docs: Move Cloud Firewall config into Cloud Folder #556
base: master
Changes from all commits
608383e
99b2d5f
dd85a4a
198ea77
815606e
@@ -0,0 +1,71 @@ | ||||||||||||||||||||||||||||||||||||||
--- | ||||||||||||||||||||||||||||||||||||||
title: "Firewall configuration" | ||||||||||||||||||||||||||||||||||||||
description: Configure your firewall to allow Seqera Cloud access | ||||||||||||||||||||||||||||||||||||||
date: "12 Apr 2023" | ||||||||||||||||||||||||||||||||||||||
tags: [firewall, configuration] | ||||||||||||||||||||||||||||||||||||||
--- | ||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||
Seqera Platform Cloud ([cloud.seqera.io](https://cloud.seqera.io)) may need to connect to resources within your network, e.g., your storage server. To do so, your firewall must be configured to allow certain IPs to reach your resources. | ||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||
A dynamic list of IPs is kept up-to-date at https://meta.seqera.io. | ||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||
This endpoint returns a JSON object that can be parsed to dynamically adapt your firewall, e.g., in Python with the `requests` package: | ||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||
```python | ||||||||||||||||||||||||||||||||||||||
$ python3 | ||||||||||||||||||||||||||||||||||||||
>>> import requests | ||||||||||||||||||||||||||||||||||||||
>>> requests.get("https://meta.seqera.io").json() | ||||||||||||||||||||||||||||||||||||||
{ | ||||||||||||||||||||||||||||||||||||||
"egress": [ | ||||||||||||||||||||||||||||||||||||||
"18.169.21.18/32", | ||||||||||||||||||||||||||||||||||||||
"18.135.7.45/32", | ||||||||||||||||||||||||||||||||||||||
"18.171.4.252/32" | ||||||||||||||||||||||||||||||||||||||
], | ||||||||||||||||||||||||||||||||||||||
"ingress": [ | ||||||||||||||||||||||||||||||||||||||
"35.179.197.5/32", | ||||||||||||||||||||||||||||||||||||||
"3.11.38.17/32", | ||||||||||||||||||||||||||||||||||||||
"18.175.79.222/32" | ||||||||||||||||||||||||||||||||||||||
] | ||||||||||||||||||||||||||||||||||||||
} | ||||||||||||||||||||||||||||||||||||||
Comment on lines +15 to +29
Shall we drop the actual IPs and just show the Python code? This avoids spreading IPs that would then need to be updated.
Suggested change
I'd also change the endpoint customers should hit to
||||||||||||||||||||||||||||||||||||||
``` | ||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||
### DNS allowlist | ||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||
In order for you to access resources such as Fusion tarballs, `nf-xpack` files, Wave cloud containers and other services provided by Seqera, you'll need to add `*.seqera.io.cdn.cloudflare.net` to the allowlist in your network firewall. If DNS wildcards aren't supported by your firewall, you can use the following: | ||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||
- `cloud.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `api.cloud.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `user-data.cloud.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `tower.nf` | ||||||||||||||||||||||||||||||||||||||
- `api.tower.nf` | ||||||||||||||||||||||||||||||||||||||
- `connect.cloud.seqera.io` and its subdomains `*.connect.cloud.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `hub.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `intern.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `wave.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `community.wave.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `cerbero.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `public.cr.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `auth.cr.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `cr.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `licenses.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `api.multiqc.info` | ||||||||||||||||||||||||||||||||||||||
- `fusionfs.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `nf-xpack.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `community-cr-prod.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `fusionfs.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `nf-xpack.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `public-cr-prod.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `wave-cache-prod-cloudflare.seqera.io` | ||||||||||||||||||||||||||||||||||||||
- `fusionfs.seqera.io.cdn.cloudflare.net` | ||||||||||||||||||||||||||||||||||||||
- `nf-xpack.seqera.io.cdn.cloudflare.net` | ||||||||||||||||||||||||||||||||||||||
- `community-cr-prod.seqera.io.cdn.cloudflare.net` | ||||||||||||||||||||||||||||||||||||||
- `fusionfs.seqera.io.cdn.cloudflare.net` | ||||||||||||||||||||||||||||||||||||||
- `nf-xpack.seqera.io.cdn.cloudflare.net` | ||||||||||||||||||||||||||||||||||||||
- `public-cr-prod.seqera.io.cdn.cloudflare.net` | ||||||||||||||||||||||||||||||||||||||
- `wave-cache-prod-cloudflare.seqera.io.cdn.cloudflare.net` | ||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||
If you choose to filter by specific DNS records, please note that new services may be added in the future. | ||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||
:::note | ||||||||||||||||||||||||||||||||||||||
If your allowlist is based on IP addresses, allow all of the following IP addresses: https://www.cloudflare.com/ips/. | ||||||||||||||||||||||||||||||||||||||
::: |
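Review bot: the DNS allowlist in this hunk contains duplicate entries: `fusionfs.seqera.io`, `nf-xpack.seqera.io`, `fusionfs.seqera.io.cdn.cloudflare.net` and `nf-xpack.seqera.io.cdn.cloudflare.net` each appear twice. Dedupe the list before merging so an administrator who copies it into a firewall ruleset does not get duplicate rules, and consider sorting it so future additions are easy to review in a diff. Two smaller points on the same hunk: the code block is fenced as python but opens with a `$ python3` shell prompt followed by `>>>` REPL lines and pasted output, so it is a console transcript rather than runnable Python (drop the prompts and output, or fence it as a console session), and the text never says which of the `egress` and `ingress` lists a customer should allow in which direction, which is the one thing a firewall administrator needs from this page. Since the reviewer already asked to drop the literal IPs, a short sentence explaining the two keys would carry more value than the sample output does.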
@@ -5,6 +5,37 @@ date: "21 Apr 2023" | |||||
tags: [networking, configuration] | ||||||
--- | ||||||
|
||||||
To self-host your installation of Seqera Platform Enterprise, a number of inbound and outbound connections must be allowed within and external to your environment. This page details the ingress and egress networking considerations required for your Seqera Enterprise deployment. | ||||||
Suggested change
||||||
|
||||||
## Firewall configuration | ||||||
|
||||||
Your Seqera Enterprise must be allowed to communicate with licences.seqera.io on port 443. The IP addresses for this service are: | ||||||
- 35.179.197.5/32 | ||||||
- 18.175.79.222/32 | ||||||
- 3.11.38.17/32 | ||||||
Comment on lines +12 to +15
Here we should just reference meta.seqera.io and specify that administrators should allowlist the
||||||
|
||||||
### Fusion and other Enterprise plugins | ||||||
|
||||||
[Fusion file system](../../supported_software/fusion/overview.md) and other Seqera Enterprise plugins have built-in licence checking built-in. As such, you must also allow network traffic from the your Seqera compute environment executing Nextflow jobs. | ||||||
Suggested change
Which service is validating Fusion licenses? Is it license manager? We should specify that customers should allowlist our ingress IPs then.
||||||
|
||||||
### Studios | ||||||
|
||||||
See [Studios deployment](../studios.md) for details on the Seqera-hosted URLs, and internal subdomains of your Platform instance host domain, that must be allowed for ingress and egress traffic. | ||||||
Suggested change
||||||
|
||||||
### Wave | ||||||
|
||||||
To use Seqera Cloud-hosted [Wave](https://docs.seqera.io/wave) with the Mirror or Freeze functionality, which requires Wave to store built containers within your container registry, you must to ensure that the wave-build VPC is allowed to push to your container registry. For most cloud providers, this requires additional configuration to lock down, but is generally allowed by default. | ||||||
Suggested change
||||||
|
||||||
Ensure your Enterprise instance can communicate with the following Seqera-hosted Wave service IP addresses on port 443: | ||||||
|
||||||
- 18.135.7.45/32 | ||||||
- 18.169.21.18/32 | ||||||
- 18.171.4.252/32 | ||||||
Comment on lines +29 to +33
Here we should just reference meta.seqera.io and specify that administrators should allowlist the
||||||
|
||||||
### Restricting outbound traffic | ||||||
|
||||||
To restrict outbound traffic from your Enterprise installation, you must allow access to Seqera assets hosted on Cloudflare, Nextflow assets hosted on Github artifacts, and any code hosting solutions or third party dependancies you require, such as Github, Gitlab, or Artifactory. | ||||||
Suggested change
It's not clear to me which assets we're referring to, and we're not specifying IPs/DNS entries to allowlist. Also, the wording isn't really clear in general.
||||||
|
||||||
## HTTP proxy environment variables | ||||||
|
||||||
:::caution | ||||||
|
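Review bot: the hostname in the "Firewall configuration" paragraph is written `licences.seqera.io`, while the Cloud page added in the same PR lists `licenses.seqera.io` in its DNS allowlist. Only one spelling can be the real service name, and an administrator who allowlists the wrong one gets a licence check that fails with no obvious cause, so align the two before merging. The three IPs given for the licence service and the three given for Wave are the same values that appear as `ingress` and `egress` in the meta.seqera.io sample output on the Cloud page, so hard-coding them here creates a second copy that has to be kept in sync; as the earlier comments say, pointing at the endpoint and naming which list applies to which service would be enough. Wording fixes for the same hunk: "have built-in licence checking built-in" repeats "built-in", "from the your Seqera compute environment" has a stray "the", "you must to ensure" should be "you must ensure", and "dependancies" should be "dependencies". In the Wave section, "this requires additional configuration to lock down, but is generally allowed by default" leaves it unclear whether a push from the wave-build VPC to the customer registry works without any grant or must be explicitly permitted; say which, since that determines whether the reader has to change anything.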
Let's make customers subscribe to a specific version.
If in the future we rework the meta endpoint to use a new format, we'll create a new version (this won't be the case for a simple IP update).