Merge pull request #1781 from craddm/update-network-rules

jemrobinson · web-flow · commit 64eea3d6c6fb · 2024-04-15T11:54:35.000+01:00
Update firewall rules to parity with 4.2.0
diff --git a/data_safe_haven/infrastructure/stacks/shm/firewall.py b/data_safe_haven/infrastructure/stacks/shm/firewall.py
@@ -115,96 +115,14 @@ def __init__(
                             ],
                             source_addresses=[props.subnet_identity_servers_iprange],
                             target_fqdns=[
+                                "*.blob.core.windows.net",
+                                "*.servicebus.windows.net",
                                 "aadconnecthealth.azure.com",
-                                "adhsprodncuaadsynciadata.blob.core.windows.net",
-                                "adhsprodwcuaadsynciadata.blob.core.windows.net",
-                                "adhsprodweuaadsynciadata.blob.core.windows.net",
-                                "adhsprodweuehsyncia.servicebus.windows.net",
-                                "adhsprodwusaadsynciadata.blob.core.windows.net",
-                                "adhssyncprodpksweu.servicebus.windows.net",
                                 "adminwebservice.microsoftonline.com",
-                                "pksproddatastoreeus101.blob.core.windows.net",
-                                "pksproddatastoreeus102.blob.core.windows.net",
-                                "pksproddatastoreeus103.blob.core.windows.net",
-                                "pksproddatastoreeus104.blob.core.windows.net",
-                                "pksproddatastoreeus105.blob.core.windows.net",
-                                "pksproddatastoreeus106.blob.core.windows.net",
-                                "pksproddatastoreeus107.blob.core.windows.net",
-                                "pksproddatastoreeus108.blob.core.windows.net",
-                                "pksproddatastoreeus109.blob.core.windows.net",
-                                "pksproddatastoreeus111.blob.core.windows.net",
-                                "pksproddatastoreeus112.blob.core.windows.net",
-                                "pksproddatastoreeus113.blob.core.windows.net",
-                                "pksproddatastoreeus114.blob.core.windows.net",
-                                "pksproddatastoreeus115.blob.core.windows.net",
-                                "pksproddatastoreeus116.blob.core.windows.net",
-                                "pksproddatastoreeus117.blob.core.windows.net",
-                                "pksproddatastoreeus118.blob.core.windows.net",
-                                "pksproddatastoreeus119.blob.core.windows.net",
-                                "pksproddatastoreeus120.blob.core.windows.net",
-                                "pksproddatastorencu101.blob.core.windows.net",
-                                "pksproddatastorencu102.blob.core.windows.net",
-                                "pksproddatastorencu103.blob.core.windows.net",
-                                "pksproddatastorencu104.blob.core.windows.net",
-                                "pksproddatastoreneu101.blob.core.windows.net",
-                                "pksproddatastoreneu102.blob.core.windows.net",
-                                "pksproddatastoreneu103.blob.core.windows.net",
-                                "pksproddatastoreneu104.blob.core.windows.net",
-                                "pksproddatastoreneu105.blob.core.windows.net",
-                                "pksproddatastoreneu106.blob.core.windows.net",
-                                "pksproddatastoreneu107.blob.core.windows.net",
-                                "pksproddatastoreneu108.blob.core.windows.net",
-                                "pksproddatastoreneu109.blob.core.windows.net",
-                                "pksproddatastoreneu110.blob.core.windows.net",
-                                "pksproddatastoreneu111.blob.core.windows.net",
-                                "pksproddatastoreneu112.blob.core.windows.net",
-                                "pksproddatastoreneu113.blob.core.windows.net",
-                                "pksproddatastoreneu114.blob.core.windows.net",
-                                "pksproddatastoreneu115.blob.core.windows.net",
-                                "pksproddatastoreneu116.blob.core.windows.net",
-                                "pksproddatastoreneu117.blob.core.windows.net",
-                                "pksproddatastoreneu118.blob.core.windows.net",
-                                "pksproddatastoreneu119.blob.core.windows.net",
-                                "pksproddatastoreneu120.blob.core.windows.net",
-                                "pksproddatastoreweu101.blob.core.windows.net",
-                                "pksproddatastoreweu102.blob.core.windows.net",
-                                "pksproddatastoreweu103.blob.core.windows.net",
-                                "pksproddatastoreweu104.blob.core.windows.net",
-                                "pksproddatastoreweu105.blob.core.windows.net",
-                                "pksproddatastoreweu106.blob.core.windows.net",
-                                "pksproddatastoreweu107.blob.core.windows.net",
-                                "pksproddatastoreweu108.blob.core.windows.net",
-                                "pksproddatastoreweu109.blob.core.windows.net",
-                                "pksproddatastoreweu110.blob.core.windows.net",
-                                "pksproddatastoreweu111.blob.core.windows.net",
-                                "pksproddatastoreweu112.blob.core.windows.net",
-                                "pksproddatastoreweu113.blob.core.windows.net",
-                                "pksproddatastoreweu114.blob.core.windows.net",
-                                "pksproddatastoreweu115.blob.core.windows.net",
-                                "pksproddatastoreweu116.blob.core.windows.net",
-                                "pksproddatastoreweu117.blob.core.windows.net",
-                                "pksproddatastoreweu118.blob.core.windows.net",
-                                "pksproddatastoreweu119.blob.core.windows.net",
-                                "pksproddatastoreweu120.blob.core.windows.net",
-                                "pksproddatastorewus101.blob.core.windows.net",
-                                "pksproddatastorewus102.blob.core.windows.net",
-                                "pksproddatastorewus103.blob.core.windows.net",
