones,
+                location=self.config.azure.location,
+                resource_group_name=resource_group.name,
+                subnet=networking.subnet_monitoring,
+                timezone=self.config.sre.timezone,
+            ),
+            tags=self.tags,
+        )
+
         # Deploy SRE firewall
         SREFirewallComponent(
             "sre_firewall",
             self.stack_name,
             SREFirewallProps(
                 location=self.config.azure.location,
+                log_analytics_workspace=monitoring.log_analytics,
                 resource_group_name=resource_group.name,
                 route_table_name=networking.route_table_name,
                 subnet_apt_proxy_server=networking.subnet_apt_proxy_server,
@@ -209,20 +224,6 @@ def __call__(self) -> None:
             tags=self.tags,
         )
 
-        # Deploy monitoring
-        monitoring = SREMonitoringComponent(
-            "sre_monitoring",
-            self.stack_name,
-            SREMonitoringProps(
-                dns_private_zones=dns.private_zones,
-                location=self.config.azure.location,
-                resource_group_name=resource_group.name,
-                subnet=networking.subnet_monitoring,
-                timezone=self.config.sre.timezone,
-            ),
-            tags=self.tags,
-        )
-
         # Deploy the apt proxy server
         apt_proxy_server = SREAptProxyServerComponent(
             "sre_apt_proxy_server",

data_safe_haven/infrastructure/programs/sre/firewall.py

@@ -3,12 +3,13 @@
 from collections.abc import Mapping
 
 from pulumi import ComponentResource, Input, Output, ResourceOptions
-from pulumi_azure_native import network
+from pulumi_azure_native import insights, network
 
 from data_safe_haven.infrastructure.common import (
     get_address_prefixes_from_subnet,
     get_id_from_subnet,
 )
+from data_safe_haven.infrastructure.components import WrappedLogAnalyticsWorkspace
 from data_safe_haven.types import (
     FirewallPriorities,
     ForbiddenDomains,
@@ -23,6 +24,7 @@ class SREFirewallProps:
     def __init__(
         self,
         location: Input[str],
+        log_analytics_workspace: Input[WrappedLogAnalyticsWorkspace],
         resource_group_name: Input[str],
         route_table_name: Input[str],
         subnet_apt_proxy_server: Input[network.GetSubnetResult],
@@ -35,6 +37,7 @@ def __init__(
         subnet_workspaces: Input[network.GetSubnetResult],
     ) -> None:
         self.location = location
+        self.log_analytics_workspace = log_analytics_workspace
         self.resource_group_name = resource_group_name
         self.route_table_name = route_table_name
         self.subnet_apt_proxy_server_prefixes = Output.from_input(
@@ -331,6 +334,36 @@ def __init__(
             tags=child_tags,
         )
 
+        # Add diagnostic settings for firewall
+        # This links the firewall to the log analytics workspace
+        insights.DiagnosticSetting(
+            f"{self._name}_firewall_diagnostic_settings",
+            name="firewall_diagnostic_settings",
+            log_analytics_destination_type="Dedicated",
+            logs=[
+                {
+                    "category_group": "allLogs",
+                    "enabled": True,
+                    "retention_policy": {
+                        "days": 0,
+                        "enabled": False,
+                    },
+                },
+            ],
+            metrics=[
+                {
+                    "category": "AllMetrics",
+                    "enabled": True,
+                    "retention_policy": {
+                        "days": 0,
+                        "enabled": False,
+                    },
+                }
+            ],
+            resource_uri=firewall.id,
+            workspace_id=props.log_analytics_workspace.id,
+        )
+
         # Retrieve the private IP address for the firewall
         private_ip_address = firewall.ip_configurations.apply(
             lambda cfgs: "" if not cfgs else cfgs[0].private_ip_address

docs/source/management/logs.md

@@ -21,11 +21,30 @@ These include,
 - Gitea and Hedgedoc
 
 Logs from all containers are ingested into the [SREs log workspace](#log-workspace).
-There are two logs
+There are two tables,
 
 `ContainerEvents_CL`
 : Event logs for the container instance resources such as starting, stopping, crashes and pulling images.
 
 `ContainerInstanceLog_CL`
 : Container process logs.
 : This is where you can view the output of the containerised applications and will be useful for debugging problems.
+
+## Firewall logs
+
+The firewall plays a critical role in the security of a Data Safe Haven.
+It filters all outbound traffic through a set of FQDN rules so that each component may only reach necessary and allowed domains.
+
+Logs from the firewall are ingested into the [SREs log workspace](#log-workspace).
+There are multiple tables,
+
+`AZFWApplicationRule`
+: Logs from the firewalls FDQN filters.
+: Shows requests to the outside of the Data Safe Haven and why they have been approved or rejected.
+
+`AZFWDnsQuery`
+: DNS requests handled by the firewall.
+
+`AzureMetrics`
+: Various metrics on firewall utilisation and performance.
+: This table is not reserved for the firewall and other resources may log to it.