Allow traffic between spokes by default #622

Merged: 12 commits merged on Jan 27, 2022

Breanna-Stryker
Contributor

Description

Changes include:

  • Allowing forwarded traffic by default
  • NSG allows traffic from peer spoke CIDR ranges
  • Firewall includes supernet rule to route traffic between spokes
  • Supernet parameter added for ease of use for end users

To test functionality, deploy MLZ, create VMs in two separate spokes, bastion into one and ping/ssh into the other VM.

Issue reference

The issue this PR will close: #608

Checklist

Please make sure you've completed the relevant tasks for this PR out of the following list:

  • All acceptance criteria in the backlog item are met
  • The documentation is updated to cover any new or changed features
  • Manual tests have passed
  • Relevant issues are linked to this PR

@Breanna-Stryker Breanna-Stryker requested a review from a team January 27, 2022 18:53
@glennmusa glennmusa self-requested a review January 27, 2022 19:00
@glennmusa glennmusa self-assigned this Jan 27, 2022
Contributor

@glennmusa glennmusa left a comment

some naming nits

src/bicep/mlz.bicep (outdated, resolved)
src/bicep/modules/firewall.bicep (outdated, resolved)
src/bicep/modules/firewall.bicep (outdated, resolved)
Breanna-Stryker and others added 6 commits January 27, 2022 16:08
Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com>
Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com>
Co-authored-by: Glenn Musa <4622125+glennmusa@users.noreply.github.com>
Contributor

@glennmusa glennmusa left a comment

Works as described. I was able to Bastion into a hub jumpbox, then SSH into a VM in the Identity VNet, then from there SSH into a VM in the Operations VNet.

@glennmusa glennmusa merged commit 568c676 into main Jan 27, 2022
@glennmusa glennmusa deleted the breestryker/spoketraffic branch January 27, 2022 22:44
]
sourceIpGroups: []
destinationAddresses: [
'*'
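
Review bot: the `'*'` entry in `destinationAddresses` matches every destination, so this rule is not limited to the spoke-to-spoke traffic the description says it is for. Replace the wildcard with the supernet range this PR adds as a parameter, so that anything addressed outside the spokes still falls through to the default restriction. With `sourceIpGroups: []` left empty, the only source scoping is the list that closes just above this fragment, so confirm that list is also limited to the spoke ranges.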

Should this be the suprnetIpAddress range versus '*'? I believe right now this would technically allow all outbound traffic from the spokes, no?

My thoughts exactly - this change allows all traffic within the VNets to access any address, including external, which breaks the "all other traffic is restricted by default" statement in https://github.com/Azure/missionlz/blob/main/README.md
@glennmusa @haithamshahin333 this looks like an unintended consequence of this change.

Tagging @kyle-hoyer on this

This does need to be changed. I will update. Thank you
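
The check the reviewers describe in this thread, as an added example that is not part of the PR or the project's code: given the supernet, flag any firewall network rule whose destinations reach outside it. The rule dictionaries are constructed sample data that reuse only the field names visible in the quoted fragment; the rule names, CIDR values and function names are assumptions.

```python
import ipaddress

# Constructed sample data: rule names and CIDRs are made up for illustration.
# Field names follow the fragment quoted in the review thread.
SUPERNET = "10.0.96.0/19"
RULES = [
    {"name": "spoke-wildcard", "sourceIpGroups": [],
     "destinationAddresses": ["*"]},
    {"name": "spoke-scoped", "sourceIpGroups": [],
     "destinationAddresses": [SUPERNET]},
    {"name": "spoke-mixed", "sourceIpGroups": [],
     "destinationAddresses": ["10.0.100.0/24", "0.0.0.0/0"]},
]


def escapes_supernet(address, supernet):
    """Return True if `address` can match a destination outside `supernet`."""
    address = address.strip()
    if address == "*":
        return True
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        # Not a CIDR or single IP (for example a tag or a range): it cannot
        # be proven to sit inside the supernet, so report it for review.
        return True
    if net.version != supernet.version:
        return True
    return not net.subnet_of(supernet)


def overly_broad_rules(rules, supernet_cidr):
    """Map rule name -> destination entries that reach beyond the supernet."""
    supernet = ipaddress.ip_network(supernet_cidr)
    findings = {}
    for rule in rules:
        outside = [a for a in rule.get("destinationAddresses", [])
                   if escapes_supernet(a, supernet)]
        if outside:
            findings[rule["name"]] = outside
    return findings


if __name__ == "__main__":
    for name, outside in overly_broad_rules(RULES, SUPERNET).items():
        print(f"{name}: destinations outside {SUPERNET}: {outside}")
```

Run against the compiled template's rule list in CI, a non-empty result fails the build before a wildcard destination reaches a deployed firewall.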
