Define firewall rules for windows VM
Overview
We need to define a specific set of firewall rules for the Runner virtual machines so that services such as RDP are not reachable, no public IP is assigned to the machine (which hardens it), and only the Runner Manager can access it.
Requirements
- Private Google Access needs to be enabled so that Windows KMS activation works without external IPs
- WinRM access to Runner VMs from the Runner Manager
- Only internet-bound egress traffic from Runner VMs. They should not be able to initiate connections to the Runner Manager or to other Runner VMs.
Implementation Options
There seem to be three possible ways to do this. We are not sure which solution is the best and which is the most scalable, so we need to investigate which one is the proper solution.
Define network resource per build
Using the SDK, we can define a new network every time we create a new virtual machine. This is what the PowerShell example does, where the rules are defined on every build. If we go this route, this needs to be configurable from the custom executor plugin.
Attach an existing network
Create a network once and have every VM connect to it. This can be a bit risky, since if we don't configure it properly every VM can talk to every other VM. If we go this route, the network can be provisioned with Terraform.
Use network tags
- Define a tag for the Runner Manager VM
- Define a tag for the Runner VMs
- Allow connectivity from the Runner Manager VM to Runner VMs for WinRM
- Restrict Runner VM egress traffic to the internet gateway only
Ports/Rules
- Communication over WinRM requires port 5986 (WinRM over HTTPS) to be open. Packer needs it to build the image, and the GitLab Runner driver needs it to run commands on the host. This port should only be reachable internally: by the machine running Packer when it builds the image, and by the Runner Manager so the Custom Executor can communicate with the VM. Exposing it to the internet is dangerous.
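The tag-based option and the WinRM port rule above, as an added Terraform example (this is not the project's own configuration; the Google provider resource types and arguments are real, but the network name, subnet range, region and the `runner-manager` / `runner-vm` tag names are assumptions):

```hcl
# Added example, not the project's own Terraform. Assumed names: network
# "runner-net", subnet 10.10.0.0/24 in us-central1, tags "runner-manager"
# (on the Runner Manager VM) and "runner-vm" (on every Runner VM).

resource "google_compute_network" "runner" {
  name                    = "runner-net"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "runner" {
  name          = "runner-subnet"
  network       = google_compute_network.runner.id
  ip_cidr_range = "10.10.0.0/24" # assumption
  region        = "us-central1"  # assumption
  # Requirement 1: reach Google APIs (including Windows KMS activation)
  # from VMs that have no external IP.
  private_ip_google_access = true
}

# Requirement 2: Runner Manager -> Runner VM on WinRM over HTTPS only.
# No RDP (3389), no WinRM over plain HTTP (5985).
resource "google_compute_firewall" "manager_to_runner_winrm" {
  name        = "allow-manager-to-runner-winrm"
  network     = google_compute_network.runner.name
  direction   = "INGRESS"
  priority    = 1000
  source_tags = ["runner-manager"]
  target_tags = ["runner-vm"]

  allow {
    protocol = "tcp"
    ports    = ["5986"]
  }
}

# Explicit catch-all deny for Runner VMs. GCP already has an implied
# deny-all ingress rule at priority 65535; this rule states the intent
# and keeps working if someone adds a broad allow at a lower precedence.
resource "google_compute_firewall" "deny_runner_ingress" {
  name          = "deny-runner-ingress"
  network       = google_compute_network.runner.name
  direction     = "INGRESS"
  priority      = 2000
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["runner-vm"]

  deny {
    protocol = "all"
  }
}

# Requirement 3: Runner VMs may only talk to the internet. GCP's implied
# rule allows all egress, so block private address space explicitly:
# the subnet above (Runner Manager and other Runner VMs) falls inside
# 10.0.0.0/8. The metadata server (169.254.169.254) and Google API
# ranges are not RFC 1918 and stay reachable.
resource "google_compute_firewall" "deny_runner_egress_internal" {
  name               = "deny-runner-egress-internal"
  network            = google_compute_network.runner.name
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
  target_tags        = ["runner-vm"]

  deny {
    protocol = "all"
  }
}
```

Two things to check when applying this. GCP firewall rules are stateful, so the egress deny does not break the WinRM session: the Manager initiates the connection and the Runner VM's replies are allowed as return traffic, while a Runner VM cannot open a new connection to the Manager or to a neighbour. Tags are not a security boundary on their own, because anyone with `compute.instances.setTags` on the project can attach `runner-manager` to an arbitrary VM and gain WinRM access; restrict that permission (or use `source_service_accounts` / `target_service_accounts` instead of tags) before relying on this in production.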