diff --git a/data_safe_haven/infrastructure/stacks/shm/firewall.py b/data_safe_haven/infrastructure/stacks/shm/firewall.py
index 1f95d20323..71543607ce 100644
--- a/data_safe_haven/infrastructure/stacks/shm/firewall.py
+++ b/data_safe_haven/infrastructure/stacks/shm/firewall.py
@@ -115,96 +115,14 @@ def __init__(
 ],
 source_addresses=[props.subnet_identity_servers_iprange],
 target_fqdns=[
+ "*.blob.core.windows.net",
+ "*.servicebus.windows.net",
 "aadconnecthealth.azure.com",
- "adhsprodncuaadsynciadata.blob.core.windows.net",
- "adhsprodwcuaadsynciadata.blob.core.windows.net",
- "adhsprodweuaadsynciadata.blob.core.windows.net",
- "adhsprodweuehsyncia.servicebus.windows.net",
- "adhsprodwusaadsynciadata.blob.core.windows.net",
- "adhssyncprodpksweu.servicebus.windows.net",
 "adminwebservice.microsoftonline.com",
- "pksproddatastoreeus101.blob.core.windows.net",
- "pksproddatastoreeus102.blob.core.windows.net",
- "pksproddatastoreeus103.blob.core.windows.net",
- "pksproddatastoreeus104.blob.core.windows.net",
- "pksproddatastoreeus105.blob.core.windows.net",
- "pksproddatastoreeus106.blob.core.windows.net",
- "pksproddatastoreeus107.blob.core.windows.net",
- "pksproddatastoreeus108.blob.core.windows.net",
- "pksproddatastoreeus109.blob.core.windows.net",
- "pksproddatastoreeus111.blob.core.windows.net",
- "pksproddatastoreeus112.blob.core.windows.net",
- "pksproddatastoreeus113.blob.core.windows.net",
- "pksproddatastoreeus114.blob.core.windows.net",
- "pksproddatastoreeus115.blob.core.windows.net",
- "pksproddatastoreeus116.blob.core.windows.net",
- "pksproddatastoreeus117.blob.core.windows.net",
- "pksproddatastoreeus118.blob.core.windows.net",
- "pksproddatastoreeus119.blob.core.windows.net",
- "pksproddatastoreeus120.blob.core.windows.net",
- "pksproddatastorencu101.blob.core.windows.net",
- "pksproddatastorencu102.blob.core.windows.net",
- "pksproddatastorencu103.blob.core.windows.net",
- "pksproddatastorencu104.blob.core.windows.net",
- "pksproddatastoreneu101.blob.core.windows.net",
- "pksproddatastoreneu102.blob.core.windows.net",
- "pksproddatastoreneu103.blob.core.windows.net",
- "pksproddatastoreneu104.blob.core.windows.net",
- "pksproddatastoreneu105.blob.core.windows.net",
- "pksproddatastoreneu106.blob.core.windows.net",
- "pksproddatastoreneu107.blob.core.windows.net",
- "pksproddatastoreneu108.blob.core.windows.net",
- "pksproddatastoreneu109.blob.core.windows.net",
- "pksproddatastoreneu110.blob.core.windows.net",
- "pksproddatastoreneu111.blob.core.windows.net",
- "pksproddatastoreneu112.blob.core.windows.net",
- "pksproddatastoreneu113.blob.core.windows.net",
- "pksproddatastoreneu114.blob.core.windows.net",
- "pksproddatastoreneu115.blob.core.windows.net",
- "pksproddatastoreneu116.blob.core.windows.net",
- "pksproddatastoreneu117.blob.core.windows.net",
- "pksproddatastoreneu118.blob.core.windows.net",
- "pksproddatastoreneu119.blob.core.windows.net",
- "pksproddatastoreneu120.blob.core.windows.net",
- "pksproddatastoreweu101.blob.core.windows.net",
- "pksproddatastoreweu102.blob.core.windows.net",
- "pksproddatastoreweu103.blob.core.windows.net",
- "pksproddatastoreweu104.blob.core.windows.net",
- "pksproddatastoreweu105.blob.core.windows.net",
- "pksproddatastoreweu106.blob.core.windows.net",
- "pksproddatastoreweu107.blob.core.windows.net",
- "pksproddatastoreweu108.blob.core.windows.net",
- "pksproddatastoreweu109.blob.core.windows.net",
- "pksproddatastoreweu110.blob.core.windows.net",
- "pksproddatastoreweu111.blob.core.windows.net",
- "pksproddatastoreweu112.blob.core.windows.net",
- "pksproddatastoreweu113.blob.core.windows.net",
- "pksproddatastoreweu114.blob.core.windows.net",
- "pksproddatastoreweu115.blob.core.windows.net",
- "pksproddatastoreweu116.blob.core.windows.net",
- "pksproddatastoreweu117.blob.core.windows.net",
- "pksproddatastoreweu118.blob.core.windows.net",
- "pksproddatastoreweu119.blob.core.windows.net",
- "pksproddatastoreweu120.blob.core.windows.net",
- "pksproddatastorewus101.blob.core.windows.net",
- "pksproddatastorewus102.blob.core.windows.net",
- "pksproddatastorewus103.blob.core.windows.net",
- "pksproddatastorewus104.blob.core.windows.net",
- "pksproddatastorewus105.blob.core.windows.net",
- "pksproddatastorewus106.blob.core.windows.net",
- "pksproddatastorewus107.blob.core.windows.net",
- "pksproddatastorewus108.blob.core.windows.net",
- "pksproddatastorewus109.blob.core.windows.net",
- "pksproddatastorewus111.blob.core.windows.net",
- "pksproddatastorewus112.blob.core.windows.net",
- "pksproddatastorewus113.blob.core.windows.net",
- "pksproddatastorewus114.blob.core.windows.net",
- "pksproddatastorewus115.blob.core.windows.net",
- "pksproddatastorewus116.blob.core.windows.net",
- "pksproddatastorewus117.blob.core.windows.net",
- "pksproddatastorewus118.blob.core.windows.net",
- "pksproddatastorewus119.blob.core.windows.net",
- "pksproddatastorewus120.blob.core.windows.net",
+ "s1.adhybridhealth.azure.com",
+ "umwatson.events.data.microsoft.com",
+ "v10.events.data.microsoft.com",
+ "v20.events.data.microsoft.com",
 ],
 ),
 network.AzureFirewallApplicationRuleArgs(
@@ -219,16 +137,8 @@ def __init__(
 source_addresses=[props.subnet_identity_servers_iprange],
 target_fqdns=[
 "*-sb.servicebus.windows.net",
+ "*.servicebus.windows.net",
 "passwordreset.microsoftonline.com",
- "ssprdedicatedsbprodeus2-1.servicebus.windows.net",
- "ssprdedicatedsbprodfra-1.servicebus.windows.net",
- "ssprdedicatedsbprodncu-2.servicebus.windows.net",
- "ssprdedicatedsbprodncu.servicebus.windows.net",
- "ssprdedicatedsbprodneu.servicebus.windows.net",
- "ssprdedicatedsbprodscu-2.servicebus.windows.net",
- "ssprdedicatedsbprodscu.servicebus.windows.net",
- "ssprdedicatedsbprodsea-1.servicebus.windows.net",
- "ssprdedicatedsbprodweu.servicebus.windows.net",
 ],
 ),
 network.AzureFirewallApplicationRuleArgs(
@@ -245,7 +155,6 @@ def __init__(
 "s1.adhybridhealth.azure.com",
 "management.azure.com",
 "policykeyservice.dc.ad.msft.net",
- "provisioningapi.microsoftonline.com",
 "www.office.com",
 ],
 ),
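Review bot: The wildcard `"*.blob.core.windows.net"` added at the top of the first target_fqdns list lets the identity-servers subnet reach every Azure Storage account in the public cloud, not only the sync/health accounts the removed lines named, and `"*.servicebus.windows.net"` (added here and again in the second hunk beside the narrower `"*-sb.servicebus.windows.net"`) does the same for every Service Bus namespace; in a safe-haven egress policy that is a general-purpose exfiltration path rather than a maintenance simplification. If the explicit hostnames cannot be kept current, the trade-off should at least be written down where the rule lives, e.g. `# NOTE: wildcard allows ANY storage account from this subnet; accepted because <reason / issue ref>`, so the next reviewer does not read it as an oversight. If the wildcard stays, the `"*-sb.servicebus.windows.net"` entry in the second hunk is subsumed by it and can be dropped. The enclosing __init__ starts and ends outside these hunks.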
@@ -404,29 +313,12 @@ def __init__(
 description="Allow external Azure Automation requests",
 name="AllowExternalAzureAutomationOperations",
 protocols=[
- network.AzureFirewallApplicationRuleProtocolArgs(
- port=443,
- protocol_type="Https",
- )
+ network.AzureFirewallNetworkRuleProtocol.TCP,
+ network.AzureFirewallNetworkRuleProtocol.UDP,
 ],
 source_addresses=["*"],
 target_fqdns=[
- "ac-jobruntimedata-prod-su1.azure-automation.net",
- "ae-jobruntimedata-prod-su1.azure-automation.net",
- "ase-jobruntimedata-prod-su1.azure-automation.net",
- "cc-jobruntimedata-prod-su1.azure-automation.net",
- "cid-jobruntimedata-prod-su1.azure-automation.net",
- "eus2-jobruntimedata-prod-su1.azure-automation.net",
- "jpe-jobruntimedata-prod-su1.azure-automation.net",
- "ne-jobruntimedata-prod-su1.azure-automation.net",
- "scus-jobruntimedata-prod-su1.azure-automation.net",
- "sea-jobruntimedata-prod-su1.azure-automation.net",
- "stzn-jobruntimedata-prod-su1.azure-automation.net",
- "uks-jobruntimedata-prod-su1.azure-automation.net",
- "usge-jobruntimedata-prod-su1.azure-automation.us",
- "wcus-jobruntimedata-prod-su1.azure-automation.net",
- "we-jobruntimedata-prod-su1.azure-automation.net",
- "wus2-jobruntimedata-prod-su1.azure-automation.net",
+ "GuestAndHybridManagement",
 ],
 ),
 network.AzureFirewallApplicationRuleArgs(
@@ -463,12 +355,18 @@ def __init__(
 ],
 source_addresses=[props.subnet_update_servers_iprange],
 target_fqdns=[
+ # "apt.postgresql.org",
 "archive.ubuntu.com",
 "azure.archive.ubuntu.com",
 "changelogs.ubuntu.com",
 "cloudapp.azure.com", # this is where azure.archive.ubuntu.com is hosted
+ # "d20rj4el6vkp4c.cloudfront.net",
+ # "dbeaver.io",
+ # "packages.gitlab.com",
 "packages.microsoft.com",
+ # "qgis.org",
 "security.ubuntu.com",
+ # "ubuntu.qgis.org"
 ],
 ),
 ],
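Review bot: The rewritten AllowExternalAzureAutomationOperations rule mixes network-rule values into what the surrounding context still shows as an application rule: `network.AzureFirewallNetworkRuleProtocol.TCP` / `.UDP` are the enum that `AzureFirewallNetworkRuleArgs.protocols` takes, and `"GuestAndHybridManagement"` is an Azure service tag, which belongs in a network rule's `destination_addresses`, not in `target_fqdns`. The constructor line opens above the hunk, so I cannot see whether it was changed, but the trailing context line is still a sibling `network.AzureFirewallApplicationRuleArgs(`, which suggests this remains in an application rule collection and is likely to be rejected at deploy time rather than silently widened. The removed rule allowed only HTTPS on 443, so TCP with `destination_ports=["443"]` preserves that scope; the added UDP entry has no counterpart in the old rule and should be dropped unless there is a documented need. A network rule carrying the service tag would look like this and would have to live in a network rule collection:
```python
network.AzureFirewallNetworkRuleArgs(
    description="Allow external Azure Automation requests",
    name="AllowExternalAzureAutomationOperations",
    protocols=[network.AzureFirewallNetworkRuleProtocol.TCP],
    source_addresses=["*"],
    destination_addresses=["GuestAndHybridManagement"],
    destination_ports=["443"],
),
```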
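Review bot: The six commented-out hostnames added to the update-servers target_fqdns list are dead configuration in exactly the place where ambiguity costs most: a later reader cannot tell whether they are pending approval, deliberately refused, or needed only by some deployments, and an allowlist invites someone to "just uncomment" them. Either drop them or replace the block with one comment that records the decision, e.g. `# Deliberately not allowed from this subnet: apt.postgresql.org, dbeaver.io, packages.gitlab.com, qgis.org (<reason / issue ref>)`. If they are kept for later re-enabling, note that `# "ubuntu.qgis.org"` lacks the trailing comma the other entries carry.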