All all ports in/out inside compute subnet (#1876)

Azure · Mar 5, 2024 · 6419674 · 6419674
1 parent e07d67b
commit 6419674
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 8 deletions.
diff --git a/bicep/azhop.bicep b/bicep/azhop.bicep
@@ -495,15 +495,17 @@ var config = {
       AllowSshFromJumpboxIn       : ['320', 'Inbound', 'Allow', 'Tcp', 'Ssh', 'asg', 'asg-jumpbox', 'asg', 'asg-ssh']
       AllowSshFromComputeIn       : ['330', 'Inbound', 'Allow', 'Tcp', 'Ssh', 'subnet', 'compute', 'asg', 'asg-ssh']
       AllowSshToComputeIn         : ['360', 'Inbound', 'Allow', 'Tcp', 'Ssh', 'asg', 'asg-ssh', 'subnet', 'compute']
-      AllowSshComputeComputeIn    : ['365', 'Inbound', 'Allow', 'Tcp', 'Ssh', 'subnet', 'compute', 'subnet', 'compute']
+
+      // All communications inside compute subnet
+      AllowAllComputeComputeIn    : ['365', 'Inbound', 'Allow', 'Tcp', 'All', 'subnet', 'compute', 'subnet', 'compute']
 
       // Scheduler
       AllowSchedIn                : ['369', 'Inbound', 'Allow', '*', 'Shed', 'asg', 'asg-sched', 'asg', 'asg-sched']
 //      AllowPbsClientIn            : ['370', 'Inbound', 'Allow', '*', 'Pbs', 'asg', 'asg-pbs-client', 'asg', 'asg-pbs']
       AllowSchedComputeIn         : ['380', 'Inbound', 'Allow', '*', 'Shed', 'asg', 'asg-sched', 'subnet', 'compute']
 //      AllowComputePbsClientIn     : ['390', 'Inbound', 'Allow', '*', 'Pbs', 'subnet', 'compute', 'asg', 'asg-pbs-client']
       AllowComputeSchedIn         : ['400', 'Inbound', 'Allow', '*', 'Shed', 'subnet', 'compute', 'asg', 'asg-sched']
-      AllowComputeComputeSchedIn  : ['401', 'Inbound', 'Allow', '*', 'Shed', 'subnet', 'compute', 'subnet', 'compute']
+//      AllowComputeComputeSchedIn  : ['401', 'Inbound', 'Allow', '*', 'Shed', 'subnet', 'compute', 'subnet', 'compute']
 
       // CycleCloud
       AllowCycleClientIn          : ['450', 'Inbound', 'Allow', 'Tcp', 'CycleCloud', 'asg', 'asg-cyclecloud-client', 'asg', 'asg-cyclecloud']
@@ -528,13 +530,15 @@ var config = {
       AllowSchedComputeOut        : ['360', 'Outbound', 'Allow', '*', 'Shed', 'asg', 'asg-sched', 'subnet', 'compute']
       AllowComputeSchedOut        : ['370', 'Outbound', 'Allow', '*', 'Shed', 'subnet', 'compute', 'asg', 'asg-sched']
       //AllowComputePbsClientOut    : ['380', 'Outbound', 'Allow', '*', 'Pbs', 'subnet', 'compute', 'asg', 'asg-pbs-client']
-      AllowComputeComputeSchedOut : ['381', 'Outbound', 'Allow', '*', 'Shed', 'subnet', 'compute', 'subnet', 'compute']
+//      AllowComputeComputeSchedOut : ['381', 'Outbound', 'Allow', '*', 'Shed', 'subnet', 'compute', 'subnet', 'compute']
 
       // SSH internal rules
       AllowSshFromJumpboxOut      : ['490', 'Outbound', 'Allow', 'Tcp', 'Ssh', 'asg', 'asg-jumpbox', 'asg', 'asg-ssh']
       AllowSshComputeOut          : ['500', 'Outbound', 'Allow', 'Tcp', 'Ssh', 'asg', 'asg-ssh', 'subnet', 'compute']
       AllowSshFromComputeOut      : ['530', 'Outbound', 'Allow', 'Tcp', 'Ssh', 'subnet', 'compute', 'asg', 'asg-ssh']
-      AllowSshComputeComputeOut   : ['540', 'Outbound', 'Allow', 'Tcp', 'Ssh', 'subnet', 'compute', 'subnet', 'compute']
+
+      // All communications inside compute subnet
+      AllowAllComputeComputeOut   : ['540', 'Outbound', 'Allow', 'Tcp', 'All', 'subnet', 'compute', 'subnet', 'compute']
 