-                                "pksproddatastorewus104.blob.core.windows.net",
-                                "pksproddatastorewus105.blob.core.windows.net",
-                                "pksproddatastorewus106.blob.core.windows.net",
-                                "pksproddatastorewus107.blob.core.windows.net",
-                                "pksproddatastorewus108.blob.core.windows.net",
-                                "pksproddatastorewus109.blob.core.windows.net",
-                                "pksproddatastorewus111.blob.core.windows.net",
-                                "pksproddatastorewus112.blob.core.windows.net",
-                                "pksproddatastorewus113.blob.core.windows.net",
-                                "pksproddatastorewus114.blob.core.windows.net",
-                                "pksproddatastorewus115.blob.core.windows.net",
-                                "pksproddatastorewus116.blob.core.windows.net",
-                                "pksproddatastorewus117.blob.core.windows.net",
-                                "pksproddatastorewus118.blob.core.windows.net",
-                                "pksproddatastorewus119.blob.core.windows.net",
-                                "pksproddatastorewus120.blob.core.windows.net",
+                                "s1.adhybridhealth.azure.com",
+                                "umwatson.events.data.microsoft.com",
+                                "v10.events.data.microsoft.com",
+                                "v20.events.data.microsoft.com",
                             ],
                         ),
                         network.AzureFirewallApplicationRuleArgs(
@@ -219,16 +137,8 @@ def __init__(
                             source_addresses=[props.subnet_identity_servers_iprange],
                             target_fqdns=[
                                 "*-sb.servicebus.windows.net",
+                                "*.servicebus.windows.net",
                                 "passwordreset.microsoftonline.com",
-                                "ssprdedicatedsbprodeus2-1.servicebus.windows.net",
-                                "ssprdedicatedsbprodfra-1.servicebus.windows.net",
-                                "ssprdedicatedsbprodncu-2.servicebus.windows.net",
-                                "ssprdedicatedsbprodncu.servicebus.windows.net",
-                                "ssprdedicatedsbprodneu.servicebus.windows.net",
-                                "ssprdedicatedsbprodscu-2.servicebus.windows.net",
-                                "ssprdedicatedsbprodscu.servicebus.windows.net",
-                                "ssprdedicatedsbprodsea-1.servicebus.windows.net",
-                                "ssprdedicatedsbprodweu.servicebus.windows.net",
                             ],
                         ),
                         network.AzureFirewallApplicationRuleArgs(
@@ -245,7 +155,6 @@ def __init__(
                                 "s1.adhybridhealth.azure.com",
                                 "management.azure.com",
                                 "policykeyservice.dc.ad.msft.net",
-                                "provisioningapi.microsoftonline.com",
                                 "www.office.com",
                             ],
                         ),
@@ -404,29 +313,12 @@ def __init__(
                             description="Allow external Azure Automation requests",
                             name="AllowExternalAzureAutomationOperations",
                             protocols=[
-                                network.AzureFirewallApplicationRuleProtocolArgs(
-                                    port=443,
-                                    protocol_type="Https",
-                                )
+                                network.AzureFirewallNetworkRuleProtocol.TCP,
+                                network.AzureFirewallNetworkRuleProtocol.UDP,
                             ],
                             source_addresses=["*"],
                             target_fqdns=[
-                                "ac-jobruntimedata-prod-su1.azure-automation.net",
-                                "ae-jobruntimedata-prod-su1.azure-automation.net",
-                                "ase-jobruntimedata-prod-su1.azure-automation.net",
-                                "cc-jobruntimedata-prod-su1.azure-automation.net",
-                                "cid-jobruntimedata-prod-su1.azure-automation.net",
-                                "eus2-jobruntimedata-prod-su1.azure-automation.net",
-                                "jpe-jobruntimedata-prod-su1.azure-automation.net",
-                                "ne-jobruntimedata-prod-su1.azure-automation.net",
-                                "scus-jobruntimedata-prod-su1.azure-automation.net",
-                                "sea-jobruntimedata-prod-su1.azure-automation.net",
-                                "stzn-jobruntimedata-prod-su1.azure-automation.net",
-                                "uks-jobruntimedata-prod-su1.azure-automation.net",
-                                "usge-jobruntimedata-prod-su1.azure-automation.us",
-                                "wcus-jobruntimedata-prod-su1.azure-automation.net",
-                                "we-jobruntimedata-prod-su1.azure-automation.net",
-                                "wus2-jobruntimedata-prod-su1.azure-automation.net",
+                                "GuestAndHybridManagement",
                             ],
                         ),
                         network.AzureFirewallApplicationRuleArgs(
@@ -463,12 +355,18 @@ def __init__(
                             ],
                             source_addresses=[props.subnet_update_servers_iprange],
                             target_fqdns=[
+                                # "apt.postgresql.org",
                                 "archive.ubuntu.com",
                                 "azure.archive.ubuntu.com",
                                 "changelogs.ubuntu.com",
                                 "cloudapp.azure.com",  # this is where azure.archive.ubuntu.com is hosted
+                                # "d20rj4el6vkp4c.cloudfront.net",
+                                # "dbeaver.io",
+                                # "packages.gitlab.com",
                                 "packages.microsoft.com",
+                                # "qgis.org",
                                 "security.ubuntu.com",
+                                # "ubuntu.qgis.org"
                             ],
                         ),
                     ],
