

Merge pull request #1781 from craddm/update-network-rules
Update firewall rules for parity with 4.2.0
jemrobinson authored Apr 15, 2024
2 parents 38e8d97 + 9cde223 commit 64eea3d
Showing 1 changed file with 16 additions and 118 deletions.
134 changes: 16 additions & 118 deletions data_safe_haven/infrastructure/stacks/shm/firewall.py
Expand Up @@ -115,96 +115,14 @@ def __init__(
],
source_addresses=[props.subnet_identity_servers_iprange],
target_fqdns=[
"*.blob.core.windows.net",
"*.servicebus.windows.net",
"aadconnecthealth.azure.com",
"adhsprodncuaadsynciadata.blob.core.windows.net",
"adhsprodwcuaadsynciadata.blob.core.windows.net",
"adhsprodweuaadsynciadata.blob.core.windows.net",
"adhsprodweuehsyncia.servicebus.windows.net",
"adhsprodwusaadsynciadata.blob.core.windows.net",
"adhssyncprodpksweu.servicebus.windows.net",
"adminwebservice.microsoftonline.com",
"pksproddatastoreeus101.blob.core.windows.net",
"pksproddatastoreeus102.blob.core.windows.net",
"pksproddatastoreeus103.blob.core.windows.net",
"pksproddatastoreeus104.blob.core.windows.net",
"pksproddatastoreeus105.blob.core.windows.net",
"pksproddatastoreeus106.blob.core.windows.net",
"pksproddatastoreeus107.blob.core.windows.net",
"pksproddatastoreeus108.blob.core.windows.net",
"pksproddatastoreeus109.blob.core.windows.net",
"pksproddatastoreeus111.blob.core.windows.net",
"pksproddatastoreeus112.blob.core.windows.net",
"pksproddatastoreeus113.blob.core.windows.net",
"pksproddatastoreeus114.blob.core.windows.net",
"pksproddatastoreeus115.blob.core.windows.net",
"pksproddatastoreeus116.blob.core.windows.net",
"pksproddatastoreeus117.blob.core.windows.net",
"pksproddatastoreeus118.blob.core.windows.net",
"pksproddatastoreeus119.blob.core.windows.net",
"pksproddatastoreeus120.blob.core.windows.net",
"pksproddatastorencu101.blob.core.windows.net",
"pksproddatastorencu102.blob.core.windows.net",
"pksproddatastorencu103.blob.core.windows.net",
"pksproddatastorencu104.blob.core.windows.net",
"pksproddatastoreneu101.blob.core.windows.net",
"pksproddatastoreneu102.blob.core.windows.net",
"pksproddatastoreneu103.blob.core.windows.net",
"pksproddatastoreneu104.blob.core.windows.net",
"pksproddatastoreneu105.blob.core.windows.net",
"pksproddatastoreneu106.blob.core.windows.net",
"pksproddatastoreneu107.blob.core.windows.net",
"pksproddatastoreneu108.blob.core.windows.net",
"pksproddatastoreneu109.blob.core.windows.net",
"pksproddatastoreneu110.blob.core.windows.net",
"pksproddatastoreneu111.blob.core.windows.net",
"pksproddatastoreneu112.blob.core.windows.net",
"pksproddatastoreneu113.blob.core.windows.net",
"pksproddatastoreneu114.blob.core.windows.net",
"pksproddatastoreneu115.blob.core.windows.net",
"pksproddatastoreneu116.blob.core.windows.net",
"pksproddatastoreneu117.blob.core.windows.net",
"pksproddatastoreneu118.blob.core.windows.net",
"pksproddatastoreneu119.blob.core.windows.net",
"pksproddatastoreneu120.blob.core.windows.net",
"pksproddatastoreweu101.blob.core.windows.net",
"pksproddatastoreweu102.blob.core.windows.net",
"pksproddatastoreweu103.blob.core.windows.net",
"pksproddatastoreweu104.blob.core.windows.net",
"pksproddatastoreweu105.blob.core.windows.net",
"pksproddatastoreweu106.blob.core.windows.net",
"pksproddatastoreweu107.blob.core.windows.net",
"pksproddatastoreweu108.blob.core.windows.net",
"pksproddatastoreweu109.blob.core.windows.net",
"pksproddatastoreweu110.blob.core.windows.net",
"pksproddatastoreweu111.blob.core.windows.net",
"pksproddatastoreweu112.blob.core.windows.net",
"pksproddatastoreweu113.blob.core.windows.net",
"pksproddatastoreweu114.blob.core.windows.net",
"pksproddatastoreweu115.blob.core.windows.net",
"pksproddatastoreweu116.blob.core.windows.net",
"pksproddatastoreweu117.blob.core.windows.net",
"pksproddatastoreweu118.blob.core.windows.net",
"pksproddatastoreweu119.blob.core.windows.net",
"pksproddatastoreweu120.blob.core.windows.net",
"pksproddatastorewus101.blob.core.windows.net",
"pksproddatastorewus102.blob.core.windows.net",
"pksproddatastorewus103.blob.core.windows.net",
"pksproddatastorewus104.blob.core.windows.net",
"pksproddatastorewus105.blob.core.windows.net",
"pksproddatastorewus106.blob.core.windows.net",
"pksproddatastorewus107.blob.core.windows.net",
"pksproddatastorewus108.blob.core.windows.net",
"pksproddatastorewus109.blob.core.windows.net",
"pksproddatastorewus111.blob.core.windows.net",
"pksproddatastorewus112.blob.core.windows.net",
"pksproddatastorewus113.blob.core.windows.net",
"pksproddatastorewus114.blob.core.windows.net",
"pksproddatastorewus115.blob.core.windows.net",
"pksproddatastorewus116.blob.core.windows.net",
"pksproddatastorewus117.blob.core.windows.net",
"pksproddatastorewus118.blob.core.windows.net",
"pksproddatastorewus119.blob.core.windows.net",
"pksproddatastorewus120.blob.core.windows.net",
"s1.adhybridhealth.azure.com",
"umwatson.events.data.microsoft.com",
"v10.events.data.microsoft.com",
"v20.events.data.microsoft.com",
],
),
network.AzureFirewallApplicationRuleArgs(
Expand All @@ -219,16 +137,8 @@ def __init__(
source_addresses=[props.subnet_identity_servers_iprange],
target_fqdns=[
"*-sb.servicebus.windows.net",
"*.servicebus.windows.net",
"passwordreset.microsoftonline.com",
"ssprdedicatedsbprodeus2-1.servicebus.windows.net",
"ssprdedicatedsbprodfra-1.servicebus.windows.net",
"ssprdedicatedsbprodncu-2.servicebus.windows.net",
"ssprdedicatedsbprodncu.servicebus.windows.net",
"ssprdedicatedsbprodneu.servicebus.windows.net",
"ssprdedicatedsbprodscu-2.servicebus.windows.net",
"ssprdedicatedsbprodscu.servicebus.windows.net",
"ssprdedicatedsbprodsea-1.servicebus.windows.net",
"ssprdedicatedsbprodweu.servicebus.windows.net",
],
),
network.AzureFirewallApplicationRuleArgs(
Expand All @@ -245,7 +155,6 @@ def __init__(
"s1.adhybridhealth.azure.com",
"management.azure.com",
"policykeyservice.dc.ad.msft.net",
"provisioningapi.microsoftonline.com",
"www.office.com",
],
),
Expand Down Expand Up @@ -404,29 +313,12 @@ def __init__(
description="Allow external Azure Automation requests",
name="AllowExternalAzureAutomationOperations",
protocols=[
network.AzureFirewallApplicationRuleProtocolArgs(
port=443,
protocol_type="Https",
)
network.AzureFirewallNetworkRuleProtocol.TCP,
network.AzureFirewallNetworkRuleProtocol.UDP,
],
source_addresses=["*"],
target_fqdns=[
"ac-jobruntimedata-prod-su1.azure-automation.net",
"ae-jobruntimedata-prod-su1.azure-automation.net",
"ase-jobruntimedata-prod-su1.azure-automation.net",
"cc-jobruntimedata-prod-su1.azure-automation.net",
"cid-jobruntimedata-prod-su1.azure-automation.net",
"eus2-jobruntimedata-prod-su1.azure-automation.net",
"jpe-jobruntimedata-prod-su1.azure-automation.net",
"ne-jobruntimedata-prod-su1.azure-automation.net",
"scus-jobruntimedata-prod-su1.azure-automation.net",
"sea-jobruntimedata-prod-su1.azure-automation.net",
"stzn-jobruntimedata-prod-su1.azure-automation.net",
"uks-jobruntimedata-prod-su1.azure-automation.net",
"usge-jobruntimedata-prod-su1.azure-automation.us",
"wcus-jobruntimedata-prod-su1.azure-automation.net",
"we-jobruntimedata-prod-su1.azure-automation.net",
"wus2-jobruntimedata-prod-su1.azure-automation.net",
"GuestAndHybridManagement",
],
),
network.AzureFirewallApplicationRuleArgs(
Expand Down Expand Up @@ -463,12 +355,18 @@ def __init__(
],
source_addresses=[props.subnet_update_servers_iprange],
target_fqdns=[
# "apt.postgresql.org",
"archive.ubuntu.com",
"azure.archive.ubuntu.com",
"changelogs.ubuntu.com",
"cloudapp.azure.com", # this is where azure.archive.ubuntu.com is hosted
# "d20rj4el6vkp4c.cloudfront.net",
# "dbeaver.io",
# "packages.gitlab.com",
"packages.microsoft.com",
# "qgis.org",
"security.ubuntu.com",
# "ubuntu.qgis.org"
],
),
],
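Review bot: In the AllowExternalAzureAutomationOperations rule (hunk at -404,29) the protocol list becomes `network.AzureFirewallNetworkRuleProtocol.TCP` and `.UDP` while the surrounding context still reads `source_addresses=["*"]` and the destination is given as `target_fqdns=["GuestAndHybridManagement"]`, with no `destination_ports` visible in the hunk, so as shown the rule appears to permit any TCP/UDP port from any source to that service tag, whereas the removed lines allowed only HTTPS on port 443 to named hosts. If this entry was converted to a network rule, the destination belongs in `destination_addresses=["GuestAndHybridManagement"]` (a service tag is not an FQDN target) together with `destination_ports=["443"]`, and UDP should be dropped unless it is actually required; if it is still an `AzureFirewallApplicationRuleArgs`, network-rule protocol values are the wrong type for it. The rule's opening line and any `destination_ports` entry sit above the hunk, so this may be handled outside the visible lines — worth confirming rather than assuming. Separately, the first hunk (-115,96) replaces per-account hosts with `*.blob.core.windows.net` and `*.servicebus.windows.net`, which allows egress from the identity subnet to any Azure storage account; a one-line comment next to those wildcards recording why an explicit list is no longer viable would make that widened egress surface a deliberate, reviewable choice.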

