Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Active support for T0/T1 #2283

Open
5 tasks done
helendduncan opened this issue Nov 8, 2024 · 3 comments · May be fixed by #2327
Open
5 tasks done

Active support for T0/T1 #2283

helendduncan opened this issue Nov 8, 2024 · 3 comments · May be fixed by #2327
Assignees
@cptanalatriste @helendduncan @dsj976
Labels
enhancement New functionality that should be added to the Safe Haven
Milestone
Release 5.2.0

Comments

@helendduncan
Copy link

helendduncan commented Nov 8, 2024
edited by JimMadge
Loading

✅ Checklist

  • I have searched open and closed issues for duplicates.
  • This is a request for a new feature in the Data Safe Haven or an upgrade to an existing feature.
  • The feature is still missing in the latest version.
  • I have read through the documentation.
  • This isn't an open-ended question (open a discussion if it is).

🍓 Suggested change

The current SREs cannot support T0/T1 RE internet access

🚂 How could this be done?
@helendduncan helendduncan added the enhancement New functionality that should be added to the Safe Haven label Nov 8, 2024
@JimMadge JimMadge added this to the Release 5.1.0 milestone Nov 8, 2024
@JimMadge
Copy link
Member

JimMadge commented Nov 8, 2024

We do document these tiers here.

The only technical difference is that outbound internet from the workspaces is allowed.
The change should then be,

  • Add config option for outbound internet
  • Add template for T0/1
  • Use that config value to modify NSG rules (presumably) for workspaces (and firewall rules?).

@jemrobinson Any tips on how the network configuration needs to be changed?

@jemrobinson
Copy link
Member

jemrobinson commented Nov 8, 2024
edited
Loading

The shm-$NAME-sre-$NAME-nsg-workspaces NSG group needs a rule that allows outbound internet access (I think there's already a rule that allows TCP outbound for configuration?).

We then need to add a rule to the firewall which is "allow" for "*". I'll let you decide whether it's easier to only add this rule for environments that allow outgoing internet access or to make it a rule that's always there but flips between allow/deny depending on this setting (note if you pick the second option you'll have to choose the priority carefully so it doesn't block things we want to allow).

Good catch @helendduncan !

@JimMadge JimMadge moved this to Ready to Work in Data Safe Haven Nov 18, 2024
@JimMadge JimMadge moved this from Ready to Work to In progress in Data Safe Haven Nov 29, 2024
@JimMadge
Copy link
Member

There is an NSG rule to allow outbound internet for workspaces because we don't have proxies for,

  • Snapcraft
  • RStudio debs
  • Ubuntu keyservers

So I think the changes we want to make will be on the firewall rules for workspaces.

@JimMadge JimMadge linked a pull request Dec 3, 2024 that will close this issue
Open
3 tasks
@JimMadge JimMadge moved this from In progress to In review in Data Safe Haven Dec 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cptanalatriste cptanalatriste

@helendduncan helendduncan

@dsj976 dsj976

Labels
enhancement New functionality that should be added to the Safe Haven
Projects
Data Safe Haven
Status: In review
Milestone
Release 5.2.0
Development

Successfully merging a pull request may close this issue.

Modifying Firewall rules to provide Internet Access to T0/T1 cptanalatriste/data-safe-haven
5 participants
@cptanalatriste @jemrobinson @JimMadge @helendduncan @dsj976