From 52db88b13e9e81ea8c65e88c5bd6144cd63a87ae Mon Sep 17 00:00:00 2001 From: Elsa Mayra Irgens Date: Wed, 23 Oct 2024 15:37:40 +0200 Subject: [PATCH] Update private link documentation --- .../docs/docs/topic-private-link/index.md | 43 ++++---------- public-site/docs/guides/private-link/index.md | 56 +++++++++++++++++++ public-site/sidebars.ts | 1 + 3 files changed, 67 insertions(+), 33 deletions(-) create mode 100644 public-site/docs/guides/private-link/index.md diff --git a/public-site/docs/docs/topic-private-link/index.md b/public-site/docs/docs/topic-private-link/index.md index ce831b99..90d03bbc 100644 --- a/public-site/docs/docs/topic-private-link/index.md +++ b/public-site/docs/docs/topic-private-link/index.md @@ -9,9 +9,7 @@ When running an application in Radix and there is a need to access external Azur More information can be found in the [Azure documentation](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview) :::tip Omnia Classic governance - -Private links have other [policies](https://docs.omnia.equinor.com/governance/security/components/v4/vnet-private-link/#introduction) in Omnia Classic subscriptions, which makes it not possible to establish services like Private Endpoints with Radix. More information in [Omnia Docs](https://docs.omnia.equinor.com/products/classic/PrivateEndpoints-documentation-for-AppTeams/) - +Private links have other [policies](https://docs.omnia.equinor.com/governance/security/components/v4/vnet-private-link/#introduction) in Omnia Classic subscriptions, which makes it impossible to establish services like Private Endpoints with Radix. More information in [Omnia Docs](https://docs.omnia.equinor.com/products/classic/PrivateEndpoints-documentation-for-AppTeams/) ::: :::tip Tips @@ -21,44 +19,23 @@ An alternative can be to host an API in Omnia Classic, publish this in [APIM](ht ![Illustration](private-link-service-workflow-expanded.png) -In order to establish a Private Endpoint from Radix to your external resource, the following information is needed: +In order to establish a Private Endpoint from Radix to your external resource, follow instructions in the [Private Link Guide](/guides/private-link/). + +The following information is needed: - Subscription owner - Subscription ID - Resource ID (found in the properties of a resource in the Azure portal) -:::tip +:::tip Sample Resource ID example: `/subscriptions/A01234567-bc89-123d-ef45-678g9hi12jkl/resourceGroups/Some_RG_Prod/providers/Microsoft.Sql/servers/sql-some-prod` ::: -## Instructions - -The creation of Private Endpoints in Radix is a semi automated process, and the destination subscription must be part of Omnia Standalone. - -The destination subscription must be whitelisted in an Azure policy managed by [Solum](https://github.com/equinor/Solum). The policy allows the creation of Private Endpoints Connections only to Private Link Services in a list of whitelisted subscriptions. -Adding a subscription to the whitelist is done by making a pull request to the Solum repository or submit an issue in GitHub. This is where most of the information is required, and the Subscription Owner will have to validate the request. -`Important:` If the target subscription are in this list [for Platform and Platform2](https://github.com/equinor/Solum/blob/master/src/platform/policyConfig/policy-assignments/S940_OP-Allow-PLS-Sub.json) or [for Playground](https://github.com/equinor/Solum/blob/master/src/platform/policyConfig/policy-assignments/S941_OP-Allow-PLS-Sub.json) the requirments are met. - -When the pull request has been approved and merged, the policy will be updated. After that, a issue [request a new private link](https://github.com/equinor/radix/issues/new?template=privatelink.yaml) can be made using the `Resource ID`. -The three input fields that need to be submitted: -``` -- [x]Confirm target subscription are whitelisted by Solum (as described above) -- Resource ID: - /subscriptions/A01234567-bc89-123d-ef45-678g9hi12jkl/resourceGroups/Some_RG_Prod/providers/Microsoft.Sql/servers/sql-some-prod -- Radix environment (either): - - Platform NE - - Platform WE - - Playground -``` -Radix team will now get a notification about the issue, and approve the privatelink if all requirements are met. -The submitter will get a mail with text 'Private link is created but needs manuall approval in Azure Portal.' - -This will show up as a pending request in the destination subscription. When the user approves the request, a Private Endpoint will be created on the destination subscription, and a Private Link between the two endpoints will be established. - -The user can continue using the same FQDN to access the remote resource after the Private Endpoint has been created. +This will show up as a pending request in the destination subscription. When the request is approved, a Private Endpoint will be created in your subscription, and a Private Link between