[ID-1315] Download list of Azure IP addresses #1736

Draft: wants to merge 2 commits into develop


samanehsan
Contributor

Jira ticket: https://broadworkbench.atlassian.net/browse/ID-1315

Addresses

DRSHub now sends the client IP address in the request header when resolving a DRS URI. If AnVIL data is being requested and the IP address is not from Azure, TDR should reject the request to prevent egress charges. In order to do this, TDR needs to get and maintain a list of Azure IP addresses.

Summary of changes

Download the list of Azure IPs (published weekly) and create a mapping of region ids to IP addresses to be used in the DrsService.

Testing Strategy

This will eventually be used to ensure
only requests from Azure IP addresses are
allowed to access Anvil data on Azure (to
prevent egress charges).
public Map<Integer, List<String>> azureIPs() throws IOException {
URL url =
new URL(
"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20240708.json");
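
Review bot: The URL literal in `azureIPs()` pins one dated snapshot (`ServiceTags_Public_20240708.json`), so the map never picks up ranges published after that date; take the location from configuration and refresh it on a schedule rather than compiling it in. The signature also propagates `IOException` and returns `List<String>`: since this list is meant to decide whether a request is allowed, state what callers do when the download fails (for example, keep the last good list instead of an empty map), and consider returning parsed prefixes rather than raw strings so the later comparison is a range check and not string equality.
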
Contributor Author

@samanehsan samanehsan Jul 15, 2024

I just hard-coded this url for testing btw. It actually changes when the file is updated once a week so our options are to:

  1. Parse the download url from https://www.microsoft.com/en-us/download/details.aspx?id=56519
  2. Use the https://learn.microsoft.com/en-us/rest/api/virtualnetwork/service-tags/list?view=rest-virtualnetwork-2024-01-01 API endpoint (this requires a subscription id though)

ah dang yeah that's annoying, I think using the API endpoint is the move, not sure about the subscription we should use for that though, I'd ask about it in #dsp-azure

Contributor

The second object won't get us Azure IP ranges. It'll just list the Public IPs within a subscription, which are a specific Azure resource.

ObjectMapper objectMapper = new ObjectMapper();
JsonNode data = objectMapper.readTree(url);
JsonNode values = data.get("values");
// Map {Region ID: List of IP addresses}
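
Review bot: `data.get("values")` returns null when the field is absent, so an error page or a changed schema at that URL would only surface later as a NullPointerException; use `data.path("values")` or check `values != null && values.isArray()` and fail the refresh with a clear error. `objectMapper.readTree(url)` also opens the connection with default settings, which means no connect or read timeout and no limit on response size, so fetch the body separately with bounded timeouts and parse the result.
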
Contributor Author

I'm mapping based on the region id here, since we may need to only allow IPs from certain regions for AXIN. I'm still trying to find the regions those ids correspond to...

Contributor

@tlangs tlangs left a comment

I think it would be helpful to use something like https://seancfoley.github.io/IPAddress/. That way, we have the utilities to check if a given IP is in a cidr block, and other useful features!
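
A sketch of the CIDR membership check suggested in the comment above, using the IPAddress library it links to. This is an added example, not code from the pull request; the class name `AzureIpAllowList`, its methods, and the region ids and prefixes are assumptions constructed for illustration.

```java
import inet.ipaddr.IPAddress;
import inet.ipaddr.IPAddressString;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

// Added example, not code from this pull request. AzureIpAllowList and its
// methods are hypothetical; the region ids and prefixes below are constructed.
public class AzureIpAllowList {
  private final Map<Integer, List<IPAddress>> blocksByRegion = new TreeMap<>();

  // Parse every CIDR string once at load time. A malformed entry aborts the
  // load instead of silently shrinking the allow list.
  public AzureIpAllowList(Map<Integer, List<String>> prefixesByRegion) {
    prefixesByRegion.forEach((regionId, cidrs) -> {
      List<IPAddress> blocks = new ArrayList<>();
      for (String cidr : cidrs) {
        IPAddress block = new IPAddressString(cidr).getAddress();
        if (block == null || !block.isPrefixed()) {
          throw new IllegalArgumentException("Not a CIDR prefix: " + cidr);
        }
        blocks.add(block.toPrefixBlock());
      }
      blocksByRegion.put(regionId, blocks);
    });
  }

  // Fail closed: blank, unparseable, ranged or prefixed input is rejected.
  public boolean isAllowed(String clientIp, Set<Integer> allowedRegionIds) {
    if (clientIp == null || clientIp.isBlank()) return false;
    IPAddress client = new IPAddressString(clientIp.trim()).getAddress();
    if (client == null || client.isMultiple() || client.isPrefixed()) return false;
    return allowedRegionIds.stream()
        .flatMap(id -> blocksByRegion.getOrDefault(id, List.of()).stream())
        .anyMatch(block -> block.contains(client));
  }

  public static void main(String[] args) {
    AzureIpAllowList list = new AzureIpAllowList(Map.of(
        1, List.of("203.0.113.0/24", "2001:db8:100::/48"), // constructed
        2, List.of("198.51.100.0/25")));                    // constructed
    System.out.println(list.isAllowed("203.0.113.77", Set.of(1)));       // inside region 1
    System.out.println(list.isAllowed("198.51.100.200", Set.of(2)));     // outside the /25
    System.out.println(list.isAllowed("2001:db8:100::5", Set.of(1, 2))); // IPv6 prefix
    System.out.println(list.isAllowed("203.0.113.0/24", Set.of(1)));     // not a single address
  }
}
```

The library's default parser accepts ranges and wildcards as well as single addresses, which is why `isAllowed` rejects anything that is not exactly one address before comparing.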
