Merge pull request #417 from equinor/private-link
Update private link documentation
emirgens authored Oct 24, 2024
2 parents fdae13e + 52db88b commit 2b9dceb
Showing 3 changed files with 67 additions and 33 deletions.
43 changes: 10 additions & 33 deletions public-site/docs/docs/topic-private-link/index.md
@@ -9,9 +9,7 @@ When running an application in Radix and there is a need to access external Azur
More information can be found in the [Azure documentation](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview)

:::tip Omnia Classic governance

Private links have other [policies](https://docs.omnia.equinor.com/governance/security/components/v4/vnet-private-link/#introduction) in Omnia Classic subscriptions, which makes it not possible to establish services like Private Endpoints with Radix. More information in [Omnia Docs](https://docs.omnia.equinor.com/products/classic/PrivateEndpoints-documentation-for-AppTeams/)

Private links have other [policies](https://docs.omnia.equinor.com/governance/security/components/v4/vnet-private-link/#introduction) in Omnia Classic subscriptions, which makes it impossible to establish services like Private Endpoints with Radix. More information in [Omnia Docs](https://docs.omnia.equinor.com/products/classic/PrivateEndpoints-documentation-for-AppTeams/)
:::

:::tip Tips
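Review bot: the rewording from "not possible" to "impossible" is fine, but the admonition still leaves its scope ambiguous and sits in a `:::tip` box although it describes a hard limitation. It is the Omnia Classic subscription hosting the target resource that is governed by the other policies, so consider `:::warning Omnia Classic governance` with an opening sentence such as `Omnia Classic subscriptions are governed by other private link policies, so a Private Endpoint from Radix to a resource in an Omnia Classic subscription cannot be established.` and keep the two Omnia Docs links as they are.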
@@ -21,44 +19,23 @@ An alternative can be to host an API in Omnia Classic, publish this in [APIM](ht

![Illustration](private-link-service-workflow-expanded.png)

In order to establish a Private Endpoint from Radix to your external resource, the following information is needed:
In order to establish a Private Endpoint from Radix to your external resource, follow instructions in the [Private Link Guide](/guides/private-link/).

The following information is needed:

- Subscription owner
- Subscription ID
- Resource ID (found in the properties of a resource in the Azure portal)

:::tip
:::tip Sample
Resource ID example: `/subscriptions/A01234567-bc89-123d-ef45-678g9hi12jkl/resourceGroups/Some_RG_Prod/providers/Microsoft.Sql/servers/sql-some-prod`
:::

## Instructions

The creation of Private Endpoints in Radix is a semi automated process, and the destination subscription must be part of Omnia Standalone.

The destination subscription must be whitelisted in an Azure policy managed by [Solum](https://github.com/equinor/Solum). The policy allows the creation of Private Endpoints Connections only to Private Link Services in a list of whitelisted subscriptions.
Adding a subscription to the whitelist is done by making a pull request to the Solum repository or submit an issue in GitHub. This is where most of the information is required, and the Subscription Owner will have to validate the request.
`Important:` If the target subscription are in this list [for Platform and Platform2](https://github.com/equinor/Solum/blob/master/src/platform/policyConfig/policy-assignments/S940_OP-Allow-PLS-Sub.json) or [for Playground](https://github.com/equinor/Solum/blob/master/src/platform/policyConfig/policy-assignments/S941_OP-Allow-PLS-Sub.json) the requirments are met.

When the pull request has been approved and merged, the policy will be updated. After that, a issue [request a new private link](https://github.com/equinor/radix/issues/new?template=privatelink.yaml) can be made using the `Resource ID`.
The three input fields that need to be submitted:
```
- [x]Confirm target subscription are whitelisted by Solum (as described above)
- Resource ID:
/subscriptions/A01234567-bc89-123d-ef45-678g9hi12jkl/resourceGroups/Some_RG_Prod/providers/Microsoft.Sql/servers/sql-some-prod
- Radix environment (either):
- Platform NE
- Platform WE
- Playground
```
Radix team will now get a notification about the issue, and approve the privatelink if all requirements are met.
The submitter will get a mail with text 'Private link is created but needs manuall approval in Azure Portal.'

This will show up as a pending request in the destination subscription. When the user approves the request, a Private Endpoint will be created on the destination subscription, and a Private Link between the two endpoints will be established.

The user can continue using the same FQDN to access the remote resource after the Private Endpoint has been created.
This will show up as a pending request in the destination subscription. When the request is approved, a Private Endpoint will be created in your subscription, and a Private Link between the two endpoints will be established.

## Caveats
You can continue using the same FQDN to access the remote resource after the Private Endpoint has been created.

In order to support resolution of Private Endpoint enabled resources in Omnia Classic from on-premise, Equinor's on-premise DNS servers forward e.g. lookups to privatelink.blob.core.windows.net to a centrally managed Private DNS Zone in Omnia Classic with the same name. This forwarding does not apply to all types of Private Endpoints. See the [Omnia platform team's documentation](https://docs.omnia.equinor.com/products/classic/PrivateEndpoints-documentation-for-AppTeams/#omnia-classic-private-endpoint-implementation) for an overview.

If you create a Private Endpoint on a resource in Omnia Standalone to Omnia Radix, *and* that resource type has a Private Endpoint DNS zone which is forwarded to Omnia Classic, then that resource will not be resolvable from on-premise. This applies e.g. to Blob Storage for Azure Storage Accounts.
:::warning
If you create a Private Endpoint on a resource in Omnia Standalone to Omnia Radix, *and* that resource type has a Private Endpoint DNS zone which is forwarded to Omnia Classic, then that resource will not be resolvable from on-premise. This applies e.g. to Blob Storage for Azure Storage Accounts.
:::
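Review bot: moving the instructions out to the guide drops the authorization step and leaves the two pages disagreeing about where the endpoint is created. The removed sentence `This is where most of the information is required, and the Subscription Owner will have to validate the request.` was the only explanation of why `Subscription owner` is still listed under "The following information is needed"; keep one sentence next to that list saying the owner of the destination subscription must validate the request. The rewritten line `When the request is approved, a Private Endpoint will be created in your subscription` conflicts with the old wording `on the destination subscription`, which the new guide keeps; since the pending request is approved on the destination side, name who approves and in which subscription the endpoint lands, and use the same wording in both files. The sample Resource ID `/subscriptions/A01234567-bc89-123d-ef45-678g9hi12jkl/...` is not a well-formed subscription GUID (the first group has nine characters and `g` through `l` are not hex digits), which will mislead anyone checking their own ID against the sample; an obviously fake but valid-looking value such as `00000000-0000-0000-0000-000000000000` is safer. Wrapping the on-premise DNS caveat in `:::warning` is a good change.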
56 changes: 56 additions & 0 deletions public-site/docs/guides/private-link/index.md
@@ -0,0 +1,56 @@
---
title: Request Private Link
---

The creation of Private Endpoints in Radix is a semi automated process, and the destination subscription must be part of Omnia Standalone.

## Prerequisite

The destination subscription must be whitelisted in an Azure policy managed by [Solum](https://github.com/equinor/Solum). The policy allows the creation of Private Endpoints Connections only to Private Link Services in a list of whitelisted subscriptions.

:::tip Check if the subscription is whitelisted
`Important:` If the target subscription are in this list [for Platform and Platform2](https://github.com/equinor/Solum/blob/master/src/platform/policyConfig/policy-assignments/S940_OP-Allow-PLS-Sub.json) or [for Playground](https://github.com/equinor/Solum/blob/master/src/platform/policyConfig/policy-assignments/S941_OP-Allow-PLS-Sub.json) the requirments are met.
:::

### How to add whitelist for your subscription

1. Create a Pull Request in the repo

Fork the Solum repo, and update the following file
/src/platform/policyConfig/policy-assignments/S940_OP-Allow-PLS-Sub.json - for Radix Platform
/src/platform/policyConfig/policy-assignments/S941_OP-Allow-PLS-Sub.json - for Radix Playground

Commit and add the PR, including this information:
"This PR needs to be approved by Technical owner `githubuser` and the `name`"

- or -
2. Ask us to whitelist the subscription

Provide the following information in the issue (request)
Subscription ID
GitHub `username` and the `name` of the Technical owner of the subscription

When the pull request has been approved and merged, the policy will be updated.

## Request the Private Link/Endpoint

Create an issue in the main Radix repo,[request a new private link](https://github.com/equinor/radix/issues/new?template=privatelink.yaml)

```
- [x] Confirm target subscription are whitelisted by Solum (as described above) - or -
- [x] Request the Whitelist to be done by us
- Resource ID: `Id of the destination resource`
*sample*
/subscriptions/A01234567-bc89-123d-ef45-678g9hi12jkl/resourceGroups/Some_RG_Prod/providers/Microsoft.Sql/servers/sql-some-prod
- Radix environment (either):
- Radix Platform (North Europe)
- Radix Platform 2 (West Europe)
- Radix Playground
```
The issue/request will be prosessed by Radix team and approve the privatelink if all requirements are met.

The submitter will get a mail with text 'Private link is created but needs manual approval in Azure Portal.'

This will show up as a pending request in the destination subscription. When the user approves the request, a Private Endpoint will be created on the destination subscription, and a Private Link between the two endpoints will be established.

The user can continue using the same FQDN to access the remote resource after the Private Endpoint has been created.
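Review bot: the whitelist step in the new guide does not say what to put in the policy file, and the approval requirement that authorizes the change is phrased as a quote rather than an instruction. Option 1 under `How to add whitelist for your subscription` tells the reader to fork Solum and edit `S940_OP-Allow-PLS-Sub.json` / `S941_OP-Allow-PLS-Sub.json`, but since the prerequisite text says the policy allows connections only to Private Link Services in a list of whitelisted subscriptions, and option 2 asks for the Subscription ID, the guide should state explicitly that the Subscription ID is the value to add and where in the JSON it goes. The line `"This PR needs to be approved by Technical owner \`githubuser\` and the \`name\`"` should read as a clear requirement, e.g. `Name the subscription's Technical owner (GitHub username and full name) in the PR description; the PR is not merged without their approval.`, because that approval is the control preventing an arbitrary fork from adding a subscription to the allowlist. The fenced block under `Request the Private Link/Endpoint` is the issue form, not code, so tag the fence as `text` or drop it. Typos to fix in the same pass: `If the target subscription are in this list` → `is in this list`, `requirments` → `requirements`, `repo,[request` → `repo, [request`, `The issue/request will be prosessed by Radix team and approve the privatelink if all requirements are met.` → `The Radix team processes the request and approves the private link if all requirements are met.` Finally, `created on the destination subscription` here versus `created in your subscription` on the topic page: pick one wording for both files.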
1 change: 1 addition & 0 deletions public-site/sidebars.ts
@@ -45,6 +45,7 @@ const sidebars: SidebarsConfig = {
'guides/docker/index',
'guides/docker-useradd/index',
'guides/azure-key-vaults/index',
'guides/private-link/index',
'guides/build-secrets/index',
'guides/environment-variables/index',
'guides/enable-and-disable-components/index',