From c9a205b2e76fb3188cfae8d5e4ab4280894ee243 Mon Sep 17 00:00:00 2001 From: michaelryanmcneill Date: Tue, 22 Oct 2024 19:26:42 -0400 Subject: [PATCH 1/3] Small correction to Private Google Access --- content/gcp/cloud-ngfw/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/gcp/cloud-ngfw/index.md b/content/gcp/cloud-ngfw/index.md index 213e03c21..21e6174e9 100644 --- a/content/gcp/cloud-ngfw/index.md +++ b/content/gcp/cloud-ngfw/index.md @@ -114,7 +114,7 @@ Before we can deploy a Cloud NGFW, we must first create a VPC and subnets that w --nat-external-ip-pool=${prefix}-${region}-cloudnatip ``` -### Create private DNS records for Google Private Access +### Create private DNS records for Private Google Access 1. Create a private DNS zone for the `googleapis.com` domain by running the following command: ```bash @@ -153,7 +153,7 @@ Before we can deploy a Cloud NGFW, we must first create a VPC and subnets that w --ttl=300 ``` {{% alert state="info" %}} -OpenShift Dedicated relies on the Service Usage API (`serviceusage.googleapis.com`) which is [not provided by the Google Private Access restricted VIP](https://cloud.google.com/vpc-service-controls/docs/restricted-vip-services). To circumvent this, we expose the Service Usage API using the [Google Private Access private VIP](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options). This is the only service exposed by the Google Private Access private VIP in this tutorial. +OpenShift Dedicated relies on the Service Usage API (`serviceusage.googleapis.com`) which is [not provided by the Private Google Access restricted VIP](https://cloud.google.com/vpc-service-controls/docs/restricted-vip-services). To circumvent this, we expose the Service Usage API using the [Private Google Access private VIP](https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options). This is the only service exposed by the Private Google Access private VIP in this tutorial. {{% /alert %}} 1. Apply the staged record set transaction you started above by running the following command: @@ -202,7 +202,7 @@ OpenShift Dedicated relies on the Service Usage API (`serviceusage.googleapis.co ``` > These domains are sourced from internal documentation. These domains will be published in general documentation when the Private Service Connect feature is released. -1. Create an allow rule for Google Private Access endpoints by running the following command: +1. Create an allow rule for Private Google Access endpoints by running the following command: ```bash gcloud compute network-firewall-policies rules create 602 \ --description "Allow egress to Google APIs via Private Google Access" \ From 54a6d66233437b6f4a7e698947919887df769947 Mon Sep 17 00:00:00 2001 From: michaelryanmcneill Date: Tue, 22 Oct 2024 19:28:29 -0400 Subject: [PATCH 2/3] Updating rule 500 to exclude communication with RFC1918 addresses --- content/gcp/cloud-ngfw/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/gcp/cloud-ngfw/index.md b/content/gcp/cloud-ngfw/index.md index 21e6174e9..5ef95c9f4 100644 --- a/content/gcp/cloud-ngfw/index.md +++ b/content/gcp/cloud-ngfw/index.md @@ -167,13 +167,13 @@ OpenShift Dedicated relies on the Service Usage API (`serviceusage.googleapis.co 1. Create a blanket allow rule for east/west and intra-cluster traffic by running the following command: ```bash gcloud compute network-firewall-policies rules create 500 \ - --description "Allow east/west and intra-cluster connectivity" \ + --description "Allow egress to private IP ranges" \ --action=allow \ --firewall-policy=${prefix} \ --global-firewall-policy \ --direction=EGRESS \ --layer4-configs all \ - --dest-ip-ranges=${service_cidr},${machine_cidr},${pod_cidr} + --dest-ip-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 ``` 1. Create an allow rule for HTTPS (`tcp/443`) domains required for OpenShift Dedicated by running the following command: From 52bb6556b4f28f4325c7ae74f544c061af432d96 Mon Sep 17 00:00:00 2001 From: michaelryanmcneill Date: Wed, 30 Oct 2024 15:01:45 -0400 Subject: [PATCH 3/3] clean up RFC1918 language and adding missing splunk endpoint --- content/gcp/cloud-ngfw/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/gcp/cloud-ngfw/index.md b/content/gcp/cloud-ngfw/index.md index 5ef95c9f4..0c7548694 100644 --- a/content/gcp/cloud-ngfw/index.md +++ b/content/gcp/cloud-ngfw/index.md @@ -164,7 +164,7 @@ OpenShift Dedicated relies on the Service Usage API (`serviceusage.googleapis.co ### Create the Firewall Rules -1. Create a blanket allow rule for east/west and intra-cluster traffic by running the following command: +1. Create a blanket allow rule for private IP (RFC 1918) address space by running the following command: ```bash gcloud compute network-firewall-policies rules create 500 \ --description "Allow egress to private IP ranges" \ @@ -198,7 +198,7 @@ OpenShift Dedicated relies on the Service Usage API (`serviceusage.googleapis.co --global-firewall-policy \ --direction=EGRESS \ --layer4-configs tcp:9997 \ - --dest-fqdns inputs1.osdsecuritylogs.splunkcloud.com,inputs2.osdsecuritylogs.splunkcloud.com,inputs4.osdsecuritylogs.splunkcloud.com,inputs5.osdsecuritylogs.splunkcloud.com,inputs6.osdsecuritylogs.splunkcloud.com,inputs7.osdsecuritylogs.splunkcloud.com,inputs8.osdsecuritylogs.splunkcloud.com,inputs9.osdsecuritylogs.splunkcloud.com,inputs10.osdsecuritylogs.splunkcloud.com,inputs11.osdsecuritylogs.splunkcloud.com,inputs12.osdsecuritylogs.splunkcloud.com,inputs13.osdsecuritylogs.splunkcloud.com,inputs14.osdsecuritylogs.splunkcloud.com,inputs15.osdsecuritylogs.splunkcloud.com + --dest-fqdns inputs1.osdsecuritylogs.splunkcloud.com,inputs2.osdsecuritylogs.splunkcloud.com,inputs3.osdsecuritylogs.splunkcloud.com,inputs4.osdsecuritylogs.splunkcloud.com,inputs5.osdsecuritylogs.splunkcloud.com,inputs6.osdsecuritylogs.splunkcloud.com,inputs7.osdsecuritylogs.splunkcloud.com,inputs8.osdsecuritylogs.splunkcloud.com,inputs9.osdsecuritylogs.splunkcloud.com,inputs10.osdsecuritylogs.splunkcloud.com,inputs11.osdsecuritylogs.splunkcloud.com,inputs12.osdsecuritylogs.splunkcloud.com,inputs13.osdsecuritylogs.splunkcloud.com,inputs14.osdsecuritylogs.splunkcloud.com,inputs15.osdsecuritylogs.splunkcloud.com ``` > These domains are sourced from internal documentation. These domains will be published in general documentation when the Private Service Connect feature is released.