Support "Internet" as a valid IP address in the config file #2229

Closed
jemrobinson opened this issue Oct 7, 2024 · 4 comments · Fixed by #2233

@jemrobinson

jemrobinson commented Oct 7, 2024

✅ Checklist

  • I have searched open and closed issues for duplicates.
  • This is a request for a new feature in the Data Safe Haven or an upgrade to an existing feature.
  • The feature is still missing in the latest version.
  • I have read through the documentation.
  • This isn't an open-ended question (open a discussion if it is).

🍓 Suggested change

Support "Internet" as a valid IP address in the config file

🚂 How could this be done?

@jemrobinson jemrobinson added the enhancement New functionality that should be added to the Safe Haven label Oct 7, 2024
@jemrobinson jemrobinson added this to the Release 5.0.1 milestone Oct 7, 2024
@JimMadge

JimMadge commented Oct 8, 2024

@jemrobinson You've made an infinite loop 🤯

@JimMadge

JimMadge commented Oct 8, 2024

As the config values are parsed as IP ranges, can we use something like * or 0.0.0.0/0?

@JimMadge

For the user IP address ranges,

```python
# Deploy networking
networking = SRENetworkingComponent(
    "sre_networking",
    self.stack_name,
    SRENetworkingProps(
        dns_private_zones=dns.private_zones,
        dns_server_ip=dns.ip_address,
        dns_virtual_network=dns.virtual_network,
        location=self.config.azure.location,
        resource_group_name=resource_group.name,
        shm_fqdn=shm_fqdn,
        shm_location=shm_location,
        shm_resource_group_name=self.context.resource_group_name,
        shm_subscription_id=shm_subscription_id,
        shm_zone_name=shm_fqdn,
        sre_name=self.config.name,
        user_public_ip_ranges=self.config.sre.research_user_ip_addresses,
    ),
    tags=self.tags,
)
```

```python
network.SecurityRuleArgs(
    access=network.SecurityRuleAccess.ALLOW,
    description="Allow inbound connections from users over the internet.",
    destination_address_prefix=SREIpRanges.application_gateway.prefix,
    destination_port_ranges=[Ports.HTTP, Ports.HTTPS],
    direction=network.SecurityRuleDirection.INBOUND,
    name="AllowUsersInternetInbound",
    priority=NetworkingPriorities.AUTHORISED_EXTERNAL_USER_IPS,
    protocol=network.SecurityRuleProtocol.TCP,
    source_address_prefixes=props.user_public_ip_ranges,
    source_port_range="*",
),
```

The Pulumi Azure Native parameter `source_address_prefixes` should accept IP addresses, CIDR ranges, '*' and Azure tags.

Our config validation will reject anything but IPv4 addresses or IPv4 address ranges.

@JimMadge

0.0.0.0/0 works, but that may be more permissive than we would want.

@JimMadge JimMadge mentioned this issue Oct 10, 2024
@JimMadge JimMadge self-assigned this Oct 14, 2024
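
The validation gap discussed in this thread, as an added example that is not part of the issue or the project's own code: a standard-library validator that accepts IPv4 addresses, IPv4 CIDR ranges and the `Internet` service tag, and flags `0.0.0.0/0`. The function names, the single-tag allowlist, the case-sensitive match and the rejection of `*` are assumptions made for illustration.

```python
import ipaddress

# Assumption: "Internet" is the only Azure service tag the config should accept.
ALLOWED_SERVICE_TAGS = frozenset({"Internet"})


def normalise_source_prefix(value: str) -> str:
    """Return the canonical NSG source prefix for one config entry.

    Accepts an IPv4 address, an IPv4 CIDR range or an allowed service tag;
    raises ValueError for anything else ("*", other tags, IPv6, typos).
    """
    if not isinstance(value, str):
        raise ValueError(f"{value!r} is not a string")
    candidate = value.strip()
    if candidate in ALLOWED_SERVICE_TAGS:  # exact, case-sensitive match
        return candidate
    try:
        # strict=True rejects ranges with host bits set, e.g. 192.0.2.10/24
        network = ipaddress.IPv4Network(candidate, strict=True)
    except ValueError as exc:
        raise ValueError(
            f"{value!r} is not an IPv4 address, IPv4 range or allowed service tag"
        ) from exc
    return str(network)  # a bare address becomes a /32


def validate_user_ip_ranges(values):
    """Validate a list of entries; return (prefixes, warnings)."""
    prefixes, warnings = [], []
    for value in values:
        prefix = normalise_source_prefix(value)
        if prefix in prefixes:
            continue  # drop duplicates such as 192.0.2.10 and 192.0.2.10/32
        if prefix == "0.0.0.0/0":
            warnings.append("0.0.0.0/0 matches every IPv4 source address")
        prefixes.append(prefix)
    if "Internet" in prefixes and len(prefixes) > 1:
        warnings.append("'Internet' is listed alongside specific ranges")
    return prefixes, warnings


if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    print(validate_user_ip_ranges(["192.0.2.10", "198.51.100.0/24", "Internet"]))
```
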