fix: add note about updating transitivity firewall rules in the Hub a…
…nd Spoke network mode (#906)

* add note about updating transitivity firewall rules in the Hub and Spoke network mode

* Apply suggestions from code review

Co-authored-by: Max Portocarrero CI&T <105444618+maxi-cit@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

Co-authored-by: Max Portocarrero CI&T <105444618+maxi-cit@users.noreply.github.com>
Co-authored-by: Andrew Peabody <andrewpeabody@google.com>
Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>
4 people committed Dec 10, 2022
1 parent cf4ebac commit 4211162
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion 3-networks-hub-and-spoke/README.md
Expand Up @@ -90,7 +90,13 @@ commands. The `-T` flag is needed for Linux, but causes problems for MacOS.

This step uses the **Hub and Spoke** architecture mode.
More details can be found at the **Networking** section of the [Google cloud security foundations guide](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke).
To enabled **Hub and Spoke** [transitivity](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke_transitivity) set the variable `enable_hub_and_spoke_transitivity` to `true`.

**Hub and Spoke** [transitivity](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke_transitivity) can be used to deploy network virtual appliances (NVAs) on the hub Shared VPC that act as gateways for the spoke-to-spoke traffic to allow connectivity across environments.
To enable **Hub and Spoke** transitivity set the variable `enable_hub_and_spoke_transitivity` to `true`.

**Note:** The default `allow-transitivity-ingress` firewall rule will create Security Command Center (SCC) findings because it allows ingress for all ports and protocols in the [Shared Address Space CIDR Block](https://en.wikipedia.org/wiki/IPv4_shared_address_space) set in this rule.
Because of this, you should update the implemented network access controls between spokes with valid values for your environment through the [firewall functionality](./modules/transitivity/main.tf#L142) of the corresponding NVAs to make them more restrictive.

To see the version that makes use of the **Dual Shared VPC** architecture mode check the step [3-networks-dual-svpc](../3-networks-dual-svpc).

### Using Dedicated Interconnect
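Review bot: the new note links the remediation to a fixed line number, `[firewall functionality](./modules/transitivity/main.tf#L142)`, which will go stale the next time `modules/transitivity/main.tf` is edited above that line; link to the file (or to the named firewall resource or input variable inside it) and state in the prose which input controls the ports, protocols and source ranges of the `allow-transitivity-ingress` rule. Related, "update the implemented network access controls between spokes with valid values for your environment" does not tell the reader what a valid value looks like; since the SCC finding is raised because the rule allows every port and protocol from the whole Shared Address Space block, one sentence saying that the rule should be narrowed to the spoke ranges and the ports the NVAs actually need to forward would make the note actionable rather than just a warning.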