       // Admin and Deployment
       AllowDnsOut                 : ['590', 'Outbound', 'Allow', '*', 'Dns', 'tag', 'VirtualNetwork', 'tag', 'VirtualNetwork']

diff --git a/tf/variables_local.tf b/tf/variables_local.tf
@@ -430,15 +430,15 @@ locals {
         AllowSshFromDeployerIn      = ["340", "Inbound", "Allow", "Tcp", "Ssh",                "asg/asg-deployer",  "asg/asg-ssh"], # Only in a deployer VM scenario
         AllowDeployerToPackerSshIn  = ["350", "Inbound", "Allow", "Tcp", "Ssh",                "asg/asg-deployer",  "subnet/admin"], # Only in a deployer VM scenario
         AllowSshToComputeIn         = ["360", "Inbound", "Allow", "Tcp", "Ssh",                "asg/asg-ssh",       "subnet/compute"],
-        AllowSshComputeComputeIn    = ["365", "Inbound", "Allow", "Tcp", "Ssh",                "subnet/compute",    "subnet/compute"],
+        AllowAllComputeComputeIn    = ["365", "Inbound", "Allow", "Tcp", "All",                "subnet/compute",    "subnet/compute"],
 
         # Scheduler
         AllowSchedIn                = ["369", "Inbound", "Allow", "*",   "Sched",                "asg/asg-sched",      "asg/asg-sched"],
         #AllowPbsClientIn            = ["370", "Inbound", "Allow", "*",   "Sched",                "asg/asg-pbs-client", "asg/asg-pbs"],
         AllowSchedComputeIn         = ["380", "Inbound", "Allow", "*",   "Sched",                "asg/asg-sched",      "subnet/compute"],
         #AllowComputePbsClientIn     = ["390", "Inbound", "Allow", "*",   "Sched",                "subnet/compute",     "asg/asg-pbs-client"],
         AllowComputeSchedIn         = ["400", "Inbound", "Allow", "*",   "Sched",                "subnet/compute",     "asg/asg-sched"],
-        AllowComputeComputeSchedIn  = ["401", "Inbound", "Allow", "*",   "Sched",                "subnet/compute",     "subnet/compute"],
+        #AllowComputeComputeSchedIn  = ["401", "Inbound", "Allow", "*",   "Sched",                "subnet/compute",     "subnet/compute"],
 
         # CycleCloud
         AllowCycleClientIn          = ["450", "Inbound", "Allow", "Tcp", "CycleCloud",         "asg/asg-cyclecloud-client", "asg/asg-cyclecloud"],
@@ -469,15 +469,15 @@ locals {
         AllowSchedComputeOut        = ["360", "Outbound", "Allow", "*",   "Sched",                "asg/asg-sched",      "subnet/compute"],
         AllowComputeSchedOut        = ["370", "Outbound", "Allow", "*",   "Sched",                "subnet/compute",     "asg/asg-sched"],
         #AllowComputePbsClientOut    = ["380", "Outbound", "Allow", "*",   "Sched",                "subnet/compute",     "asg/asg-pbs-client"],
-        AllowComputeComputeSchedOut = ["381", "Outbound", "Allow", "*",   "Sched",                "subnet/compute",     "subnet/compute"],
+        #AllowComputeComputeSchedOut = ["381", "Outbound", "Allow", "*",   "Sched",                "subnet/compute",     "subnet/compute"],
 
         # SSH internal rules
         AllowSshFromJumpboxOut      = ["490", "Outbound", "Allow", "Tcp", "Ssh",                "asg/asg-jumpbox",          "asg/asg-ssh"],
         AllowSshComputeOut          = ["500", "Outbound", "Allow", "Tcp", "Ssh",                "asg/asg-ssh",              "subnet/compute"],
         AllowSshDeployerOut         = ["510", "Outbound", "Allow", "Tcp", "Ssh",                "asg/asg-deployer",         "asg/asg-ssh"],
         AllowSshDeployerPackerOut   = ["520", "Outbound", "Allow", "Tcp", "Ssh",                "asg/asg-deployer",         "subnet/admin"],
         AllowSshFromComputeOut      = ["530", "Outbound", "Allow", "Tcp", "Ssh",                "subnet/compute",           "asg/asg-ssh"],
-        AllowSshComputeComputeOut   = ["540", "Outbound", "Allow", "Tcp", "Ssh",                "subnet/compute",           "subnet/compute"],
+        AllowAllComputeComputeOut   = ["540", "Outbound", "Allow", "Tcp", "All",                "subnet/compute",           "subnet/compute"],
 
         # Admin and Deployment
         AllowDnsOut                 = ["590", "Outbound", "Allow", "*",   "Dns",                "tag/VirtualNetwork",       "tag/VirtualNetwork"],