VMware Aria Automation Tools

  • 1.  Restrict Network Profile to specific Projects

    Posted Apr 17, 2024 11:45 AM

    Hi,

    Does anyone know if I can restrict a Cloud Assembly network profile so that it can only be used by a specific project?

    We have a network profile containing networks that we only want to be available to a specific project.  I know I can use network constraints on that project to tell it to use that profile, but we want to prevent any other projects from being able to use that profile.

    Other than setting an opposing network constraint tag on every other project, I can't see a way of doing this.  The risk here is that someone will create a project and forget to put a network constraint tag on and therefore allowing them to access the one we don't want them to.

    Any suggestions would be welcome.

    Tom



  • 2.  RE: Restrict Network Profile to specific Projects

    Posted May 20, 2024 10:56 AM

    You can create a tag in the project under Constraints > Network Constraints. Add a :hard value if it's a strict enforcement. Then you can apply that same tag to the appropriate network(s) in the applicable network profile.




  • 3.  RE: Restrict Network Profile to specific Projects

    Posted May 21, 2024 02:19 AM

    Thanks, but that wouldn't prevent another project from being able to use that network profile.

    It doesn't look like there is a way of doing it.




  • 4.  RE: Restrict Network Profile to specific Projects

    Posted May 22, 2024 01:45 AM

    I haven't yet had a look to see, but I'm curious if you could trigger an approval to catch the use of that network?




  • 5.  RE: Restrict Network Profile to specific Projects

    Posted May 22, 2024 04:39 AM

    That's a good suggestion, but I'm struggling to find a criteria which can catch this.

    There isn't an approval criterion for network profiles, so I've tried using the criteria "Resources, has any, tags, has any, Value, equals, <name of tag applied to existing network>", but that doesn't seem to work.  I also tried the same but using the tag applied to a security group defined in the network profile, but it also doesn't apply.

    I'll keep experimenting as it feels like I'm close.

    Thanks for your help.




  • 6.  RE: Restrict Network Profile to specific Projects

    Posted May 22, 2024 09:39 AM
    Edited by kawaman May 23, 2024 06:10 AM
    In Cloud Assembly, network profiles define the networks that are available for use in deployments, and network constraints determine which network profiles can be used by specific projects or deployments. However, as of my last update, there isn't a built-in feature to restrict a network profile to only be available for a specific project.
     
    To achieve the desired restriction, you might need to implement some additional controls or workflows. Here are some approaches you could consider:
     
    1. **Documentation and Training**: Clearly document the usage of network profiles and network constraints in your organization's deployment process. Provide training to ensure that team members understand the importance of properly configuring network constraints for projects.
     
    2. **Automated Checks**: Implement automated checks or validation scripts as part of your deployment pipeline or CI/CD process. These checks can verify that every project has a network constraint configured and that it points to the appropriate network profile. This helps catch any misconfigurations early in the deployment process.
     
    3. **Policy Enforcement**: Enforce policies or governance rules within your organization to mandate the proper configuration of network constraints for projects. This could involve incorporating network constraint configuration into your organization's governance policies or using policy enforcement tools provided by your cloud provider.
     
    4. **Custom Integration**: Explore if your cloud provider's APIs or infrastructure-as-code tools allow for custom integrations or extensions to enforce constraints at a deeper level. You might be able to develop custom scripts or integrations that automatically apply network constraints based on project membership or other criteria.
     
    5. **Regular Audits**: Conduct regular audits or reviews of project configurations to ensure compliance with network constraint policies. This can help identify any projects that are not properly configured and take corrective actions as needed.
     
    6. **Feedback Loop**: Establish a feedback loop where team members can report any instances of misconfigured network constraints or unauthorized network profile usage. Use this feedback to continuously improve your deployment processes and controls.
     
    By combining these approaches, you can help mitigate the risk of unauthorized access to network profiles and ensure that only the intended projects have access to specific networks.
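    The "Automated Checks" item above can be made concrete. The script below is an added example, not code from the original post or from VMware: it audits a project list shaped like the IaaS API response for GET /iaas/api/projects and flags every project that is not on the allow-list yet lacks a hard constraint excluding the restricted network tag. The sample response, the tag `net:secret`, the project names and the assumption that a `:hard` constraint appears in the API as `mandatory: true` are all mine; the point is that the check is default-deny, so a newly created project with no constraints at all is reported rather than silently given access.

```python
"""Audit Aria Automation projects for a required hard network constraint.

Input is shaped like the IaaS API response for GET /iaas/api/projects:
a "content" list of projects, each carrying "constraints": {"network": [...]}.
Assumption: a "tag:hard" constraint in the UI is represented in the API as
{"expression": "tag", "mandatory": true}. The sample response is constructed.
"""
import json

# Constructed sample: only "ops-secret" may reach networks tagged net:secret;
# every other project must carry a hard constraint that excludes that tag.
SAMPLE_PROJECTS_RESPONSE = json.dumps({
    "content": [
        {"id": "p-1", "name": "ops-secret",
         "constraints": {"network": [{"expression": "net:secret", "mandatory": True}]}},
        {"id": "p-2", "name": "dev",
         "constraints": {"network": [{"expression": "!net:secret", "mandatory": True}]}},
        {"id": "p-3", "name": "qa",  # exclusion present but only a soft constraint
         "constraints": {"network": [{"expression": "!net:secret", "mandatory": False}]}},
        {"id": "p-4", "name": "new-team", "constraints": {}},  # forgot the tag entirely
    ]
})

RESTRICTED_TAG = "net:secret"
ALLOWED_PROJECTS = {"ops-secret"}


def excludes_tag(constraint, tag):
    """True only for a hard exclusion of `tag`, i.e. expression "!tag" with mandatory set."""
    expression = constraint.get("expression", "").strip()
    return bool(constraint.get("mandatory", False)) and expression == "!" + tag


def audit_projects(response_json, restricted_tag=RESTRICTED_TAG, allowed=ALLOWED_PROJECTS):
    """Return names of projects that are not allowed to use the restricted tag
    and do not carry a hard constraint excluding it (default deny)."""
    projects = json.loads(response_json)["content"]
    findings = []
    for project in projects:
        if project["name"] in allowed:
            continue
        network_constraints = project.get("constraints", {}).get("network", [])
        if not any(excludes_tag(c, restricted_tag) for c in network_constraints):
            findings.append(project["name"])
    return findings


if __name__ == "__main__":
    for name in audit_projects(SAMPLE_PROJECTS_RESPONSE):
        print(f"missing hard !{RESTRICTED_TAG} constraint: {name}")
```

Run against the live API by replacing `SAMPLE_PROJECTS_RESPONSE` with the body of an authenticated GET to /iaas/api/projects (paging through `content`); scheduling it, or running it from a pipeline on every project creation, is what turns the check into the "catch it early" control the post describes.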




  • 7.  RE: Restrict Network Profile to specific Projects

    Posted May 22, 2024 10:18 AM

    Thanks Sharon, all very helpful suggestions.  We will look to incorporate some of these recommendations into our project / profile creation process.




  • 8.  RE: Restrict Network Profile to specific Projects

    Posted May 24, 2024 03:44 PM

    Looking into this, I see where an extensibility subscription on event topic "network configure" exposes both the projectId and networkProfileIds. I have been attempting to see if it would fail the build if the 

    projectId != "top secret project id" && networkProfileIds.contains(new network Profile Id)
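    One way to turn the condition sketched above into an enforcing control, as an added example rather than code from the original post or from VMware: a Python ABX action attached to a blocking subscription on the "network configure" event topic, where raising an exception fails the request. It reads `projectId` and `networkProfileIds` from the event payload, as the post reports the topic exposes them, and refuses any restricted profile to a project not on its allow-list. The profile and project IDs are constructed placeholders, and the allow-list is intentionally default-deny so a project created without any constraint tag is still refused.

```python
"""Blocking ABX action for the "network configure" event topic.

Denies the request when a restricted network profile is selected by a project
that is not on that profile's allow-list. Raising inside a blocking
subscription fails the request; all IDs below are constructed placeholders.
"""

# Constructed allow-list: restricted network profile id -> project ids permitted
# to use it. Default deny: a profile listed here is refused to every other project.
RESTRICTED_PROFILES = {
    "net-profile-secret-0001": {"project-top-secret-0001"},
}


class NetworkProfileDenied(Exception):
    """Raised to fail the request; the message shows up in the request history."""


def check_access(project_id, network_profile_ids, restricted=RESTRICTED_PROFILES):
    """Return the restricted profile ids this project may not use (empty means allowed)."""
    denied = []
    for profile_id in network_profile_ids or []:
        allowed_projects = restricted.get(profile_id)
        if allowed_projects is not None and project_id not in allowed_projects:
            denied.append(profile_id)
    return denied


def handler(context, inputs):
    """ABX entry point. `inputs` carries the event payload, which for this topic
    includes projectId and networkProfileIds (per the thread above)."""
    project_id = inputs.get("projectId")
    profile_ids = inputs.get("networkProfileIds", [])
    denied = check_access(project_id, profile_ids)
    if denied:
        raise NetworkProfileDenied(
            f"project {project_id} may not use network profile(s): {', '.join(denied)}"
        )
    # Allowed: return the payload unchanged so the request continues.
    return inputs
```

The subscription must be marked blocking for the exception to stop the request; a non-blocking subscription would only log the failure. Keeping the allow-list keyed by profile ID rather than by tag means the check does not depend on anyone remembering to tag a new project.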