the two endpoints will be established. -## Caveats +You can continue using the same FQDN to access the remote resource after the Private Endpoint has been created. -In order to support resolution of Private Endpoint enabled resources in Omnia Classic from on-premise, Equinor's on-premise DNS servers forward e.g. lookups to privatelink.blob.core.windows.net to a centrally managed Private DNS Zone in Omnia Classic with the same name. This forwarding does not apply to all types of Private Endpoints. See the [Omnia platform team's documentation](https://docs.omnia.equinor.com/products/classic/PrivateEndpoints-documentation-for-AppTeams/#omnia-classic-private-endpoint-implementation) for an overview. -If you create a Private Endpoint on a resource in Omnia Standalone to Omnia Radix, *and* that resource type has a Private Endpoint DNS zone which is forwarded to Omnia Classic, then that resource will not be resolvable from on-premise. This applies e.g. to Blob Storage for Azure Storage Accounts. \ No newline at end of file +:::warning +If you create a Private Endpoint on a resource in Omnia Standalone to Omnia Radix, *and* that resource type has a Private Endpoint DNS zone which is forwarded to Omnia Classic, then that resource will not be resolvable from on-premise. This applies e.g. to Blob Storage for Azure Storage Accounts. +::: \ No newline at end of file diff --git a/public-site/docs/guides/private-link/index.md b/public-site/docs/guides/private-link/index.md new file mode 100644 index 00000000..6db4cef3 --- /dev/null +++ b/public-site/docs/guides/private-link/index.md @@ -0,0 +1,56 @@ +--- +title: Request Private Link +--- + +The creation of Private Endpoints in Radix is a semi automated process, and the destination subscription must be part of Omnia Standalone. + +## Prerequisite + +The destination subscription must be whitelisted in an Azure policy managed by [Solum](https://github.com/equinor/Solum). The policy allows the creation of Private Endpoints Connections only to Private Link Services in a list of whitelisted subscriptions. + +:::tip Check if the subscription is whitelisted +`Important:` If the target subscription are in this list [for Platform and Platform2](https://github.com/equinor/Solum/blob/master/src/platform/policyConfig/policy-assignments/S940_OP-Allow-PLS-Sub.json) or [for Playground](https://github.com/equinor/Solum/blob/master/src/platform/policyConfig/policy-assignments/S941_OP-Allow-PLS-Sub.json) the requirments are met. +::: + +### How to add whitelist for your subscription + +1. Create a Pull Request in the repo + +Fork the Solum repo, and update the following file +/src/platform/policyConfig/policy-assignments/S940_OP-Allow-PLS-Sub.json - for Radix Platform +/src/platform/policyConfig/policy-assignments/S941_OP-Allow-PLS-Sub.json - for Radix Playground + +Commit and add the PR, including this information: +"This PR needs to be approved by Technical owner `githubuser` and the `name`" + + - or - +2. Ask us to whitelist the subscription + +Provide the following information in the issue (request) +Subscription ID +GitHub `username` and the `name` of the Technical owner of the subscription + +When the pull request has been approved and merged, the policy will be updated. + +## Request the Private Link/Endpoint + +Create an issue in the main Radix repo,[request a new private link](https://github.com/equinor/radix/issues/new?template=privatelink.yaml) + +``` +- [x] Confirm target subscription are whitelisted by Solum (as described above) - or - +- [x] Request the Whitelist to be done by us +- Resource ID: `Id of the destination resource` + *sample* + /subscriptions/A01234567-bc89-123d-ef45-678g9hi12jkl/resourceGroups/Some_RG_Prod/providers/Microsoft.Sql/servers/sql-some-prod +- Radix environment (either): + - Radix Platform (North Europe) + - Radix Platform 2 (West Europe) + - Radix Playground +``` +The issue/request will be prosessed by Radix team and approve the privatelink if all requirements are met. + +The submitter will get a mail with text 'Private link is created but needs manual approval in Azure Portal.' + +This will show up as a pending request in the destination subscription. When the user approves the request, a Private Endpoint will be created on the destination subscription, and a Private Link between the two endpoints will be established. + +The user can continue using the same FQDN to access the remote resource after the Private Endpoint has been created. diff --git a/public-site/sidebars.ts b/public-site/sidebars.ts index 95109d16..7416d056 100644 --- a/public-site/sidebars.ts +++ b/public-site/sidebars.ts @@ -45,6 +45,7 @@ const sidebars: SidebarsConfig = { 'guides/docker/index', 'guides/docker-useradd/index', 'guides/azure-key-vaults/index', + 'guides/private-link/index', 'guides/build-secrets/index', 'guides/environment-variables/index', 'guides/enable-and-disable-components/index',