docs: Move Cloud Firewall config into Cloud Folder #556
Conversation
✅ Deploy Preview for seqera-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
…egorize egress and ingress IPs
|
We need to update the IP addresses listed in the documentation. I'm also wondering if it makes sense to include them there at all. Additionally, we should add a list of the services that sit behind those IPs for better clarity. At the moment, the documentation focuses only on the Enterprise offering, but there are scenarios where Cloud customers also need access to this information, so we may want to expand the scope accordingly. On a related note, we've recently updated meta.seqera.io to display both ingress and egress IPs, which should make it easier to surface and maintain this information. I updated this PR to show the correct IPs, which should look like below. |
There was a problem hiding this comment.
Seqera Cloud requires no inbound connectivity to their environment.
I'm not sure that's correct; take the case of customers who are using the wave service with mirror and/or freeze functionalities, they'd need to allowlist our egress IPs in order for wave to store images in their Container Registry of choice, or for Fusion to call home, etc
|
|
||
| ### Fusion and other Enterprise plugins | ||
|
|
||
| [Fusion file system](../../supported_software/fusion/overview.md) and other Seqera Enterprise plugins have built-in licence checking built-in. As such, you must also allow network traffic from the your Seqera compute environment executing Nextflow jobs. |
There was a problem hiding this comment.
| [Fusion file system](../../supported_software/fusion/overview.md) and other Seqera Enterprise plugins have built-in licence checking built-in. As such, you must also allow network traffic from the your Seqera compute environment executing Nextflow jobs. | |
| [Fusion file system](../../supported_software/fusion/overview.md) and other Seqera Enterprise plugins have built-in license checking. As such, you must also allow network traffic from your Seqera compute environment executing Nextflow jobs. |
There was a problem hiding this comment.
Which service is validating fusion licenses? Is it license manager? We should specify that customers should allowlist our ingress IPs then
|
|
||
| ### Studios | ||
|
|
||
| See [Studios deployment](../studios.md) for details on the Seqera-hosted URLs, and internal subdomains of your Platform instance host domain, that must be allowed for ingress and egress traffic. |
There was a problem hiding this comment.
| See [Studios deployment](../studios.md) for details on the Seqera-hosted URLs, and internal subdomains of your Platform instance host domain, that must be allowed for ingress and egress traffic. | |
| See [Studios deployment](../studios.md) for details on the Seqera-hosted URLs and internal subdomains of your Platform instance host domain, which must be allowed for ingress and egress traffic. |
|
|
||
| ### Wave | ||
|
|
||
| To use Seqera Cloud-hosted [Wave](https://docs.seqera.io/wave) with the Mirror or Freeze functionality, which requires Wave to store built containers within your container registry, you must to ensure that the wave-build VPC is allowed to push to your container registry. For most cloud providers, this requires additional configuration to lock down, but is generally allowed by default. |
There was a problem hiding this comment.
| To use Seqera Cloud-hosted [Wave](https://docs.seqera.io/wave) with the Mirror or Freeze functionality, which requires Wave to store built containers within your container registry, you must to ensure that the wave-build VPC is allowed to push to your container registry. For most cloud providers, this requires additional configuration to lock down, but is generally allowed by default. | |
| To use Seqera Cloud-hosted [Wave](https://docs.seqera.io/wave) with the Mirror or Freeze functionality, which requires Wave to store built containers within your container registry, you must ensure that the wave-build VPC is allowed to push to your container registry. For most cloud providers, this is generally permitted by default; you may contact your network administrators to verify whether additional firewall rules have been defined. |
| Your Seqera Enterprise must be allowed to communicate with licences.seqera.io on port 443. The IP addresses for this service are: | ||
| - 35.179.197.5/32 | ||
| - 18.175.79.222/32 | ||
| - 3.11.38.17/32 |
There was a problem hiding this comment.
here we should just reference meta.seqera.io and specify that administrators should allowlist the ingress IPs
| Ensure your Enterprise instance can communicate with the following Seqera-hosted Wave service IP addresses on port 443: | ||
|
|
||
| - 18.135.7.45/32 | ||
| - 18.169.21.18/32 | ||
| - 18.171.4.252/32 |
There was a problem hiding this comment.
here we should just reference meta.seqera.io and specify that administrators should allowlist the egress IPs
|
|
||
| ### Restricting outbound traffic | ||
|
|
||
| To restrict outbound traffic from your Enterprise installation, you must allow access to Seqera assets hosted on Cloudflare, Nextflow assets hosted on Github artifacts, and any code hosting solutions or third party dependancies you require, such as Github, Gitlab, or Artifactory. |
There was a problem hiding this comment.
| To restrict outbound traffic from your Enterprise installation, you must allow access to Seqera assets hosted on Cloudflare, Nextflow assets hosted on Github artifacts, and any code hosting solutions or third party dependancies you require, such as Github, Gitlab, or Artifactory. | |
| To restrict outbound traffic from your Enterprise installation, you must allow access to Seqera assets hosted on Cloudflare, Nextflow assets hosted on GitHub artifacts, and any code hosting solutions or third-party dependencies you require, such as GitHub, GitLab, or Artifactory. |
There was a problem hiding this comment.
