
Task: Add Microsoft.Storage service endpoint for dev vnet

Open chuckbelisle opened this issue 3 years ago • 11 comments

FinOps team is working with KubeCost admin team to send AAW kubecost information from this subnet "aaw-dev-cc-00-snet-aks-cloud-main-system" to storage account "stnfindev01sa" that only allow certain vnets to access. In order to achieve that, we will need the Microsoft.Storage service endpoint to be added to the service endpoint collection of the source subnet "aaw-dev-cc-00-snet-aks-cloud-main-system".

source vnet: aaw-dev-cc-00-vnet-aks
source subnet: aaw-dev-cc-00-snet-aks-cloud-main-system

Thanks!

This was originally created in Jira for the CLOUD team, but Zach commented

seguzac (Seguin, Zachary - CWMD/DIMCT) added a comment - 2 days ago:
Only because I came across this... this should be done by the AAW team in the terraform project. It's already done for the other subnets in that VNET.

Since Collin is away on vacation for a little, I will see if I can have @vexingly or @cboin1996 make the required modification

chuckbelisle, Jun 27 '22 13:06

Required to complete https://github.com/StatCan/daaas/issues/894

vexingly, Jun 27 '22 17:06

So there is an existing network rule collection aks-system-to-cae-storage-accounts that is used for the other cae storage accounts (i.e. vdlprojectsprojets). It is my understanding that to do this the storage account was configured with a private endpoint, which we allowed access to via the network rule.

The storage account stnfindev01sa does not have a private endpoint; from the Jira it is suggested instead to add a rule for the Microsoft.Storage service endpoint, which all the storage accounts use by default?

If this is correct then we just need someone to provide the network values for the Microsoft.Storage service endpoint to add to our configuration...

vexingly, Jun 27 '22 18:06

@zachomedia we're looking for the network values for the following: Microsoft.Storage service endpoint

Thank you!

chuckbelisle, Jun 27 '22 19:06

The value is already there, you just need to include it. It's there for the other subnets:

For example, on the system subnet:

resource "azurerm_subnet" "aks_system" {
  name                 = "${var.prefix}-snet-aks-system"
  ...
  service_endpoints = local.service_endpoints
}

The service_endpoints value is not set on the aks_cloud_main_system subnet.

zachomedia, Jun 27 '22 19:06
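To show both halves of what the thread is configuring, here is an added example (not the AAW terraform network module's own code) of the pattern zachomedia describes: a shared `local.service_endpoints` list applied to the subnet, plus the storage account firewall that only admits traffic arriving through that service endpoint. Resource names, variables, the storage account name and the address range are assumptions.

```hcl
# Added illustrative example, not the aaw network module.
# Shows the subnet side and the storage-account side of a
# Microsoft.Storage service endpoint.

locals {
  # Same pattern as the thread: one list reused across subnets.
  service_endpoints = ["Microsoft.Storage"]
}

resource "azurerm_subnet" "aks_cloud_main_system" {
  name                 = "${var.prefix}-snet-aks-cloud-main-system" # assumed name
  resource_group_name  = var.resource_group_name
  virtual_network_name = azurerm_virtual_network.aks.name
  address_prefixes     = ["10.0.4.0/24"] # placeholder range

  # Without this line the subnet cannot be referenced by a
  # storage account network rule, which is the symptom in the issue.
  service_endpoints = local.service_endpoints
}

resource "azurerm_storage_account" "finops" {
  name                     = "stexampledev01sa" # placeholder, not stnfindev01sa
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  network_rules {
    # Closed by default; only the listed sources are admitted.
    default_action = "Deny"
    bypass         = ["AzureServices"]

    # Only traffic from this subnet, via the service endpoint, is allowed.
    # This fails to apply if the subnet lacks the Microsoft.Storage endpoint.
    virtual_network_subnet_ids = [azurerm_subnet.aks_cloud_main_system.id]
  }
}
```

After applying, the subnet's endpoint list can be confirmed with `az network vnet subnet show --resource-group <rg> --vnet-name <vnet> --name <subnet> --query serviceEndpoints`.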

Thanks @zachomedia I was not looking in the right place to find that! Do we have a network diagram somewhere to reference that shows all of these subnets and their connections?

vexingly, Jun 27 '22 21:06

@vexingly This is currently the only diagram available: https://github.com/StatCan/aaw-security-proposal/blob/master/02-azure.md

zachomedia, Jun 27 '22 21:06

@vexingly We finally decided to go with the private endpoint, which seems to work fine. Therefore I don't think the service endpoint is required anymore. Is it possible to remove it from the "aaw-dev-cc-00-snet-aks-cloud-main-system" subnet?

Thanks!

menmarc, Jul 12 '22 13:07

@menmarc PR to remove service endpoint is here https://gitlab.k8s.cloud.statcan.ca/cloudnative/aaw/modules/terraform-azure-statcan-aaw-network/-/merge_requests/15 - I will ask someone to merge it on the AAW side and update this issue once the change is merged.

Edit: I reverted the change here: https://gitlab.k8s.cloud.statcan.ca/cloudnative/aaw/modules/terraform-azure-statcan-aaw-network/-/tags/v0.3.10 - I'm going to close this issue as it appears no further action is required. Please re-open if anything is missing.

Collinbrown95, Jul 12 '22 13:07

Following discussion with @zachomedia, we're not allowed to use private endpoints, so we'll have to use a service endpoint. @Collinbrown95 can you apply the changes back? Thank you

menmarc, Jul 12 '22 19:07

It's not exactly accurate to say that we can't use private endpoints. Per the security proposal, https://github.com/StatCan/aaw-security-proposal/blob/master/02-azure.md#networking:

  • The subnets within the AKS VNET are for compute resources only
  • The data vnet is where private endpoints would go, however, per the note: "Note: The Data VNET / subnets are generally not needed as we can use Service Endpoints for managed databases and storage accounts." -> This aligns with the internal CTRC decision

If you need to use private endpoints, then it needs to go into a subnet in the data vnet and the data vnet will need to finish being configured. However, in this case, I don't think there is a need for private endpoints.

zachomedia, Jul 12 '22 19:07

@zachomedia thanks for the clarification. We'll require your assistance with the service endpoint as we don't know where the issue is. I'll add you to our Teams thread regarding this matter.

menmarc, Jul 12 '22 19:07