Security hardening / private endpoints / DNS #37

Open
8 of 27 tasks
JimCircadian opened this issue Jul 25, 2023 · 1 comment
JimCircadian (Member) commented Jul 25, 2023

Builds on #31

Expose and restrict

  • Ensure storage accounts are not unnecessarily open
  • Create private endpoints in public subnet
    • PyGeoAPI
    • Assets function app
    • Storage account
  • Create private endpoints in private subnet
    • Create private endpoint definitions
  • Implement NAT gateway
  • Do Load balancing #38
  • Set up NSG and https access via public interface
  • Set up NSG/ASG between LB and internal services
  • Set up internal routing / NSG/ASG between public and private subnets
  • Set up dev.icenet.ai to point to public interface
  • Test access via dev.icenet.ai
  • Ensure closed access to function app public endpoints
  • Check that non-admin IP sources cannot upload (test admin NSG)
  • Activate private endpoints
    • pygeoapi/app.tf - pygeoapi
    • forecast_processor/events.tf - event_domain_endpoint
    • forecast_processor/functions.tf - evtproc_app_storage_endpoint
    • forecast_processor/functions.tf - event_proc_endpoint
    • data/postgresql.tf - database
    • data/storage.tf - data_blob
    • data/storage.tf - data_file
    • processing/functions.tf - proc_app_storage_endpoint
    • processing/functions.tf - proc_endpoint
    • application/app.tf - application
JimCircadian mentioned this issue Jul 25, 2023
JimCircadian self-assigned this Jul 26, 2023
JimCircadian added a commit that referenced this issue Sep 8, 2023
web-icenetuat-application (public) - pvt-icenetuat-application
  module.application.azurerm_private_endpoint.application
app-icenetuat-pygeoapi (public) - pvt-icenetuat-pygeoapi
  module.pygeoapi.azurerm_private_endpoint.pygeoapi
sticenetuatdata (public) - pvt-icenetuat-data-blob and ...-file
  module.data.azurerm_private_endpoint.data_blob
  module.data.azurerm_private_endpoint.data_file

app-icenetuat-event-processing (private)
  module.forecast_processor.azurerm_private_endpoint.event_proc_endpoint
app-icenetuat-processing (private)
  module.forecast_processor.azurerm_private_endpoint.proc_endpoint
psql-icenetuat-database (private)
  module.data.azurerm_private_endpoint.database

egd-icenetuat-processing-domain (private)
  module.forecast_processor.azurerm_private_endpoint.event_domain_endpoint
sticenetuatappfcproc (private)
  module.forecast_processor.azurerm_private_endpoint.evtproc_app_storage_endpoint
sticenetuatappproc (private)
  module.processing.azurerm_private_endpoint.proc_app_storage_endpoint
JimCircadian (Member, Author) commented

The private endpoints caused an amazing nuisance, with the web application being unable to mount the share from the main storage, promptly breaking the container host with no real messaging.

Going to get the rest of the infrastructure set up behind the LB for access and then lock down from the edge, then transition into the private endpoint architecture. Azure is really a bit wobbly to use, with things failing silently all over the shop.
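The storage lockdown, private endpoint and DNS items from the task list above, together with the share-mount failure described in the comment, in one Terraform fragment. This is an added example and not code from the icenet repository: the resource names, the existing resource group, VNet and subnet passed in as variables, and the admin CIDR are all placeholders. The point it makes is the DNS one: a private endpoint only works for clients that resolve the storage FQDN to the endpoint's private IP, which is what the `privatelink` zone and its VNet link provide; without them the name still resolves to the public address, the network rules now refuse that path, and a file-share mount from the app simply fails.

```hcl
# Added example, not the project's own code. Existing network pieces are
# assumed and passed in; every name below is a placeholder.
variable "resource_group_name" { type = string }
variable "location"            { type = string }
variable "vnet_id"             { type = string }   # assumed existing VNet
variable "private_subnet_id"   { type = string }   # assumed private subnet
variable "admin_source_ips" {
  type    = list(string)
  default = ["203.0.113.0/24"] # constructed: TEST-NET-3 documentation range
}

# 1. Storage account: deny by default, allow only the admin ranges on the
#    public path. Set public_network_access_enabled = false once every
#    consumer is on a private endpoint; the ip_rules then no longer apply.
resource "azurerm_storage_account" "data" {
  name                            = "stexampledata" # must be globally unique
  resource_group_name             = var.resource_group_name
  location                        = var.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
  public_network_access_enabled   = true

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
    ip_rules       = var.admin_source_ips
  }
}

# 2. Private DNS zone for the "file" sub-resource, linked to the VNet so
#    in-VNet clients resolve <account>.file.core.windows.net privately.
resource "azurerm_private_dns_zone" "file" {
  name                = "privatelink.file.core.windows.net"
  resource_group_name = var.resource_group_name
}

resource "azurerm_private_dns_zone_virtual_network_link" "file" {
  name                  = "link-file-vnet"
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.file.name
  virtual_network_id    = var.vnet_id
}

# 3. Private endpoint for the file share, registered in that zone.
resource "azurerm_private_endpoint" "data_file" {
  name                = "pvt-example-data-file"
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.private_subnet_id

  private_service_connection {
    name                           = "psc-data-file"
    private_connection_resource_id = azurerm_storage_account.data.id
    is_manual_connection           = false
    subresource_names              = ["file"]
  }

  private_dns_zone_group {
    name                 = "dns-file"
    private_dns_zone_ids = [azurerm_private_dns_zone.file.id]
  }
}

# 4. NSG on the private subnet: HTTPS and SMB only from inside the VNet,
#    everything else inbound denied explicitly.
resource "azurerm_network_security_group" "private" {
  name                = "nsg-private"
  location            = var.location
  resource_group_name = var.resource_group_name

  security_rule {
    name                       = "allow-vnet-https-smb"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_ranges    = ["443", "445"]
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "VirtualNetwork"
  }

  security_rule {
    name                       = "deny-all-inbound"
    priority                   = 4096
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "private" {
  subnet_id                 = var.private_subnet_id
  network_security_group_id = azurerm_network_security_group.private.id
}
```

A quick check after apply is to resolve the account's `file.core.windows.net` name from a host inside the VNet and confirm it returns an address in the private subnet's range; if it returns a public IP, the zone link is missing or the client is not using Azure-provided DNS, and the mount will fail regardless of the NSG.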

JimCircadian added a commit that referenced this issue Sep 12, 2023