

Merge pull request #1745 from alan-turing-institute/ips_domains
Improve hardcoded domains and IP addresses
JimMadge authored Feb 29, 2024
2 parents 44d4e60 + 891cc2c commit e401efa
Showing 19 changed files with 31 additions and 306 deletions.
7 changes: 2 additions & 5 deletions deployment/common/Configuration.psm1
Original file line number Diff line number Diff line change
Expand Up @@ -325,10 +325,7 @@ function Get-ShmConfig {
}
updateServers = [ordered]@{
externalIpAddresses = [ordered]@{
azureAutomation = @(
"13.66.145.80", "13.69.109.177", "13.71.175.151", "13.71.199.178", "13.75.34.150", "13.77.55.200", "20.140.131.132", "20.192.168.149", "20.36.108.243", "20.49.90.25", "40.78.236.132", "40.78.236.133", "40.79.173.18", "40.79.187.166", "40.80.176.49", "51.105.77.83", "51.107.60.86", "52.138.229.87", "52.167.107.72", "52.167.107.74", "52.236.186.244"
) # *-jobruntimedata-prod-su1.azure-automation.net
linux = (
linux = (
@("72.32.157.246", "87.238.57.227", "147.75.85.69", "217.196.149.55") + # apt.postgresql.org
@("91.189.91.38", "91.189.91.39", "91.189.91.48", "91.189.91.49", "91.189.91.81", "91.189.91.82", "91.189.91.83", "185.125.190.17", "185.125.190.18", "185.125.190.36", "185.125.190.39") + # archive.ubuntu.com, changelogs.ubuntu.com, security.ubuntu.com
$cloudFlareIpAddresses + # database.clamav.net, packages.gitlab.com and qgis.org use Cloudflare
Expand All @@ -337,7 +334,7 @@ function Get-ShmConfig {
@("152.199.20.126") + # developer.download.nvidia.com
$microsoftIpAddresses # packages.microsoft.com, azure.archive.ubuntu.com
)
windows = @($microsoftIpAddresses) # for several Microsoft-owned endpoints
windows = @($microsoftIpAddresses) # for several Microsoft-owned endpoints
}
linux = [ordered]@{
adminPasswordSecretName = "shm-$($shm.id)-vm-admin-password-linux-update-server".ToLower()
Expand Down
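Review bot: Removing the `azureAutomation` key from `externalIpAddresses` means any template that still renders `{{#…externalIpAddresses.azureAutomation}}` will silently produce an empty list rather than fail, because Mustache treats a missing key as an empty section; the twelve NSG templates in this commit are updated, but the diffstat reports 19 changed files and only 14 are shown here, so it is worth searching for the old key before merging. The lists that remain in the `linux = (` block are still hard-coded mirror addresses that will drift as apt.postgresql.org and the Ubuntu archives rotate IPs, and nothing in the file records when they were resolved; a comment such as `# Resolved on <DATE-PLACEHOLDER>; re-check with Resolve-DnsName when update-server egress breaks` would make that drift easier to diagnose. Get-ShmConfig continues beyond both hunks.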
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,19 @@
"type": "Allow"
},
"rules": [
{
"name": "AllowExternalAzureAutomationOperations",
"protocols": [
"TCP",
"UDP"
],
"targetAddresses": [
"GuestAndHybridManagement",
],
"sourceAddresses": [
"*"
]
},
{
"name": "AllowExternalNTP",
"protocols": [
Expand Down Expand Up @@ -84,96 +97,10 @@
],
"fqdnTags": [],
"targetFqdns": [
"*.blob.core.windows.net",
"*.servicebus.windows.net",
"aadconnecthealth.azure.com",
"adhsprodncuaadsynciadata.blob.core.windows.net",
"adhsprodwcuaadsynciadata.blob.core.windows.net",
"adhsprodweuaadsynciadata.blob.core.windows.net",
"adhsprodweuehsyncia.servicebus.windows.net",
"adhsprodwusaadsynciadata.blob.core.windows.net",
"adhssyncprodpksweu.servicebus.windows.net",
"adminwebservice.microsoftonline.com",
"pksproddatastoreeus101.blob.core.windows.net",
"pksproddatastoreeus102.blob.core.windows.net",
"pksproddatastoreeus103.blob.core.windows.net",
"pksproddatastoreeus104.blob.core.windows.net",
"pksproddatastoreeus105.blob.core.windows.net",
"pksproddatastoreeus106.blob.core.windows.net",
"pksproddatastoreeus107.blob.core.windows.net",
"pksproddatastoreeus108.blob.core.windows.net",
"pksproddatastoreeus109.blob.core.windows.net",
"pksproddatastoreeus111.blob.core.windows.net",
"pksproddatastoreeus112.blob.core.windows.net",
"pksproddatastoreeus113.blob.core.windows.net",
"pksproddatastoreeus114.blob.core.windows.net",
"pksproddatastoreeus115.blob.core.windows.net",
"pksproddatastoreeus116.blob.core.windows.net",
"pksproddatastoreeus117.blob.core.windows.net",
"pksproddatastoreeus118.blob.core.windows.net",
"pksproddatastoreeus119.blob.core.windows.net",
"pksproddatastoreeus120.blob.core.windows.net",
"pksproddatastorencu101.blob.core.windows.net",
"pksproddatastorencu102.blob.core.windows.net",
"pksproddatastorencu103.blob.core.windows.net",
"pksproddatastorencu104.blob.core.windows.net",
"pksproddatastoreneu101.blob.core.windows.net",
"pksproddatastoreneu102.blob.core.windows.net",
"pksproddatastoreneu103.blob.core.windows.net",
"pksproddatastoreneu104.blob.core.windows.net",
"pksproddatastoreneu105.blob.core.windows.net",
"pksproddatastoreneu106.blob.core.windows.net",
"pksproddatastoreneu107.blob.core.windows.net",
"pksproddatastoreneu108.blob.core.windows.net",
"pksproddatastoreneu109.blob.core.windows.net",
"pksproddatastoreneu110.blob.core.windows.net",
"pksproddatastoreneu111.blob.core.windows.net",
"pksproddatastoreneu112.blob.core.windows.net",
"pksproddatastoreneu113.blob.core.windows.net",
"pksproddatastoreneu114.blob.core.windows.net",
"pksproddatastoreneu115.blob.core.windows.net",
"pksproddatastoreneu116.blob.core.windows.net",
"pksproddatastoreneu117.blob.core.windows.net",
"pksproddatastoreneu118.blob.core.windows.net",
"pksproddatastoreneu119.blob.core.windows.net",
"pksproddatastoreneu120.blob.core.windows.net",
"pksproddatastoreweu101.blob.core.windows.net",
"pksproddatastoreweu102.blob.core.windows.net",
"pksproddatastoreweu103.blob.core.windows.net",
"pksproddatastoreweu104.blob.core.windows.net",
"pksproddatastoreweu105.blob.core.windows.net",
"pksproddatastoreweu106.blob.core.windows.net",
"pksproddatastoreweu107.blob.core.windows.net",
"pksproddatastoreweu108.blob.core.windows.net",
"pksproddatastoreweu109.blob.core.windows.net",
"pksproddatastoreweu110.blob.core.windows.net",
"pksproddatastoreweu111.blob.core.windows.net",
"pksproddatastoreweu112.blob.core.windows.net",
"pksproddatastoreweu113.blob.core.windows.net",
"pksproddatastoreweu114.blob.core.windows.net",
"pksproddatastoreweu115.blob.core.windows.net",
"pksproddatastoreweu116.blob.core.windows.net",
"pksproddatastoreweu117.blob.core.windows.net",
"pksproddatastoreweu118.blob.core.windows.net",
"pksproddatastoreweu119.blob.core.windows.net",
"pksproddatastoreweu120.blob.core.windows.net",
"pksproddatastorewus101.blob.core.windows.net",
"pksproddatastorewus102.blob.core.windows.net",
"pksproddatastorewus103.blob.core.windows.net",
"pksproddatastorewus104.blob.core.windows.net",
"pksproddatastorewus105.blob.core.windows.net",
"pksproddatastorewus106.blob.core.windows.net",
"pksproddatastorewus107.blob.core.windows.net",
"pksproddatastorewus108.blob.core.windows.net",
"pksproddatastorewus109.blob.core.windows.net",
"pksproddatastorewus111.blob.core.windows.net",
"pksproddatastorewus112.blob.core.windows.net",
"pksproddatastorewus113.blob.core.windows.net",
"pksproddatastorewus114.blob.core.windows.net",
"pksproddatastorewus115.blob.core.windows.net",
"pksproddatastorewus116.blob.core.windows.net",
"pksproddatastorewus117.blob.core.windows.net",
"pksproddatastorewus118.blob.core.windows.net",
"pksproddatastorewus119.blob.core.windows.net",
"pksproddatastorewus120.blob.core.windows.net",
"s1.adhybridhealth.azure.com",
"umwatson.events.data.microsoft.com",
"v10.events.data.microsoft.com",
Expand All @@ -191,16 +118,8 @@
"fqdnTags": [],
"targetFqdns": [
"*-sb.servicebus.windows.net",
"passwordreset.microsoftonline.com",
"ssprdedicatedsbprodeus2-1.servicebus.windows.net",
"ssprdedicatedsbprodfra-1.servicebus.windows.net",
"ssprdedicatedsbprodncu-2.servicebus.windows.net",
"ssprdedicatedsbprodncu.servicebus.windows.net",
"ssprdedicatedsbprodneu.servicebus.windows.net",
"ssprdedicatedsbprodscu-2.servicebus.windows.net",
"ssprdedicatedsbprodscu.servicebus.windows.net",
"ssprdedicatedsbprodsea-1.servicebus.windows.net",
"ssprdedicatedsbprodweu.servicebus.windows.net"
"*.servicebus.windows.net",
"passwordreset.microsoftonline.com"
],
"sourceAddresses": [
"{{network.vnet.subnets.identity.cidr}}"
Expand Down Expand Up @@ -239,34 +158,6 @@
"{{network.vnet.subnets.identity.cidr}}"
]
},
{
"name": "AllowExternalAzureAutomationOperations",
"protocols": [
"HTTPS:443"
],
"fqdnTags": [],
"targetFqdns": [
"ac-jobruntimedata-prod-su1.azure-automation.net",
"ae-jobruntimedata-prod-su1.azure-automation.net",
"ase-jobruntimedata-prod-su1.azure-automation.net",
"cc-jobruntimedata-prod-su1.azure-automation.net",
"cid-jobruntimedata-prod-su1.azure-automation.net",
"eus2-jobruntimedata-prod-su1.azure-automation.net",
"jpe-jobruntimedata-prod-su1.azure-automation.net",
"ne-jobruntimedata-prod-su1.azure-automation.net",
"scus-jobruntimedata-prod-su1.azure-automation.net",
"sea-jobruntimedata-prod-su1.azure-automation.net",
"stzn-jobruntimedata-prod-su1.azure-automation.net",
"uks-jobruntimedata-prod-su1.azure-automation.net",
"usge-jobruntimedata-prod-su1.azure-automation.us",
"wcus-jobruntimedata-prod-su1.azure-automation.net",
"we-jobruntimedata-prod-su1.azure-automation.net",
"wus2-jobruntimedata-prod-su1.azure-automation.net"
],
"sourceAddresses": [
"*"
]
},
{
"name": "AllowExternalAzureMFAConnectOperations",
"protocols": [
Expand Down
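Review bot: The new `AllowExternalAzureAutomationOperations` network rule has a trailing comma after `"GuestAndHybridManagement",` inside `targetAddresses`, which strict JSON parsers reject once the template is rendered; it should read `"GuestAndHybridManagement"` with no comma, as the other single-element arrays in this file do. The application rule it replaces (removed further down in this section) was limited to `HTTPS:443`, whereas the new rule opens `TCP` and `UDP` to the whole service tag with no port visible in the hunk; if the rule schema takes a destination-port field, pin it to 443 and drop UDP unless a UDP dependency is documented, so the change does not widen egress. Note also that `*.blob.core.windows.net` and `*.servicebus.windows.net` in the AAD Connect Health rule, if they are the added lines, let the identity subnet reach any storage account or Service Bus namespace rather than only Microsoft-operated ones; the rule's description should state that this breadth is accepted deliberately. The enclosing `rules` array begins before and ends after the visible hunks.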
Original file line number Diff line number Diff line change
Expand Up @@ -203,11 +203,7 @@
"name": "AllowAzureAutomationOutbound",
"access": "Allow",
"description": "Allow outbound connections to Azure automation servers",
"destinationAddressPrefix": [
{{#monitoring.updateServers.externalIpAddresses.azureAutomation}}
"{{.}}",
{{/monitoring.updateServers.externalIpAddresses.azureAutomation}}
],
"destinationAddressPrefix": "GuestAndHybridManagement",
"destinationPortRange": ["443"],
"direction": "Outbound",
"priority": 3800,
Expand Down
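Review bot: `"description": "Allow outbound connections to Azure automation servers"` no longer describes the rule precisely, since the `GuestAndHybridManagement` service tag is documented by Microsoft as covering Azure Automation and Guest Configuration endpoints, so the allowed destination set is broader than the per-region job-runtime-data addresses it replaces. Suggest `"description": "Allow outbound HTTPS to the GuestAndHybridManagement service tag (Azure Automation and Guest Configuration)"` so the broadening is visible to whoever audits the NSG. The same replacement appears in the eleven sections that follow (the remaining `AllowAzureAutomationOutbound` hunks, including those keyed under `shm.monitoring`), and the description should be updated in each of them. The rule object continues outside the hunk in every case.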
Original file line number Diff line number Diff line change
Expand Up @@ -115,11 +115,7 @@
"name": "AllowAzureAutomationOutbound",
"access": "Allow",
"description": "Allow outbound connections to Azure automation servers",
"destinationAddressPrefix": [
{{#monitoring.updateServers.externalIpAddresses.azureAutomation}}
"{{.}}",
{{/monitoring.updateServers.externalIpAddresses.azureAutomation}}
],
"destinationAddressPrefix": "GuestAndHybridManagement",
"destinationPortRange": ["443"],
"direction": "Outbound",
"priority": 3800,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -115,11 +115,7 @@
"name": "AllowAzureAutomationOutbound",
"access": "Allow",
"description": "Allow outbound connections to Azure automation servers",
"destinationAddressPrefix": [
{{#monitoring.updateServers.externalIpAddresses.azureAutomation}}
"{{.}}",
{{/monitoring.updateServers.externalIpAddresses.azureAutomation}}
],
"destinationAddressPrefix": "GuestAndHybridManagement",
"destinationPortRange": ["443"],
"direction": "Outbound",
"priority": 3800,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -115,11 +115,7 @@
"name": "AllowAzureAutomationOutbound",
"access": "Allow",
"description": "Allow outbound connections to Azure automation servers",
"destinationAddressPrefix": [
{{#monitoring.updateServers.externalIpAddresses.azureAutomation}}
"{{.}}",
{{/monitoring.updateServers.externalIpAddresses.azureAutomation}}
],
"destinationAddressPrefix": "GuestAndHybridManagement",
"destinationPortRange": ["443"],
"direction": "Outbound",
"priority": 3800,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -115,11 +115,7 @@
"name": "AllowAzureAutomationOutbound",
"access": "Allow",
"description": "Allow outbound connections to Azure automation servers",
"destinationAddressPrefix": [
{{#monitoring.updateServers.externalIpAddresses.azureAutomation}}
"{{.}}",
{{/monitoring.updateServers.externalIpAddresses.azureAutomation}}
],
"destinationAddressPrefix": "GuestAndHybridManagement",
"destinationPortRange": ["443"],
"direction": "Outbound",
"priority": 3800,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -115,11 +115,7 @@
"name": "AllowAzureAutomationOutbound",
"access": "Allow",
"description": "Allow outbound connections to Azure automation servers",
"destinationAddressPrefix": [
{{#monitoring.updateServers.externalIpAddresses.azureAutomation}}
"{{.}}",
{{/monitoring.updateServers.externalIpAddresses.azureAutomation}}
],
"destinationAddressPrefix": "GuestAndHybridManagement",
"destinationPortRange": ["443"],
"direction": "Outbound",
"priority": 3800,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -115,11 +115,7 @@
"name": "AllowAzureAutomationOutbound",
"access": "Allow",
"description": "Allow outbound connections to Azure automation servers",
"destinationAddressPrefix": [
{{#monitoring.updateServers.externalIpAddresses.azureAutomation}}
"{{.}}",
{{/monitoring.updateServers.externalIpAddresses.azureAutomation}}
],
"destinationAddressPrefix": "GuestAndHybridManagement",
"destinationPortRange": ["443"],
"direction": "Outbound",
"priority": 3800,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -95,11 +95,7 @@
"name": "AllowAzureAutomationOutbound",
"access": "Allow",
"description": "Allow outbound connections to Azure automation servers",
"destinationAddressPrefix": [
{{#monitoring.updateServers.externalIpAddresses.azureAutomation}}
"{{.}}",
{{/monitoring.updateServers.externalIpAddresses.azureAutomation}}
],
"destinationAddressPrefix": "GuestAndHybridManagement",
"destinationPortRange": ["443"],
"direction": "Outbound",
"priority": 3800,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -197,11 +197,7 @@
"name": "AllowAzureAutomationOutbound",
"access": "Allow",
"description": "Allow outbound connections to Azure automation servers",
"destinationAddressPrefix": [
{{#shm.monitoring.updateServers.externalIpAddresses.azureAutomation}}
"{{.}}",
{{/shm.monitoring.updateServers.externalIpAddresses.azureAutomation}}
],
"destinationAddressPrefix": "GuestAndHybridManagement",
"destinationPortRange": ["443"],
"direction": "Outbound",
"priority": 3800,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -149,11 +149,7 @@
"name": "AllowAzureAutomationOutbound",
"access": "Allow",
"description": "Allow outbound connections to Azure automation servers",
"destinationAddressPrefix": [
{{#shm.monitoring.updateServers.externalIpAddresses.azureAutomation}}
"{{.}}",
{{/shm.monitoring.updateServers.externalIpAddresses.azureAutomation}}
],
"destinationAddressPrefix": "GuestAndHybridManagement",
"destinationPortRange": ["443"],
"direction": "Outbound",
"priority": 3800,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -143,11 +143,7 @@
"name": "AllowAzureAutomationOutbound",
"access": "Allow",
"description": "Allow outbound connections to Azure automation servers",
"destinationAddressPrefix": [
{{#shm.monitoring.updateServers.externalIpAddresses.azureAutomation}}
"{{.}}",
{{/shm.monitoring.updateServers.externalIpAddresses.azureAutomation}}
],
"destinationAddressPrefix": "GuestAndHybridManagement",
"destinationPortRange": ["443"],
"direction": "Outbound",
"priority": 3800,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -115,11 +115,7 @@
"name": "AllowAzureAutomationOutbound",
"access": "Allow",
"description": "Allow outbound connections to Azure automation servers",
"destinationAddressPrefix": [
{{#shm.monitoring.updateServers.externalIpAddresses.azureAutomation}}
"{{.}}",
{{/shm.monitoring.updateServers.externalIpAddresses.azureAutomation}}
],
"destinationAddressPrefix": "GuestAndHybridManagement",
"destinationPortRange": ["443"],
"direction": "Outbound",
"priority": 3800,
Expand Down
