
Best practice for service IP restrictions #8

@tomdoel

Description

IP access to the FBM services is managed through the security groups of the relevant components (e.g. load balancers, network interfaces) and ACLs of the subnets. Incoming access is currently restricted to the subnets of the relevant VPCs, so that access is only permitted from within the VPC, through the VPN or through specific VPC peering routes.

Following best practice, access could be further restricted so that each FBM component can only communicate with the components it needs to. For example:

  • Consider separating the networking components (mqtt+restful) and the researcher components (jupyter+tensorboard+other future containers) into separate subnets or separate VPCs. This gives a stronger separation between the networking components (to which only system administrators should have direct access) and the researcher network (which could host multiple services to which researchers connect through the VPN).
  • For both the researcher and node VPNs, restrict access from the VPN to only the subnet containing the required VPC resources (i.e. the web server load balancers); this could be done, for example, by creating additional subnets.
  • Add explicit outbound (egress) security group rules instead of relying on the AWS default allow-all egress rule.
  • For the network services (mqtt+restful), restrict access to specific components. This can be done directly by adding explicit permissions between components (although this can be difficult to manage in CDK because of cross-stack dependency issues), or indirectly by using subnets.
  • Add network ACL restrictions at the subnet level.

Note: if incoming/outgoing access is restricted, additional permissions may be needed for connections to the VPC endpoints of the AWS services used in the ECS deployment (such as ECR, Parameter Store and Secrets Manager).
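As an added illustration (not code from the FBM project or from this issue), the following script audits a set of security groups for the points above: ingress open to the world, ingress granted to a whole VPC CIDR where a security-group reference to a specific component would do, VPN client ranges reaching groups other than the intended entry points (the web server load balancers), and egress left at the AWS default allow-all. It reads rules in the shape boto3's `ec2.describe_security_groups()` returns, so it can be pointed at real output; the sample groups, group ids (`sg-weblb`, `sg-mqtt`, `sg-restful`, `sg-jupyter`) and CIDRs (`10.0.0.0/16` for the VPC, `10.100.0.0/16` for the VPN clients) are constructed for the example.

```python
"""Offline audit of security-group rules against the restrictions proposed above.

Input mirrors the shape of boto3 ec2.describe_security_groups()["SecurityGroups"]
so the same function can be run over real output; SAMPLE_GROUPS below is constructed.
"""
import ipaddress

# Wildcard CIDRs that mean "anywhere" in an IpRanges / Ipv6Ranges entry.
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _cidrs(perm):
    """Yield the IPv4 and IPv6 CIDR strings named by one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _ports(perm):
    """Human-readable port range; protocol "-1" is the all-traffic wildcard."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    return f"{perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_security_groups(groups, vpc_cidrs, vpn_cidrs, vpn_reachable):
    """Return (group_id, severity, message) findings.

    vpc_cidrs:     the VPC CIDRs; an ingress rule that names a whole VPC CIDR is
                   broader than a security-group reference to a specific component.
    vpn_cidrs:     client address ranges of the researcher and node VPNs.
    vpn_reachable: ids of the groups the VPN is meant to reach directly
                   (here: the web server load balancers).
    """
    vpc_nets = {ipaddress.ip_network(c) for c in vpc_cidrs}
    vpn_nets = [ipaddress.ip_network(c) for c in vpn_cidrs]
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            # UserIdGroupPairs (SG-to-SG references) yield no CIDRs and are not flagged.
            for cidr in _cidrs(perm):
                net = ipaddress.ip_network(cidr)
                if cidr in ANYWHERE:
                    findings.append((gid, "HIGH",
                                     f"ingress {_ports(perm)} open to {cidr}"))
                elif net in vpc_nets:
                    findings.append((gid, "MEDIUM",
                                     f"ingress {_ports(perm)} from whole VPC {cidr}; "
                                     "prefer a security-group reference"))
                elif gid not in vpn_reachable and any(net.overlaps(v) for v in vpn_nets):
                    findings.append((gid, "MEDIUM",
                                     f"ingress {_ports(perm)} from VPN range {cidr} "
                                     "to a group that is not a VPN entry point"))
        # AWS creates every new group with an all-traffic egress rule to 0.0.0.0/0.
        for perm in g.get("IpPermissionsEgress", []):
            if perm.get("IpProtocol") == "-1" and ANYWHERE & set(_cidrs(perm)):
                findings.append((gid, "LOW",
                                 "egress is the AWS default allow-all; add explicit outbound rules"))
    return findings


# Constructed sample in describe_security_groups() shape (not real FBM data).
VPC_CIDRS = ["10.0.0.0/16"]
VPN_CIDRS = ["10.100.0.0/16"]
VPN_REACHABLE = {"sg-weblb"}

SAMPLE_GROUPS = [
    {   # web server load balancer: the intended VPN entry point
        "GroupId": "sg-weblb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.100.0.0/16"}]}],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
    {   # mqtt: one good rule (SG reference) and one over-broad rule (whole VPC)
        "GroupId": "sg-mqtt",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8883, "ToPort": 8883,
             "UserIdGroupPairs": [{"GroupId": "sg-restful"}]},
            {"IpProtocol": "tcp", "FromPort": 8883, "ToPort": 8883,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
    },
    {   # jupyter: reachable straight from the VPN, and with SSH open to the world
        "GroupId": "sg-jupyter",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8888, "ToPort": 8888,
             "IpRanges": [{"CidrIp": "10.100.0.0/16"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
]


def run_sample():
    """Audit the constructed sample; returns five findings (1 HIGH, 2 MEDIUM, 2 LOW)."""
    return audit_security_groups(SAMPLE_GROUPS, VPC_CIDRS, VPN_CIDRS, VPN_REACHABLE)


if __name__ == "__main__":
    for gid, sev, msg in run_sample():
        print(f"{sev:6} {gid}: {msg}")
```

The script only looks at security groups; subnet network ACLs and the existence of interface VPC endpoints are separate checks. In particular, once egress is tightened, a task that pulls its image from ECR or reads Parameter Store and Secrets Manager at start-up will fail unless those services are reachable through VPC endpoints or an explicit egress rule, which is the note in the issue above.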


Labels: enhancement (New feature or request)
