docs: Move Cloud Firewall config into Cloud Folder #556

Draft: wants to merge 5 commits into base: master
3 changes: 2 additions & 1 deletion platform-cloud/cloud-sidebar.json
Expand Up @@ -82,7 +82,8 @@
"label": "Advanced options",
"items":[
"enterprise/advanced-topics/manual-aws-batch-setup",
"enterprise/advanced-topics/manual-azure-batch-setup"
"enterprise/advanced-topics/manual-azure-batch-setup",
"enterprise/advanced-topics/firewall-configuration"
]
}
]
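Review bot: the new sidebar entry `"enterprise/advanced-topics/firewall-configuration"` keeps an `enterprise/advanced-topics/` doc id inside `platform-cloud/cloud-sidebar.json`, although the PR title moves the Cloud firewall page into the Cloud folder and the new page's front matter describes Seqera Cloud; confirm that this id resolves in the Cloud docs build, or point it at the page's location under the Cloud folder. The trailing-comma fix on the `manual-azure-batch-setup` line is correct.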
@@ -0,0 +1,71 @@
---
title: "Firewall configuration"
description: Configure your firewall to allow Seqera Cloud access
date: "12 Apr 2023"
tags: [firewall, configuration]
---

Seqera Platform Cloud ([cloud.seqera.io](https://cloud.seqera.io)) may need to connect to resources within your network, e.g., your storage server. To do so, your firewall must be configured to allow certain IPs to reach your resources.

A dynamic list of IPs is kept up-to-date at https://meta.seqera.io.
Member

Suggested change
A dynamic list of IPs is kept up-to-date at https://meta.seqera.io.
A dynamic list of IPs is kept up-to-date at https://meta.seqera.io/v3.

Let's make customers subscribe to a specific version.
If in the future we rework the meta endpoint to use a new formatting, we'll create a new version (this won't be the case for a simple IP update).


This endpoint returns a JSON object that can be parsed to dynamically adapt your firewall, e.g., in Python with the `requests` package:

```python
$ python3
>>> import requests
>>> requests.get("https://meta.seqera.io").json()
{
"egress": [
"18.169.21.18/32",
"18.135.7.45/32",
"18.171.4.252/32"
],
"ingress": [
"35.179.197.5/32",
"3.11.38.17/32",
"18.175.79.222/32"
]
}
Comment on lines +15 to +29
Member

Shall we drop the actual IPs and just show the Python code? This avoids spreading IPs that would then need to be updated.
People should get the most up-to-date IPs from the meta endpoint.

Suggested change
$ python3
>>> import requests
>>> requests.get("https://meta.seqera.io").json()
{
"egress": [
"18.169.21.18/32",
"18.135.7.45/32",
"18.171.4.252/32"
],
"ingress": [
"35.179.197.5/32",
"3.11.38.17/32",
"18.175.79.222/32"
]
}
$ python3
>>> import requests
>>> requests.get("https://meta.seqera.io").json()

Member

I'd also change the endpoint customers should hit to https://meta.seqera.io/v3, so they'll subscribe to a specific version of our list of IPs (we don't list specific services anymore and we now also provide ingress IPs, since we set up a Network Load Balancer in front of our Application Load Balancer).

```

### DNS allowlist

In order for you to access resources such as Fusion tarballs, `nf-xpack` files, Wave cloud containers and other services provided by Seqera, you'll need to add `*.seqera.io.cdn.cloudflare.net` to the allowlist in your network firewall. If DNS wildcards aren't supported by your firewall, you can use the following:

- `cloud.seqera.io`
- `api.cloud.seqera.io`
- `user-data.cloud.seqera.io`
- `tower.nf`
- `api.tower.nf`
- `connect.cloud.seqera.io` and its subdomains `*.connect.cloud.seqera.io`
- `hub.seqera.io`
- `intern.seqera.io`
- `wave.seqera.io`
- `community.wave.seqera.io`
- `cerbero.seqera.io`
- `public.cr.seqera.io`
- `auth.cr.seqera.io`
- `cr.seqera.io`
- `licenses.seqera.io`
- `api.multiqc.info`
- `fusionfs.seqera.io`
- `nf-xpack.seqera.io`
- `community-cr-prod.seqera.io`
- `fusionfs.seqera.io`
- `nf-xpack.seqera.io`
- `public-cr-prod.seqera.io`
- `wave-cache-prod-cloudflare.seqera.io`
- `fusionfs.seqera.io.cdn.cloudflare.net`
- `nf-xpack.seqera.io.cdn.cloudflare.net`
- `community-cr-prod.seqera.io.cdn.cloudflare.net`
- `fusionfs.seqera.io.cdn.cloudflare.net`
- `nf-xpack.seqera.io.cdn.cloudflare.net`
- `public-cr-prod.seqera.io.cdn.cloudflare.net`
- `wave-cache-prod-cloudflare.seqera.io.cdn.cloudflare.net`

If you choose to filter by specific DNS records, please note that new services may be added in the future.

:::note
If your allowlist is based on IP addresses, allow all of the following IP addresses: https://www.cloudflare.com/ips/.
:::
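Review bot: the DNS allowlist repeats four entries (`fusionfs.seqera.io`, `nf-xpack.seqera.io`, `fusionfs.seqera.io.cdn.cloudflare.net` and `nf-xpack.seqera.io.cdn.cloudflare.net` each appear twice); dedupe the list before merge. Two further points on this file: the `egress` and `ingress` keys in the meta.seqera.io response are named from Seqera's side, and the page opens with Seqera connecting to the customer's resources while later sections have the customer's instance connecting to Seqera on port 443, so state explicitly which list belongs in an inbound rule and which in an outbound rule; and the closing note that tells readers to allow every range at https://www.cloudflare.com/ips/ effectively opens egress to any origin fronted by Cloudflare, which deserves a sentence saying so and steering firewalls that support it to the hostname allowlist above. Finally, the ```python fence wraps a shell/REPL transcript (`$ python3`, `>>>`), so it cannot be pasted as a script; either tag it as a console session or show a plain script that reads the `egress` and `ingress` arrays.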
Expand Up @@ -5,6 +5,37 @@ date: "21 Apr 2023"
tags: [networking, configuration]
---

To self-host your installation of Seqera Platform Enterprise, a number of inbound and outbound connections must be allowed within and external to your environment. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment.
Member

Suggested change
To self-host your installation of Seqera Platform Enterprise, a number of inbound and outbound connections must be allowed within and external to your environment. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment.
To self-host your installation of Seqera Platform Enterprise, a number of inbound and outbound connections must be allowed on your firewall. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment.


## Firewall configuration

Your Seqera Enterprise must be allowed to communicate with licences.seqera.io on port 443. The IP addresses for this service are:
- 35.179.197.5/32
- 18.175.79.222/32
- 3.11.38.17/32
Comment on lines +12 to +15
Member

Here we should just reference meta.seqera.io and specify that administrators should allowlist the ingress IPs.


### Fusion and other Enterprise plugins

[Fusion file system](../../supported_software/fusion/overview.md) and other Seqera Enterprise plugins have built-in licence checking built-in. As such, you must also allow network traffic from the your Seqera compute environment executing Nextflow jobs.
Member

Suggested change
[Fusion file system](../../supported_software/fusion/overview.md) and other Seqera Enterprise plugins have built-in licence checking built-in. As such, you must also allow network traffic from the your Seqera compute environment executing Nextflow jobs.
[Fusion file system](../../supported_software/fusion/overview.md) and other Seqera Enterprise plugins have built-in license checking. As such, you must also allow network traffic from your Seqera compute environment executing Nextflow jobs.

Member

Which service is validating Fusion licenses? Is it license manager? We should specify that customers should allowlist our ingress IPs then.


### Studios

See [Studios deployment](../studios.md) for details on the Seqera-hosted URLs, and internal subdomains of your Platform instance host domain, that must be allowed for ingress and egress traffic.
Member

Suggested change
See [Studios deployment](../studios.md) for details on the Seqera-hosted URLs, and internal subdomains of your Platform instance host domain, that must be allowed for ingress and egress traffic.
See [Studios deployment](../studios.md) for details on the Seqera-hosted URLs and internal subdomains of your Platform instance host domain, which must be allowed for ingress and egress traffic.


### Wave

To use Seqera Cloud-hosted [Wave](https://docs.seqera.io/wave) with the Mirror or Freeze functionality, which requires Wave to store built containers within your container registry, you must to ensure that the wave-build VPC is allowed to push to your container registry. For most cloud providers, this requires additional configuration to lock down, but is generally allowed by default.
Member

Suggested change
To use Seqera Cloud-hosted [Wave](https://docs.seqera.io/wave) with the Mirror or Freeze functionality, which requires Wave to store built containers within your container registry, you must to ensure that the wave-build VPC is allowed to push to your container registry. For most cloud providers, this requires additional configuration to lock down, but is generally allowed by default.
To use Seqera Cloud-hosted [Wave](https://docs.seqera.io/wave) with the Mirror or Freeze functionality, which requires Wave to store built containers within your container registry, you must ensure that the wave-build VPC is allowed to push to your container registry. For most cloud providers, this is generally permitted by default; you may contact your network administrators to verify whether additional firewall rules have been defined.


Ensure your Enterprise instance can communicate with the following Seqera-hosted Wave service IP addresses on port 443:

- 18.135.7.45/32
- 18.169.21.18/32
- 18.171.4.252/32
Comment on lines +29 to +33
Member

Here we should just reference meta.seqera.io and specify that administrators should allowlist the egress IPs.


### Restricting outbound traffic

To restrict outbound traffic from your Enterprise installation, you must allow access to Seqera assets hosted on Cloudflare, Nextflow assets hosted on Github artifacts, and any code hosting solutions or third party dependancies you require, such as Github, Gitlab, or Artifactory.
Member

Suggested change
To restrict outbound traffic from your Enterprise installation, you must allow access to Seqera assets hosted on Cloudflare, Nextflow assets hosted on Github artifacts, and any code hosting solutions or third party dependancies you require, such as Github, Gitlab, or Artifactory.
To restrict outbound traffic from your Enterprise installation, you must allow access to Seqera assets hosted on Cloudflare, Nextflow assets hosted on GitHub artifacts, and any code hosting solutions or third-party dependencies you require, such as GitHub, GitLab, or Artifactory.

Member

It's not clear to me which assets we're referring to, and we're not specifying IPs/DNS entries to allowlist.

Also, the wording isn't really clear in general.


## HTTP proxy environment variables

:::caution
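Review bot: the hostname in `Your Seqera Enterprise must be allowed to communicate with licences.seqera.io on port 443` is spelled `licences.seqera.io`, while the Cloud page's DNS allowlist in this same PR lists `licenses.seqera.io`; only one can be the real record, and a customer who copies the wrong spelling into a DNS allowlist will block the licence check, so align both files on the actual hostname. The Wave paragraph says the wave-build VPC must be allowed to push to the customer's registry but gives no source addresses or port for that rule; the three Wave IPs listed below it are the same addresses as the `egress` array from meta.seqera.io and the three licence IPs match its `ingress` array, so say which list feeds which rule and point to the endpoint instead of duplicating addresses that will go stale. `### Restricting outbound traffic` names Cloudflare and GitHub artifacts without any hostnames; reuse or link the DNS allowlist from the Cloud page rather than leaving readers to guess.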