Route Guacamole traffic through the app gateway #4032

Open
jonnyry opened this issue Jul 15, 2024 · 4 comments
Comments

jonnyry (Collaborator) commented Jul 15, 2024

Route Guacamole traffic through the App Gateway, and do not allow direct connections to guacamole service endpoints.

This would provide the following benefits:

  • TRE web traffic would flow through a single ingress point
  • a single trusted domain name can be used, rather than relying on default azure domain names for guacamole
  • App Gateway WAF features can be enabled for all web traffic rather than just API + UI
  • would meet Apache’s recommendation of hosting behind a reverse proxy: https://guacamole.apache.org/doc/gug/reverse-proxy.html
jonnyry (Collaborator, Author) commented Jul 15, 2024

This PR resolves the issue; however, it wasn't merged as it introduced a 100 workspace limit (due to the App Gateway maximum of 100 backend pools):

#3731

Wondering whether a shared Guacamole service might be a plausible solution instead, rather than 1 per workspace - though are there downsides to this approach?

marrobi (Member) commented Jul 16, 2024

The reason we did it independently was to minimise the work needed to handle auth for each workspace. The shared service would be an ok solution from my perspective, as long as tokens are validated against the appropriate workspace application ID. At the moment we use OAuth Proxy - https://github.com/oauth2-proxy/oauth2-proxy. In addition, the custom authentication extension (Java) accesses the KeyVault in the workspace to retrieve the credentials for the VM.

So it's not straightforward, but if you want to put a design proposal together, and are willing to put in the time to do a PR once aligned, then we can discuss it.
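A minimal form of the per-workspace token check the comment above asks for (a shared Guacamole service must only honour tokens issued for the workspace being requested), written here as an added example rather than code from the TRE project or from the commenter. It assumes signature and issuer verification already happened upstream (e.g. in oauth2-proxy), a constructed workspace-to-application-ID registry, and a placeholder route pattern.

```python
import re
import time
from typing import Mapping, Optional, Union

# Constructed registry: workspace id -> application (client) ID that tokens for
# that workspace must carry as audience. Both keys and values are placeholders.
WORKSPACE_APP_IDS: dict[str, str] = {
    "ws-alpha": "11111111-1111-1111-1111-111111111111",
    "ws-beta": "22222222-2222-2222-2222-222222222222",
}

# Placeholder route shape for a shared service fronting several workspaces.
_WORKSPACE_PATH = re.compile(r"^/workspaces/(?P<ws>[A-Za-z0-9-]+)/guacamole(?:/|$)")


def workspace_from_path(path: str) -> Optional[str]:
    """Return the workspace id a request targets, or None for non-workspace routes."""
    m = _WORKSPACE_PATH.match(path)
    return m.group("ws") if m else None


def token_allowed_for_workspace(claims: Mapping[str, Union[str, int, list]],
                                path: str,
                                now: Optional[int] = None,
                                skew: int = 60) -> bool:
    """Decide whether signature-verified JWT claims may reach the workspace in `path`.

    Assumption: the proxy in front has already checked signature and issuer. This
    function only enforces that the audience matches the application ID registered
    for the requested workspace and that the token is inside its validity window.
    """
    now = int(time.time()) if now is None else now
    ws = workspace_from_path(path)
    if ws is None or ws not in WORKSPACE_APP_IDS:
        return False  # unknown route or unregistered workspace: fail closed
    # RFC 7519 allows `aud` to be a single string or a list of strings.
    aud = claims.get("aud")
    audiences = {aud} if isinstance(aud, str) else set(aud or [])
    if WORKSPACE_APP_IDS[ws] not in audiences:
        return False  # token was issued for a different workspace application
    exp = claims.get("exp")
    nbf = claims.get("nbf", 0)
    if not isinstance(exp, int) or now > exp + skew or now + skew < nbf:
        return False  # expired, or not yet valid, beyond the allowed clock skew
    return True
```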

jonnyry (Collaborator, Author) commented Jul 16, 2024

OK thanks for the info, still considering options at the moment.

Another potential could be to change the App Gateway for Azure Front Door, which if I have read the docs correctly, supports a greater number of backend pools/origins: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-front-door-standard-and-premium-service-limits (Azure FD does not support websocket connections)

@jonnyry jonnyry changed the title Guacamole traffic should flow through the app gateway Route Guacamole traffic through the app gateway Jul 16, 2024
marrobi (Member) commented Nov 15, 2024

See #3731