It's not clear to me which assets we're referring to, and we're not specifying IPs/DNS entries to allowlist
Also, the wording isn't really clear in general
| $ python3 | ||
| >>> import requests | ||
| >>> requests.get("https://meta.seqera.io").json() | ||
| { | ||
| "egress": [ | ||
| "18.169.21.18/32", | ||
| "18.135.7.45/32", | ||
| "18.171.4.252/32" | ||
| ], | ||
| "ingress": [ | ||
| "35.179.197.5/32", | ||
| "3.11.38.17/32", | ||
| "18.175.79.222/32" | ||
| ] | ||
| } |
There was a problem hiding this comment.
shall we drop the actual IPs and just show the python code? this avoids spreading IPs that would then need to be updated
people should get the most up-to-date IPs from the meta endpoint
| $ python3 | |
| >>> import requests | |
| >>> requests.get("https://meta.seqera.io").json() | |
| { | |
| "egress": [ | |
| "18.169.21.18/32", | |
| "18.135.7.45/32", | |
| "18.171.4.252/32" | |
| ], | |
| "ingress": [ | |
| "35.179.197.5/32", | |
| "3.11.38.17/32", | |
| "18.175.79.222/32" | |
| ] | |
| } | |
| $ python3 | |
| >>> import requests | |
| >>> requests.get("https://meta.seqera.io").json() |
There was a problem hiding this comment.
I'd also change the endpoint customers should hit to https://meta.seqera.io/v3, so they'll subscribe to a specific version of our list of IPs (we don't list specific services anymore and we now also provide ingress IPs, since we set up a Network Load Balancer in front of our Application Load Balancer)
| @@ -5,6 +5,37 @@ date: "21 Apr 2023" | |||
| tags: [networking, configuration] | |||
| --- | |||
|
|
|||
| To self-host your installation of Seqera Platform Enterprise, a number of inbound and outbound connections must be allowed within and external to your environment. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment. | |||
There was a problem hiding this comment.
| To self-host your installation of Seqera Platform Enterprise, a number of inbound and outbound connections must be allowed within and external to your environment. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment. | |
| To self-host your installation of Seqera Platform Enterprise, a number of inbound and outbound connections must be allowed on your firewall. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment. |
|
|
||
| Seqera Platform Cloud ([cloud.seqera.io](https://cloud.seqera.io)) may need to connect to resources within your network, e.g., your storage server. To do so, your firewall must be configured to allow certain IPs to reach your resources. | ||
|
|
||
| A dynamic list of IPs is kept up-to-date at https://meta.seqera.io. |
There was a problem hiding this comment.
| A dynamic list of IPs is kept up-to-date at https://meta.seqera.io. | |
| A dynamic list of IPs is kept up-to-date at https://meta.seqera.io/v3. |
let's make customers subscribe to a specific version
if in the future we'll rework the meta endpoint to use a new formatting we'll create a new version (this won't be the case for a simple IP update)
Currently the network configuration requirements for Cloud are within the Enterprise section as such these have been moved to the Cloud under
enterprise/advanced-topics/firewall-configuration.mdThe original content can be viewed at https://docs.seqera.io/platform-enterprise/25.1/enterprise/advanced-topics/firewall-configuration
Further to that for Enterprise customers self-hosting their own installation
licences.seqera.ioon port 443 the ip addresses for this areEnterprise Plugins & Fusion
Seqera Enterprise plugins & fusion have licence checking built-in as such it's not sufficient to only allow outbound traffic to port 443 from the Seqera Enterprise installation , they will also have to allow network traffic from the Compute Environment executing the Nextflow jobs.
Wave
If the customer is using Seqera Cloud hosted Wave and they're using the Mirror or Freeze functionality which requires Wave to store built containers within their container registry then they will have to ensure that the wave-build VPC is allowed to push to their container registry, for most cloud providers this requires additional configuration to lock down as such it's not normally a problem.
These would be the following IP addresses on port 443
If the customer would like to restrict outbound traffic from their installation they would be responsible for ensuring they allow access to Seqera Assets hosted on Cloudflare along with Nextflow assets hosted on Github artifacts along with any code hosting solutions or third party dependancies they're using such as Github / Gitlab / Artifactory.
TODO