Conversation

@mrWinston
Collaborator

@mrWinston mrWinston commented Sep 22, 2025

Which issue this PR addresses:

Fixes: https://issues.redhat.com/browse/ARO-21136

What this PR does / why we need it:

  • Add Network Security Perimeters to CosmosDBs, Keyvaults and StorageAccounts having public access enabled
  • required by security wave 5
  • NSPs are in "Learning" mode, meaning they don't perform any filtering but enable us to monitor connections to these resources
  • update armnetwork to v7 for some files for the nsp support

Resources affected:

  • aro--gwy
  • aro--por
  • aro--svc
  • aro--cls
  • aro--cosmosdb

Test plan for issue:

  • Deploy and Test in Int
  • [ ] Deploy and Test in Canary. Canary deployment will be run together with the associated sdp-pipelines and ARO-Pipelines release.

@mrWinston mrWinston changed the title [ARO-20791] add network security perimeter to some resources [ARO-21136] add network security perimeter to some resources Sep 22, 2025
@github-actions github-actions bot added the needs-rebase branch needs a rebase label Oct 1, 2025
@github-actions

github-actions bot commented Oct 1, 2025

Please rebase pull request.

@aasserzo
Collaborator

aasserzo commented Oct 8, 2025

LGTM

@mociarain
Member

How did you validate these in INT? Do they result in something in the portal we can see?

@mrWinston
Collaborator Author

> How did you validate these in INT? Do they result in something in the portal we can see?

I validated it by running the RP deployment in int and then checking the int subscription to see if the NSPs were created and if the resources had been assigned correctly, which they were. Additionally, the compliance dashboard showed the associated alerts as being resolved.

@mociarain
Member

I think you can just push an empty commit to make this check run.

git commit --amend --no-edit;
git push --force-with-lease

return &arm.Resource{
Resource: &armnetwork.NspAssociation{
Properties: &armnetwork.NspAssociationProperties{
AccessMode: pointerutils.ToPtr(armnetwork.AssociationAccessModeLearning),
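Review bot: AccessMode is fixed to AssociationAccessModeLearning here, and the PR description states that Learning mode performs no filtering, so this association only records connections and does not restrict public access to the associated Cosmos DB, Key Vault or storage account. Worth saying so in a comment next to the field, or in the function's doc comment, so a later reader does not take the presence of an NSP association as evidence that the resource is locked down, and so that a move to an enforcing mode is a deliberate change rather than a one-constant edit nobody notices.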
Collaborator

@alcasim alcasim Oct 15, 2025


minor: if some day we want to move this to enforce or audit... would it be worth having it as a func parameter? I like how clean it looks right now, so it's not a deal breaker.

}
}

// networkSecurityPerimeterProfile creates a new nsp profile with the hardcoded name `default`.
Collaborator


Reading the code, this func creates a resource with name nspname/default, which is not exactly "hardcoded default".

cosmosNSPProfile := g.networkSecurityPerimeterProfile("cosmos-nsp")
cosmosNSPAssociation := g.networkSecurityPerimeterAssociation("cosmos-nsp", "cosmos-nsp-association", "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]")

rs = append(rs, cosmosNSP, cosmosNSPProfile, cosmosNSPAssociation)
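Review bot: the association is appended after the perimeter and the profile, but ordering in the resource slice does not order the ARM deployment; if networkSecurityPerimeterAssociation does not already set dependsOn on the "cosmos-nsp" perimeter and its profile, the association can be deployed before they exist and fail, so it is worth confirming the helper emits those dependencies (the profile name passed here, "cosmos-nsp", is the perimeter name, with the profile itself created as nspname/default per the doc comment above).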
Collaborator


According to this https://learn.microsoft.com/en-us/azure/private-link/network-security-perimeter-concepts#onboarded-private-link-resources Cosmos DB is not GA, but on "Public Preview"... will it work in all of our regions?


5 participants