Modifying Firewall rules to provide Internet Access to T0/T1 #2327

Open
wants to merge 13 commits into base: develop

Conversation

@cptanalatriste cptanalatriste (Contributor) commented Dec 3, 2024

✅ Checklist

  • You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
  • You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
  • Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).

🚦 Depends on

⤴️ Summary

The proposed approach adds an extra field to the SRE config file (`allow_workspace_internet`) and, based on its value, does the following: 1) if `false`, business as usual; 2) if `true`, we remove all the firewall's application rules, add a network rule allowing connections to the internet, and remove the `user_rules` DNS server configuration.

🌂 Related issues

Closes #2283

🔬 Tests

@cptanalatriste cptanalatriste requested a review from a team as a code owner December 3, 2024 09:09
@jemrobinson jemrobinson marked this pull request as draft December 3, 2024 09:12
```python
                ],
            ),
        ],
        application_rule_collections=self._get_application_rule_collections(props),
```
Member

I'm not sure we gain much by moving these definitions into a function.

Comment on lines 18 to 31

```python
import pulumi


class MyMocks(pulumi.runtime.Mocks):
    def new_resource(self, args: pulumi.runtime.MockResourceArgs):
        resources = [args.name + "_id", args.inputs]
        return resources

    def call(self, _: pulumi.runtime.MockCallArgs):
        return {}


# TODO: These break many other tests!
pulumi.runtime.set_mocks(
    MyMocks(),
    preview=False,
)
```
Member

Luckily, you don't need these :). See the test_application_gateway.py for an example of Pulumi runtime tests without set_mocks.

Comment on lines 91 to 93

```python
from enum import Enum


class InternetAccess(Enum):
    ENABLED = True
    DISABLED = False
```
Member

If we need this enum, it's probably useful outside just testing. Should it live in types/enums.py?

@craddm craddm (Contributor) left a comment

I can deploy an SRE, but can't actually connect to anything. At the moment, literally only traffic from workspaces is allowed. None of the container services can connect to the internet, so a user can't get to the remote desktop gateway, for example. I misdescribed that a bit: Guacamole can't talk to the Microsoft Auth servers over the internet, so it can't properly log you in.

```python
        ] = []

        if props.allow_workspace_internet:
            application_rule_collections = []
```
@craddm craddm (Contributor) Dec 5, 2024

Here you remove all the application rules. I think the problem is that, the way the network rules are subsequently defined, only traffic directly from workspaces is allowed out to the internet. This means the various containers (identity, remote desktop gateway etc.) can't communicate with the internet, so you can't get to Guacamole to be able to connect to the workspaces.

Not all of the containers actually need internet access, but some do.

```python
                destination_addresses=["*"],
                destination_ports=["*"],
                name="allow-internet-access",
                protocols=[network.AzureFirewallNetworkRuleProtocol.ANY],
                source_addresses=props.subnet_workspaces_prefixes,
```
Contributor

This line defines which source addresses are allowed. At the moment it's just the subnet for workspaces (10.0.2.0/29), whereas the containers are all in 10.0.1.0/29.

I guess there are two options.

  1. Keep most of the application rules (it's just the snapcraft ones we wanted to get rid of)
  2. Modify this line to allow all source addresses

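The source-address gap described in the two comments above, as an added illustration that is not part of the PR or the data-safe-haven code base: a small model of the `allow-internet-access` network rule, evaluated against the workspace subnet (10.0.2.0/29) and the container subnet (10.0.1.0/29) from the discussion. `NetworkRule`, `REQUIRED_FLOWS` and the destination addresses are constructed here; `all_sources=True` models option 2 (`source_addresses=["*"]`).

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed prefixes taken from the review discussion.
WORKSPACE_PREFIXES = ["10.0.2.0/29"]   # props.subnet_workspaces_prefixes
CONTAINER_PREFIXES = ["10.0.1.0/29"]   # identity, Guacamole and other containers


@dataclass
class NetworkRule:
    """Hypothetical stand-in for an Azure Firewall network rule (not the project's type)."""
    name: str
    source_addresses: list[str]
    destination_addresses: list[str] = field(default_factory=lambda: ["*"])
    destination_ports: list[str] = field(default_factory=lambda: ["*"])


def network_rules(allow_workspace_internet: bool, all_sources: bool = False) -> list[NetworkRule]:
    """Network rules the flag produces; all_sources=True is 'option 2' (allow all sources)."""
    if not allow_workspace_internet:
        return []  # business as usual: only application rules (not modelled here)
    sources = ["*"] if all_sources else WORKSPACE_PREFIXES
    return [NetworkRule("allow-internet-access", sources)]


def _matches(pattern: str, address: str) -> bool:
    """'*' matches anything; otherwise the address must fall inside the CIDR prefix."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)


def allowed(rules: list[NetworkRule], src: str, dst: str, port: int) -> bool:
    """True if any network rule permits src -> dst:port (single ports or '*' only)."""
    return any(
        any(_matches(p, src) for p in r.source_addresses)
        and any(_matches(p, dst) for p in r.destination_addresses)
        and any(p == "*" or int(p) == port for p in r.destination_ports)
        for r in rules
    )


def coverage_gaps(rules: list[NetworkRule], flows) -> list[tuple[str, str]]:
    """(name, source) of every required flow that no network rule permits."""
    return [(n, s) for n, s, d, port in flows if not allowed(rules, s, d, port)]


# Constructed flows: a workspace browsing out, and Guacamole reaching an external auth endpoint.
REQUIRED_FLOWS = [
    ("workspace-https", "10.0.2.4", "203.0.113.10", 443),
    ("guacamole-auth", "10.0.1.4", "198.51.100.20", 443),
]
```

With the rule as written in the PR, only the workspace flow is covered and the Guacamole flow remains in the gap list; with option 2 the gap list is empty.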
Contributor

I've also tried fixing this locally (with option 2 from above) but still can't browse to anything from within the SRE.

Internet access is possible: I can ftp to ftp.ubuntu.com from a workspace.

So I think we need to also look at the DNS.
We have a local container that we use for DNS that (among other things) blocks most FQDNs from resolving.

Member

Allowed DNS domains are defined in types.enums.PermittedDomains.

Contributor Author

Hi @craddm, thanks for checking into this. Just to check my understanding, when you tested Option 2 did you have all the application rules enabled + the new network rule? Also, changing the DNS container means modifying data_safe_haven/resources/dns_server/AdGuardHome.mustache.yaml?

Member

You might need to slightly change AdGuardHome.mustache.yaml. Currently it forbids everything then allows everything from a specified allowlist. We might need to make the first part configurable as otherwise the rules will be "deny everything" and "allow everything" and I have no idea what that will do!

@craddm craddm (Contributor) commented Dec 11, 2024

Have tested a fresh deployment with internet access enabled, and can confirm it works!


@cptanalatriste cptanalatriste marked this pull request as ready for review December 11, 2024 17:28
@cptanalatriste cptanalatriste changed the title from "[WIP] Modifying Firewall rules to provide Internet Access to T0/T1" to "Modifying Firewall rules to provide Internet Access to T0/T1" Dec 11, 2024
Successfully merging this pull request may close these issues.

Active support for T0/T1