Prevent unverified IP addresses from accessing tenants
This topic describes how to ensure that only verified IP addresses can reach a customer's SMAX, Audit, CMS, and OO tenants. It applies to customers who require a high level of security and want to limit access to their tenants to a given IP range only. This is achieved with AWS Web Application Firewall (WAF), which is associated with the ALB in front of the tenants. See AWS WAF for background on WAF.
Follow these steps:
1. Go to the AWS Console and create (up to) 3 IP sets (see Creating an IP set):
   - Allow-Users-Zero-Trust-IPSet-<TenantID>: the IP range the customer uses for UI access (for example, the egress IPs of the customer's HTTPS proxy). Because the WAF sees the source IP of the connection reaching the ALB, this must be the range the traffic actually arrives from, not the users' internal addresses.
   - Allow-NAT-Gateway-IPSet: the IP(s) of the NAT Gateway of the current SaaS farm's VPC (see All NAT Gateway IPs to find these IPs). This is required so that ESM products can talk to each other via their external FQDNs, and so that nginx integration traffic is accepted by the ALB. Note: this IP set may already exist if other customers on the farm have been enabled for zero trust, in which case it can be reused.
   - Allow-Troubleshooting-IPSet: IPs from which we access customer tenants for troubleshooting. You can add the IPs of some corporate proxies or, temporarily, of selected individuals who need to access customer tenants. If temporary IPs are added, delete them as soon as access is no longer required.
2. On farms that do not have WAFs yet, create 4 different web ACLs (one each for SMAX, Audit, CMS, and OO) with default settings; see Creating a web ACL. The WAF rules from the steps below are then added to the corresponding web ACLs. On farms that already have WAFs enabled, add the rule(s) below to the corresponding existing web ACLs.
3. Add the rule to the SMAX, Audit, and OO web ACLs. Go to the AWS Console > WAF & Shield and open the existing web ACL or the web ACL you created in step 2. Click the Rules tab, then navigate to Add rules > Add my own rules and rule groups. Click Rule builder > Rule JSON editor, paste the following JSON, click Validate, and then click Add rule to save your configuration.

    {
      "Name": "tenant-ip-filter-<TenantID>",
      "Priority": 0,
      "Statement": {
        "AndStatement": {
          "Statements": [
            {
              "OrStatement": {
                "Statements": [
                  {
                    "ByteMatchStatement": {
                      "SearchString": "<TenantID>",
                      "FieldToMatch": { "SingleQueryArgument": { "Name": "tenantid" } },
                      "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ],
                      "PositionalConstraint": "EXACTLY"
                    }
                  },
                  {
                    "ByteMatchStatement": {
                      "SearchString": "rest/<TenantID>",
                      "FieldToMatch": { "UriPath": {} },
                      "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ],
                      "PositionalConstraint": "CONTAINS"
                    }
                  },
                  {
                    "ByteMatchStatement": {
                      "SearchString": "<TenantID>",
                      "FieldToMatch": {
                        "Cookies": {
                          "MatchPattern": { "IncludedCookies": [ "TENANTID" ] },
                          "MatchScope": "VALUE",
                          "OversizeHandling": "NO_MATCH"
                        }
                      },
                      "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ],
                      "PositionalConstraint": "EXACTLY"
                    }
                  }
                ]
              }
            },
            {
              "NotStatement": {
                "Statement": {
                  "OrStatement": {
                    "Statements": [
                      { "IPSetReferenceStatement": { "ARN": "<Allow-Users-Zero-Trust-IPSet-TenantID-ARN>" } },
                      { "IPSetReferenceStatement": { "ARN": "<Allow-NAT-Gateway-IPSet-ARN>" } },
                      { "IPSetReferenceStatement": { "ARN": "<Allow-Troubleshooting-IPSet-ARN>" } }
                    ]
                  }
                }
              }
            }
          ]
        }
      },
      "Action": { "Block": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "tenant-ip-filter-<TenantID>"
      }
    }

   The rule blocks a request when both conditions hold: the request names the tenant (in the tenantid query argument, in a rest/<TenantID> path segment, or in the TENANTID cookie) AND the source IP is in none of the three IP sets. Requests that carry no tenant identifier are not touched by it, which is intended, since other tenants share the same web ACL. Because the cookie check uses OversizeHandling NO_MATCH, a request whose cookie header exceeds the WAF inspection limit is not matched by that branch and is blocked only if the tenant also appears in the query argument or the path.

   Note: Replace <TenantID> with the real Tenant ID you wish to apply the rule to, and then replace <Allow-Users-Zero-Trust-IPSet-TenantID-ARN>, <Allow-NAT-Gateway-IPSet-ARN>, and <Allow-Troubleshooting-IPSet-ARN> with the ARNs of the IP sets created in step 1. If the same customer has multiple tenants with the same IP allowlist, the rules can be consolidated. For example, instead of:

    "ByteMatchStatement": { "SearchString": "<TenantID>", ...

   use:

    "RegexMatchStatement": { "RegexString": "^(<TenantID-1>|<TenantID-2>)$", ...

   The ^ and $ anchors are right for the query argument and cookie value, which must equal the tenant ID; for the UriPath statement, which only needs to contain rest/<TenantID>, use the unanchored pattern rest/(<TenantID-1>|<TenantID-2>) instead.

4. Set the rule priority. For SMAX, add it after the "nat-gateway-IPset" rule. For Audit and OO, put it at the top. Validate and then save your configuration. Repeat this step until the rule has been added to all SMAX, Audit, and OO web ACLs.
5. Add the rule to the CMS web ACL. Find the CMS web ACL in the AWS Console > WAF & Shield. Click the Rules tab, then navigate to Add rules > Add my own rules and rule groups. Click Rule builder > Rule JSON editor, paste the following JSON, click Validate, and then click Add rule to save your configuration:

    {
      "Name": "tenant-cms-ip-filter-<CustomerID>",
      "Priority": 0,
      "Statement": {
        "AndStatement": {
          "Statements": [
            {
              "OrStatement": {
                "Statements": [
                  {
                    "ByteMatchStatement": {
                      "SearchString": "<CustomerID>",
                      "FieldToMatch": { "SingleQueryArgument": { "Name": "customerid" } },
                      "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ],
                      "PositionalConstraint": "EXACTLY"
                    }
                  },
                  {
                    "ByteMatchStatement": {
                      "SearchString": "<CustomerID>",
                      "FieldToMatch": {
                        "Cookies": {
                          "MatchPattern": { "IncludedCookies": [ "customerID" ] },
                          "MatchScope": "VALUE",
                          "OversizeHandling": "NO_MATCH"
                        }
                      },
                      "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ],
                      "PositionalConstraint": "EXACTLY"
                    }
                  }
                ]
              }
            },
            {
              "NotStatement": {
                "Statement": {
                  "OrStatement": {
                    "Statements": [
                      { "IPSetReferenceStatement": { "ARN": "<Allow-Users-Zero-Trust-IPSet-TenantID-ARN>" } },
                      { "IPSetReferenceStatement": { "ARN": "<Allow-NAT-Gateway-IPSet-ARN>" } },
                      { "IPSetReferenceStatement": { "ARN": "<Allow-Troubleshooting-IPSet-ARN>" } }
                    ]
                  }
                }
              }
            }
          ]
        }
      },
      "Action": { "Block": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "tenant-cms-ip-filter-<CustomerID>"
      }
    }

   Note: Replace <CustomerID> with the real Customer ID you wish to apply the rule to (the CMS customerID equals the SMAX TenantID), and then replace <Allow-Users-Zero-Trust-IPSet-TenantID-ARN>, <Allow-NAT-Gateway-IPSet-ARN>, and <Allow-Troubleshooting-IPSet-ARN> with the ARNs of the IP sets created in step 1. If the same customer has multiple customer IDs with the same IP allowlist, the rules can be consolidated. For example, instead of:

    "ByteMatchStatement": { "SearchString": "<CustomerID>", ...

   use:

    "RegexMatchStatement": { "RegexString": "^(<CustomerID-1>|<CustomerID-2>)$", ...

6. Set the rule priority so that it is the top rule.
7. On farms that did not have WAFs before, associate the newly created web ACLs with the corresponding ALBs. Do not associate the web ACL with the ALB manually in the console; the ALB is managed by the ingress, so associate the web ACL by editing the ingress instead:

    sudo kubectl edit ingress -n itsma-namespace sma-ingress -oyaml

   and add an annotation like the following, whose value is the ARN of the web ACL:

    alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:xxxxxxxx

   Note: If this web ACL has only this one (Block) rule, set "Default web ACL action for requests that don't match any rules" on the Rules tab to Allow. With a default action of Block, every request that does not match the rule, including requests from the allowlisted IPs, would be rejected.
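Before deploying the rule from steps 3 and 5, it is worth checking its logic against the requests you expect to see. The following Python script is an added example, not part of this page and not AWS code: it builds the tenant-ip-filter rule in the same shape as the JSON above (including the RegexMatchStatement consolidation for several tenant IDs, extended to the rest/ path match) and re-implements only the WAF v2 statement types the rule uses, with simplified semantics, so that sample requests can be evaluated offline. AWS WAF itself remains the authority on how the rule behaves; all IP ranges, tenant IDs, and ARNs in the script are constructed sample values.

```python
"""Offline simulator for the tenant-ip-filter rule above (added example, not AWS
code): just the WAF v2 statement types the rule uses, so its logic can be checked
before deployment. AWS WAF is authoritative; all IPs, IDs and ARNs are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample IP sets, keyed by the (made-up) ARN the rule references.
ARN = "arn:aws:wafv2:eu-west-1:123456789012:regional/ipset/"
IP_SETS = {
    ARN + "Allow-Users-Zero-Trust-IPSet-t1/aaaa": ["203.0.113.0/24"],  # customer HTTPS proxy
    ARN + "Allow-NAT-Gateway-IPSet/bbbb": ["198.51.100.7/32"],         # farm NAT gateway
    ARN + "Allow-Troubleshooting-IPSet/cccc": ["192.0.2.10/32"],        # corporate proxy
}
USER_ARN, NAT_ARN, TS_ARN = list(IP_SETS)

@dataclass
class Request:
    """The request components the rule inspects."""
    src_ip: str
    path: str = "/"
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

def _tenant_match(field_to_match, tenant_ids, prefix="", anchored=True):
    """ByteMatchStatement for one tenant ID (as on the page), the page's RegexMatch
    consolidation for several; applying it to the rest/ path match is my extension."""
    tx = [{"Priority": 0, "Type": "NONE"}]
    if len(tenant_ids) == 1:
        return {"ByteMatchStatement": {
            "SearchString": prefix + tenant_ids[0], "FieldToMatch": field_to_match,
            "TextTransformations": tx,
            "PositionalConstraint": "EXACTLY" if anchored else "CONTAINS"}}
    alt = "(" + "|".join(re.escape(t) for t in tenant_ids) + ")"
    return {"RegexMatchStatement": {
        "RegexString": f"^{alt}$" if anchored else prefix + alt,
        "FieldToMatch": field_to_match, "TextTransformations": tx}}

def build_rule(tenant_ids, user_arn, nat_arn, troubleshoot_arn):
    """Block requests that name one of tenant_ids unless the source IP is allowlisted."""
    name = "tenant-ip-filter-" + "-".join(tenant_ids)
    cookies = {"Cookies": {"MatchPattern": {"IncludedCookies": ["TENANTID"]},
                           "MatchScope": "VALUE", "OversizeHandling": "NO_MATCH"}}
    return {
        "Name": name, "Priority": 0, "Action": {"Block": {}},
        "Statement": {"AndStatement": {"Statements": [
            {"OrStatement": {"Statements": [
                _tenant_match({"SingleQueryArgument": {"Name": "tenantid"}}, tenant_ids),
                _tenant_match({"UriPath": {}}, tenant_ids, prefix="rest/", anchored=False),
                _tenant_match(cookies, tenant_ids)]}},
            {"NotStatement": {"Statement": {"OrStatement": {"Statements": [
                {"IPSetReferenceStatement": {"ARN": arn}}
                for arn in (user_arn, nat_arn, troubleshoot_arn)]}}}}]}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }

def _field_values(ftm, req):
    """Strings a FieldToMatch inspects (exact-name lookups; empty if absent)."""
    if "SingleQueryArgument" in ftm:
        value = req.query.get(ftm["SingleQueryArgument"]["Name"])
        return [] if value is None else [value]
    if "UriPath" in ftm:
        return [req.path]
    if "Cookies" in ftm:
        wanted = ftm["Cookies"]["MatchPattern"]["IncludedCookies"]
        return [req.cookies[c] for c in wanted if c in req.cookies]
    raise ValueError(f"unsupported FieldToMatch: {ftm}")

def evaluate(stmt, req):
    """True when the statement matches the request (simplified WAF semantics)."""
    (kind, body), = stmt.items()
    if kind == "AndStatement":
        return all(evaluate(s, req) for s in body["Statements"])
    if kind == "OrStatement":
        return any(evaluate(s, req) for s in body["Statements"])
    if kind == "NotStatement":
        return not evaluate(body["Statement"], req)
    if kind == "IPSetReferenceStatement":
        ip = ipaddress.ip_address(req.src_ip)
        return any(ip in ipaddress.ip_network(cidr) for cidr in IP_SETS[body["ARN"]])
    values = _field_values(body["FieldToMatch"], req)
    if kind == "ByteMatchStatement":
        needle, how = body["SearchString"], body["PositionalConstraint"]
        return any(v == needle if how == "EXACTLY" else needle in v for v in values)
    if kind == "RegexMatchStatement":
        return any(re.search(body["RegexString"], v) for v in values)
    raise ValueError(f"unsupported statement: {kind}")

def decide(rule, req, default_action="ALLOW"):
    """Web ACL outcome: the rule's Block action on match, else the ACL default."""
    return "BLOCK" if evaluate(rule["Statement"], req) else default_action

if __name__ == "__main__":
    rule = build_rule(["t1"], USER_ARN, NAT_ARN, TS_ARN)
    outside, proxy = "198.18.0.9", "203.0.113.5"  # constructed client IPs
    print(decide(rule, Request(proxy, query={"tenantid": "t1"})))    # ALLOW
    print(decide(rule, Request(outside, query={"tenantid": "t1"})))  # BLOCK
    print(decide(rule, Request(outside, path="/saw/Login")))         # ALLOW: no tenant ID
```

Running the script shows the three properties to verify before saving the rule in the console: an allowlisted source (customer proxy, NAT gateway, or troubleshooting IP) is always allowed; any other source is blocked as soon as it names the tenant in the query argument, the REST path, or the cookie; and a request that names no tenant, or names a different one, is left to the web ACL default action, which is why that default must be Allow.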