Updated diagram and documentation for decentralized firewall.
This commit is contained in:
parent
37e946c334
commit
fc7a7228d5
|
@ -2,15 +2,24 @@
|
|||
|
||||
This sample shows how a decentralized firewall management can be organized using the [firewall-yaml](../../modules/net-vpc-firewall-yaml) module.
|
||||
|
||||
This approach is a good fit when Shared VPCs are used across multiple application/infrastructure teams. A central repository keeps environment/team specific folders with firewall definitions in `yaml` format.
|
||||
This approach is a good fit when Shared VPCs are used across multiple application/infrastructure teams. A central repository keeps environment/team
|
||||
specific folders with firewall definitions in `yaml` format.
|
||||
|
||||
In the current example multiple teams can define their [VPC Firewall Rules](https://cloud.google.com/vpc/docs/firewalls) for [dev](./firewall/dev) and [prod](./firewall/prod) environments using team specific subfolders. Rules defined in the [common](./firewall/common) folder are applied to both dev and prod environments.
|
||||
> **_NOTE:_** Common rules are meant to be used for situations where [hierarchical rules](https://cloud.google.com/vpc/docs/firewall-policies) do not map precisely to requirements (e.g. SA, etc.)
|
||||
In the current example multiple teams can define their [VPC Firewall Rules](https://cloud.google.com/vpc/docs/firewalls)
|
||||
for [dev](./firewall/dev) and [prod](./firewall/prod) environments using team specific subfolders. Rules defined in the
|
||||
[common](./firewall/common) folder are applied to both dev and prod environments.
|
||||
|
||||
> **_NOTE:_** Common rules are meant to be used for situations where [hierarchical rules](https://cloud.google.com/vpc/docs/firewall-policies)
|
||||
do not map precisely to requirements (e.g. SA, etc.)
|
||||
|
||||
This is the high level diagram:
|
||||
|
||||
![High-level diagram](diagram.png "High-level diagram")
|
||||
|
||||
The rules can be validated either using an automated process or a manual process (or a combination of
|
||||
the two). There is an example of a YAML-based validator using [Yamale](https://github.com/23andMe/Yamale)
|
||||
in the [`validator/`](validator/) subdirectory, which can be integrated as part of a CI/CD pipeline.
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
|
|
Binary file not shown.
Before Width: | Height: | Size: 69 KiB After Width: | Height: | Size: 290 KiB |
Loading…
Reference in New Issue