I need to list all of the publicly accessible GCP resources in my organisation for security enhancement. Is it possible to do it with the gcloud console? Mainly I need to list public resources for:
Storage
SQL
GKE
Firewall rules
if possible. Thanks.
Use Google Cloud Security Command Center. It detects and lists Cloud Storage buckets with public access, VMs and Cloud SQL instances with public IP and open firewall rules.
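As an added example (not from the original question or answer), here is a small Python check that takes the JSON from `gcloud compute firewall-rules list --format=json`, `gcloud sql instances list --format=json`, `gcloud container clusters list --format=json` and `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` and flags what is exposed to the internet. The field names are as I know those commands return them, and the sample records are constructed.

```python
import ipaddress

# Field names follow the JSON that the gcloud commands above emit (as I know
# them); the sample records at the bottom are constructed for this demo.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def bucket_public_roles(iam_policy):
    """Roles a bucket grants to allUsers / allAuthenticatedUsers."""
    return sorted(b["role"] for b in iam_policy.get("bindings", [])
                  if PUBLIC_PRINCIPALS & set(b.get("members", [])))

def sql_public_ips(instance):
    """Cloud SQL: a PRIMARY address is public; PRIVATE is VPC-internal."""
    return [a["ipAddress"] for a in instance.get("ipAddresses", [])
            if a.get("type") == "PRIMARY"]

def gke_public_endpoint(cluster):
    """GKE control plane is internet-reachable unless a private endpoint is set."""
    return not cluster.get("privateClusterConfig", {}).get("enablePrivateEndpoint", False)

def firewall_open_to_internet(rule):
    """Enabled INGRESS allow rule whose source range covers every address."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS" or not rule.get("allowed"):
        return False
    return any(ipaddress.ip_network(r, strict=False).prefixlen == 0
               for r in rule.get("sourceRanges", []))

def find_public_resources(firewall, sql, gke, bucket_policies):
    """One (kind, name, detail) tuple per resource exposed to the internet."""
    findings = [("storage", n, ",".join(r)) for n, p in bucket_policies.items()
                if (r := bucket_public_roles(p))]
    findings += [("sql", i["name"], ",".join(ips)) for i in sql if (ips := sql_public_ips(i))]
    findings += [("gke", c["name"], c.get("endpoint", "?")) for c in gke if gke_public_endpoint(c)]
    findings += [("firewall", r["name"], ",".join(r["sourceRanges"]))
                 for r in firewall if firewall_open_to_internet(r)]
    return findings

# Constructed samples shaped like the gcloud JSON output (not real resources).
SAMPLE_FIREWALL = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]}]
SAMPLE_SQL = [{"name": "prod-db", "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.10"}]},
              {"name": "priv-db", "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.1.0.5"}]}]
SAMPLE_GKE = [{"name": "public-cluster", "endpoint": "203.0.113.20"},
              {"name": "private-cluster", "privateClusterConfig": {"enablePrivateEndpoint": True}}]
SAMPLE_BUCKETS = {"public-site": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
                  "internal-data": {"bindings": [{"role": "roles/storage.admin", "members": ["group:sec@example.com"]}]}}

if __name__ == "__main__":
    for kind, name, detail in find_public_resources(SAMPLE_FIREWALL, SAMPLE_SQL, SAMPLE_GKE, SAMPLE_BUCKETS):
        print(f"{kind:8} {name:20} {detail}")
```

Replace the sample lists with `json.load()` of the saved gcloud output per project to run it across an organisation; a GKE cluster with a public endpoint but master authorized networks still shows up, since the endpoint itself remains reachable.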
Right now we have multiple resources like storage accounts and key vaults where the team is using the firewall setting within the networking tab on the individual services. This means that when their IP changes after a disconnect/connect to the company VPN, they have to go into each service and add their new IP address.
Not being well versed in Azure networking possibilities, what are some of the options we have to allow a group of incoming IP addresses to access all these services without having to individually touch each service to add their new IP address?
All services are also on the same virtual network.
Thank you.
I used to work on Azure Cloud services as a DevOps engineer in the past.
There should be multiple ways to control incoming network traffic to your landing zone or Azure resources. But you should make sure the solution meets your requirements.
Here are a few that I have used which you could take a look at:
Virtual network service endpoints
Azure Firewall
Network Security Groups
ExpressRoute
Until now I assumed that the traffic flowing between 2 Azure resources (say between an Azure VM and a Storage Account or a Key Vault) went through the internet if private and service endpoints are not configured. But today a colleague of mine shared an article which says that all the traffic between the Azure datacenters does not go through the internet; it stays on Microsoft's backbone network only. Link to the article - https://azure.microsoft.com/en-in/blog/how-microsoft-builds-its-fast-and-reliable-global-network/
Now there could be 2 things:
Either the article is now outdated (it is from 2017) and no longer true, and without any special configuration the traffic between 2 Azure resources flows through the internet, or,
The traffic indeed flows through Microsoft's network and not through the internet, but in that case, what's the benefit of a Private endpoint apart from the fact that we can assign a private IP to a PaaS service?
Any insights in this regard would be highly appreciated. Thanks in advance!
Yes, all the traffic between Azure services travels over the Microsoft backbone network.
This is documented here:
Yes, any traffic between data centers, within Microsoft Azure or between Microsoft services such as Virtual Machines, Microsoft 365, XBox, SQL DBs, Storage, and virtual networks are routed within our global network and never over the public Internet, to ensure optimal performance and integrity.
Service endpoints provide an extra layer of isolation and security, as per Microsoft Docs:
Network connections can only be initiated by clients connecting to the private endpoint. Service providers don't have routing configuration to create connections into service consumers. Connections can only be established in a single direction.
To understand private endpoints better, I would recommend reading more about Private Link Service as well.
The difference is that services with a Private Endpoint are not reachable from anywhere else but your VNet.
If you have a VM -> Storage without a private endpoint, the traffic will go over the MS network, but your storage endpoint is public (I can reach it from my laptop :) ).
If you place your storage in a VNet with private endpoints, then I need to be able to access the VNet in order to reach the storage endpoint.
I want to host a website with only HTML, CSS and JS files in the Azure cloud.
It seems like Azure Blob Static Website is a great option to host it for free if you have an Azure subscription.
Reference: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-static-website
My question here is:
Is there any way to restrict the public IP addresses which can access the endpoint of the Azure Blob hosted Website?
Many of the Azure services provide this feature of IP filtering, but I did not find any way to do it for the above scenario.
Please guide me.
In the storage account, go to Settings → Firewalls and Virtual Networks.
Select the Selected networks radio button and then configure the firewall to allow the selected IP address ranges.
I heard about the new update on Azure SQL DB that it can be connected to a VNet, but I can't find any blogs on this new information.
Can someone shed some light on this?
Now, it is supported. Please refer to this blog.
Azure SQL Database will allow you to set firewall rules for specific public IPs, and will give you the option of allowing all Azure Services' IPs to connect to your Servers. If you're looking for finer grained connectivity limitations, you would have to provision a Static Public IP, which can be hard to manage and costly when done at scale. Virtual Network service endpoints will allow you to limit connectivity to your Azure SQL Database Servers from given subnets within a Virtual Network.
You could do it in the Azure Portal. Please refer to this link.
I have created a Virtual Network; when deploying a VM in it, it's unavailable from the Internet and available when I connect via VPN (and that's what it's supposed to do).
But when I deploy a Cloud Service (and the Cloud Service is correctly deployed in the Virtual Network, as I can see it in the VN resources list), it's still available from the Internet.
How can I secure access to a Cloud Service? I don't want it to be accessible by everyone, just via VPN and from dedicated IPs.
Finally, I found that by default Cloud Services have endpoints configured. By adding ACLs to them (http://blogs.msdn.com/b/walterm/archive/2014/04/22/windows-azure-paas-acls-are-here.aspx) I can isolate them into the Virtual Network.
If you do not want the cloud service to be accessible from the Internet, the better way to protect it is to remove the endpoints. If you want to ACL the instances at the Virtual Network/Subnet level, consider using this article.