From f6344b689fd68a0004eb231add676dec91ef34b1 Mon Sep 17 00:00:00 2001
From: James Robinson
Date: Thu, 24 Aug 2023 19:25:24 +0100
Subject: [PATCH] :wrench: Block access to AzurePlatformDNS from all SRE subnets except ApplicationGateway which requires specific rules
---
 data_safe_haven/pulumi/common/enums.py | 1 +
 .../pulumi/components/sre_networking.py | 108 ++++++++++++++++++
 2 files changed, 109 insertions(+)
diff --git a/data_safe_haven/pulumi/common/enums.py b/data_safe_haven/pulumi/common/enums.py
index 2008c08bce..78570cb8fa 100644
--- a/data_safe_haven/pulumi/common/enums.py
+++ b/data_safe_haven/pulumi/common/enums.py
@@ -8,6 +8,7 @@ class NetworkingPriorities(int, Enum):
 AZURE_CLOUD = 100
 AZURE_GATEWAY_MANAGER = 200
 AZURE_LOAD_BALANCER = 300
+ AZURE_PLATFORM_DNS = 400
 # SHM connections: 1000-1399
 INTERNAL_SELF = 1000
 INTERNAL_SHM_BASTION = 1100
diff --git a/data_safe_haven/pulumi/components/sre_networking.py b/data_safe_haven/pulumi/components/sre_networking.py
index 9a7fdb962f..d264f57620 100644
--- a/data_safe_haven/pulumi/components/sre_networking.py
+++ b/data_safe_haven/pulumi/components/sre_networking.py
@@ -324,6 +324,18 @@ def __init__(
 source_port_range="*",
 ),
 # Outbound
+ network.SecurityRuleArgs(
+ access=network.SecurityRuleAccess.DENY,
+ description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
+ destination_address_prefix="AzurePlatformDNS",
+ destination_port_range="*",
+ direction=network.SecurityRuleDirection.OUTBOUND,
+ name="DenyAzurePlatformDnsOutbound",
+ priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
+ protocol=network.SecurityRuleProtocol.ASTERISK,
+ source_address_prefix="*",
+ source_port_range="*",
+ ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.DENY,
 description="Deny all other outbound traffic.",
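Review bot: `AZURE_PLATFORM_DNS = 400` is added without a comment, although the neighbouring `# SHM connections: 1000-1399` line shows this enum documents its priority bands and what they are for. NSG rules are evaluated in ascending priority with first match winning, so this value only does its job while it stays numerically below every ALLOW rule that could match the same destination; that constraint is worth stating where the number lives, e.g. `AZURE_PLATFORM_DNS = 400  # DENY rule; must stay below every ALLOW so the default-DNS block cannot be shadowed`. The band header for the 100-400 Azure range sits above this hunk, so I cannot confirm it still describes the range correctly after the addition.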
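Review bot: The twelve-line `DenyAzurePlatformDnsOutbound` rule inserted after `# Outbound` in the `@@ -324` hunk is repeated verbatim in every later hunk of this file (eight copies in total), and a one-character drift between copies — a port range, a typo in the service-tag name — would silently leave a single subnet able to reach the default resolver. Build the rule once, e.g. a module-level `def deny_azure_platform_dns_outbound() -> network.SecurityRuleArgs:` returning exactly this `SecurityRuleArgs`, and call it from each NSG so every subnet stays in step and a later tightening is a one-line change. The description names 168.63.129.16, which is also the address used by the Azure VM agent (WireServer) and load-balancer health probes; the `AzurePlatformDNS` tag is documented as covering only the DNS service, but since the rule is protocol `*` and port `*`, that is worth confirming on a deployed VM (extension/agent status still healthy, `dig @168.63.129.16` timing out) before the rule is trusted. `__init__` begins and ends outside this hunk.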
@@ -370,6 +382,18 @@ def __init__(
 source_port_range="*",
 ),
 # Outbound
+ network.SecurityRuleArgs(
+ access=network.SecurityRuleAccess.DENY,
+ description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
+ destination_address_prefix="AzurePlatformDNS",
+ destination_port_range="*",
+ direction=network.SecurityRuleDirection.OUTBOUND,
+ name="DenyAzurePlatformDnsOutbound",
+ priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
+ protocol=network.SecurityRuleProtocol.ASTERISK,
+ source_address_prefix="*",
+ source_port_range="*",
+ ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.DENY,
 description="Deny all other outbound traffic.",
@@ -416,6 +440,18 @@ def __init__(
 source_port_range="*",
 ),
 # Outbound
+ network.SecurityRuleArgs(
+ access=network.SecurityRuleAccess.DENY,
+ description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
+ destination_address_prefix="AzurePlatformDNS",
+ destination_port_range="*",
+ direction=network.SecurityRuleDirection.OUTBOUND,
+ name="DenyAzurePlatformDnsOutbound",
+ priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
+ protocol=network.SecurityRuleProtocol.ASTERISK,
+ source_address_prefix="*",
+ source_port_range="*",
+ ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to DNS servers.",
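Review bot: In the `@@ -416` hunk the new deny now sits directly before an `Allow outbound connections to DNS servers.` rule, so name resolution from this subnet depends entirely on those servers; anything Azure resolves only through 168.63.129.16 — Private DNS zones linked to the VNet, such as private endpoints for storage or Key Vault — becomes unresolvable from here unless the allowed DNS servers themselves forward to the platform resolver from a subnet that does not carry this rule. If the SRE relies on private endpoints, record that assumption on the deny rule so the next reader does not "fix" a failing lookup by deleting it, e.g. `# Azure Private DNS zones can only be reached via the configured DNS servers; 168.63.129.16 is blocked here on purpose`. The two rules only overlap if the DNS server list ever contains 168.63.129.16, so their relative priority is not load-bearing today, but the allow rule's priority is outside the hunk and I could not confirm it. `__init__` begins and ends outside this hunk.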
@@ -534,6 +570,18 @@ def __init__(
 source_port_range="*",
 ),
 # Outbound
+ network.SecurityRuleArgs(
+ access=network.SecurityRuleAccess.DENY,
+ description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
+ destination_address_prefix="AzurePlatformDNS",
+ destination_port_range="*",
+ direction=network.SecurityRuleDirection.OUTBOUND,
+ name="DenyAzurePlatformDnsOutbound",
+ priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
+ protocol=network.SecurityRuleProtocol.ASTERISK,
+ source_address_prefix="*",
+ source_port_range="*",
+ ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.DENY,
 description="Deny all other outbound traffic.",
@@ -580,6 +628,18 @@ def __init__(
 source_port_range="*",
 ),
 # Outbound
+ network.SecurityRuleArgs(
+ access=network.SecurityRuleAccess.DENY,
+ description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
+ destination_address_prefix="AzurePlatformDNS",
+ destination_port_range="*",
+ direction=network.SecurityRuleDirection.OUTBOUND,
+ name="DenyAzurePlatformDnsOutbound",
+ priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
+ protocol=network.SecurityRuleProtocol.ASTERISK,
+ source_address_prefix="*",
+ source_port_range="*",
+ ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to DNS servers.",
@@ -674,6 +734,18 @@ def __init__(
 source_port_range="*",
 ),
 # Outbound
+ network.SecurityRuleArgs(
+ access=network.SecurityRuleAccess.DENY,
+ description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
+ destination_address_prefix="AzurePlatformDNS",
+ destination_port_range="*",
+ direction=network.SecurityRuleDirection.OUTBOUND,
+ name="DenyAzurePlatformDnsOutbound",
+ priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
+ protocol=network.SecurityRuleProtocol.ASTERISK,
+ source_address_prefix="*",
+ source_port_range="*",
+ ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.DENY,
 description="Deny all other outbound traffic.",
@@ -720,6 +792,18 @@ def __init__(
 source_port_range="*",
 ),
 # Outbound
+ network.SecurityRuleArgs(
+ access=network.SecurityRuleAccess.DENY,
+ description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
+ destination_address_prefix="AzurePlatformDNS",
+ destination_port_range="*",
+ direction=network.SecurityRuleDirection.OUTBOUND,
+ name="DenyAzurePlatformDnsOutbound",
+ priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
+ protocol=network.SecurityRuleProtocol.ASTERISK,
+ source_address_prefix="*",
+ source_port_range="*",
+ ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to DNS servers.",
@@ -790,6 +874,18 @@ def __init__(
 source_port_range="*",
 ),
 # Outbound
+ network.SecurityRuleArgs(
+ access=network.SecurityRuleAccess.DENY,
+ description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
+ destination_address_prefix="AzurePlatformDNS",
+ destination_port_range="*",
+ direction=network.SecurityRuleDirection.OUTBOUND,
+ name="DenyAzurePlatformDnsOutbound",
+ priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
+ protocol=network.SecurityRuleProtocol.ASTERISK,
+ source_address_prefix="*",
+ source_port_range="*",
+ ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description="Allow outbound connections to DNS servers.",
@@ -872,6 +968,18 @@ def __init__(
 source_port_range="*",
 ),
 # Outbound
+ network.SecurityRuleArgs(
+ access=network.SecurityRuleAccess.DENY,
+ description="Deny outbound connections to Azure Platform DNS endpoints (including 168.63.129.16), which are not included in the 'Internet' service tag.",
+ destination_address_prefix="AzurePlatformDNS",
+ destination_port_range="*",
+ direction=network.SecurityRuleDirection.OUTBOUND,
+ name="DenyAzurePlatformDnsOutbound",
+ priority=NetworkingPriorities.AZURE_PLATFORM_DNS,
+ protocol=network.SecurityRuleProtocol.ASTERISK,
+ source_address_prefix="*",
+ source_port_range="*",
+ ),
 network.SecurityRuleArgs(
 access=network.SecurityRuleAccess.ALLOW,
 description=(