🔧 Block access to AzurePlatformDNS from all SRE subnets except Applic…
…ationGateway which requires specific rules
jemrobinson committed Aug 24, 2023
1 parent b53c8ce commit f6344b6
Showing 2 changed files with 109 additions and 0 deletions.
1 change: 1 addition & 0 deletions data_safe_haven/pulumi/common/enums.py
Expand Up @@ -8,6 +8,7 @@ class NetworkingPriorities(int, Enum):
AZURE_CLOUD = 100
AZURE_GATEWAY_MANAGER = 200
AZURE_LOAD_BALANCER = 300
AZURE_PLATFORM_DNS = 400
# SHM connections: 1000-1399
INTERNAL_SELF = 1000
INTERNAL_SHM_BASTION = 1100
108 changes: 108 additions & 0 deletions data_safe_haven/pulumi/components/sre_networking.py
Expand Up @@ -324,6 +324,18 @@ def __init__(
source_port_range="*",
),
# Outbound
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.DENY,
description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
destination_address_prefix="AzurePlatformDNS",
destination_port_range="*",
direction=network.SecurityRuleDirection.OUTBOUND,
name="DenyAzurePlatformDnsOutbound",
priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
protocol=network.SecurityRuleProtocol.ASTERISK,
source_address_prefix="*",
source_port_range="*",
),
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.DENY,
description="Deny all other outbound traffic.",
Expand Down Expand Up @@ -370,6 +382,18 @@ def __init__(
source_port_range="*",
),
# Outbound
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.DENY,
description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
destination_address_prefix="AzurePlatformDNS",
destination_port_range="*",
direction=network.SecurityRuleDirection.OUTBOUND,
name="DenyAzurePlatformDnsOutbound",
priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
protocol=network.SecurityRuleProtocol.ASTERISK,
source_address_prefix="*",
source_port_range="*",
),
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.DENY,
description="Deny all other outbound traffic.",
Expand Down Expand Up @@ -416,6 +440,18 @@ def __init__(
source_port_range="*",
),
# Outbound
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.DENY,
description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
destination_address_prefix="AzurePlatformDNS",
destination_port_range="*",
direction=network.SecurityRuleDirection.OUTBOUND,
name="DenyAzurePlatformDnsOutbound",
priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
protocol=network.SecurityRuleProtocol.ASTERISK,
source_address_prefix="*",
source_port_range="*",
),
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.ALLOW,
description="Allow outbound connections to DNS servers.",
Expand Down Expand Up @@ -534,6 +570,18 @@ def __init__(
source_port_range="*",
),
# Outbound
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.DENY,
description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
destination_address_prefix="AzurePlatformDNS",
destination_port_range="*",
direction=network.SecurityRuleDirection.OUTBOUND,
name="DenyAzurePlatformDnsOutbound",
priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
protocol=network.SecurityRuleProtocol.ASTERISK,
source_address_prefix="*",
source_port_range="*",
),
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.DENY,
description="Deny all other outbound traffic.",
Expand Down Expand Up @@ -580,6 +628,18 @@ def __init__(
source_port_range="*",
),
# Outbound
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.DENY,
description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
destination_address_prefix="AzurePlatformDNS",
destination_port_range="*",
direction=network.SecurityRuleDirection.OUTBOUND,
name="DenyAzurePlatformDnsOutbound",
priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
protocol=network.SecurityRuleProtocol.ASTERISK,
source_address_prefix="*",
source_port_range="*",
),
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.ALLOW,
description="Allow outbound connections to DNS servers.",
Expand Down Expand Up @@ -674,6 +734,18 @@ def __init__(
source_port_range="*",
),
# Outbound
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.DENY,
description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
destination_address_prefix="AzurePlatformDNS",
destination_port_range="*",
direction=network.SecurityRuleDirection.OUTBOUND,
name="DenyAzurePlatformDnsOutbound",
priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
protocol=network.SecurityRuleProtocol.ASTERISK,
source_address_prefix="*",
source_port_range="*",
),
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.DENY,
description="Deny all other outbound traffic.",
Expand Down Expand Up @@ -720,6 +792,18 @@ def __init__(
source_port_range="*",
),
# Outbound
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.DENY,
description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
destination_address_prefix="AzurePlatformDNS",
destination_port_range="*",
direction=network.SecurityRuleDirection.OUTBOUND,
name="DenyAzurePlatformDnsOutbound",
priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
protocol=network.SecurityRuleProtocol.ASTERISK,
source_address_prefix="*",
source_port_range="*",
),
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.ALLOW,
description="Allow outbound connections to DNS servers.",
Expand Down Expand Up @@ -790,6 +874,18 @@ def __init__(
source_port_range="*",
),
# Outbound
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.DENY,
description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
destination_address_prefix="AzurePlatformDNS",
destination_port_range="*",
direction=network.SecurityRuleDirection.OUTBOUND,
name="DenyAzurePlatformDnsOutbound",
priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
protocol=network.SecurityRuleProtocol.ASTERISK,
source_address_prefix="*",
source_port_range="*",
),
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.ALLOW,
description="Allow outbound connections to DNS servers.",
Expand Down Expand Up @@ -872,6 +968,18 @@ def __init__(
source_port_range="*",
),
# Outbound
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.DENY,
description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
destination_address_prefix="AzurePlatformDNS",
destination_port_range="*",
direction=network.SecurityRuleDirection.OUTBOUND,
name="DenyAzurePlatformDnsOutbound",
priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
protocol=network.SecurityRuleProtocol.ASTERISK,
source_address_prefix="*",
source_port_range="*",
),
network.SecurityRuleArgs(
access=network.SecurityRuleAccess.ALLOW,
description=(
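Review bot: The same twelve-line `DenyAzurePlatformDnsOutbound` rule is pasted verbatim into nine NSG rule lists in this file (the hunks at 324, 382, 440, 570, 628, 734, 792, 874 and 968), so any later change to the service tag, priority or port range must be repeated nine times, and a missed copy silently leaves one subnet without the deny — for a security control that is a correctness risk, not only a style point. A small module-level factory returning `network.SecurityRuleArgs`, called as `_deny_azure_platform_dns_outbound(),` in each list, keeps the rule identical everywhere and gives one place to review it. Azure evaluates lower priority numbers first, so the new `AZURE_PLATFORM_DNS = 400` slot appears intended to sit ahead of every allow rule in these lists; a one-line comment on the enum entry stating that ordering assumption would help the next reader, and it is worth confirming that the tag covers only the DNS function of 168.63.129.16 rather than the other platform services on that address, since the rule is written with protocol and port `*`. The `__init__` that holds these lists starts and ends outside every hunk.
```python
def _deny_azure_platform_dns_outbound() -> network.SecurityRuleArgs:
    """Deny rule shared by every SRE NSG: block outbound traffic to the AzurePlatformDNS service tag."""
    return network.SecurityRuleArgs(
        access=network.SecurityRuleAccess.DENY,
        description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
        destination_address_prefix="AzurePlatformDNS",
        destination_port_range="*",
        direction=network.SecurityRuleDirection.OUTBOUND,
        name="DenyAzurePlatformDnsOutbound",
        priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
        protocol=network.SecurityRuleProtocol.ASTERISK,
        source_address_prefix="*",
        source_port_range="*",
    )

# … unchanged: each NSG's inbound rules …
# Outbound
_deny_azure_platform_dns_outbound(),
# … unchanged: the remaining outbound rules of each NSG …
```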
