Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict NACL rules for backend VPC #487

Closed
dlpzx opened this issue May 31, 2023 · 2 comments · Fixed by #543
Closed

Restrict NACL rules for backend VPC #487

dlpzx opened this issue May 31, 2023 · 2 comments · Fixed by #543
Assignees
@noah-paige
Labels
priority: high type: enhancement Feature enhacement

Comments

@dlpzx
Copy link
Contributor

dlpzx commented May 31, 2023

Current VPC deployed by data.all defines inbound and outbound rules open to all traffic.
What we would like is to have the rules defined as restrictive as possible, allowing only the needed traffic.
@dlpzx dlpzx added type: enhancement Feature enhacement status: in-progress This issue has been picked and is being implemented priority: high labels May 31, 2023
@noah-paige noah-paige self-assigned this Jun 6, 2023
@noah-paige noah-paige mentioned this issue Jun 6, 2023
Closed
@noah-paige noah-paige linked a pull request Jun 6, 2023 that will close this issue
feat: fine-grained nacls for backend vpc creation #503
Closed
@dlpzx
Copy link
Contributor Author

dlpzx commented Jun 7, 2023

After testing the solution, I was able to confirm that data.all works correctly with the following NACL rules:
image

image

In addition we need to modify STS boto3 calls because for global VPC endpoints without the region it is not possible to resolve it (related to #144)

            sts = base_session.client(
                'sts',
                config=Config(user_agent_extra=f'{__pkg_name__}/{__version__}'),
                region_name=region,
                endpoint_url=f"https://sts.{region}.amazonaws.com"
            )

@noah-paige noah-paige mentioned this issue Jun 30, 2023
Merged
@noah-paige noah-paige linked a pull request Jun 30, 2023 that will close this issue
feat: fine-grained nacls for backend vpc creation #543
Merged
dlpzx added a commit that referenced this issue Jul 11, 2023
@noah-paige @chamcca
@dlpzx @nikpodsh
feat: fine-grained nacls for backend vpc creation (#543)
1465c62 
### Feature or Bugfix
- Feature


### Detail
- Replace NACL Rules on VPC Subnet with individual security groups
defined for the backend VPC as restrictive as possible, allowing only
the needed traffic.


### Relates
- #487 

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

---------

Co-authored-by: chamcca <40579012+chamcca@users.noreply.github.com>
Co-authored-by: dlpzx <71252798+dlpzx@users.noreply.github.com>
Co-authored-by: Nikita Podshivalov <nikpodsh@amazon.com>
@noah-paige
Copy link
Contributor

Implemented as part of v1.6

@noah-paige noah-paige removed the status: in-progress This issue has been picked and is being implemented label Jul 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@noah-paige noah-paige

Labels
priority: high type: enhancement Feature enhacement
Projects
None yet
Milestone
No milestone
2 participants
@noah-paige @dlpzx