Thanks Sharon, all very helpful suggestions. We will look to incorporate some of these recommendations into our project / profile creation process.
Original Message:
Sent: May 22, 2024 02:44 AM
From: Sharon Fontaine
Subject: Restrict Network Profile to specific Projects
In Cloud Assembly, network profiles define the networks that are available for use in deployments, and network constraints determine which network profiles can be used by specific projects or deployments. However, as of my last update, there isn't a built-in feature to restrict a network profile to only be available for a specific project.
To achieve the desired restriction, you might need to implement some additional controls or workflows. Here are some approaches you could consider:
1. **Documentation and Training**: Clearly document the usage of network profiles and network constraints in your organization's deployment process. Provide training to ensure that team members understand the importance of properly configuring network constraints for projects.
2. **Automated Checks**: Implement automated checks or validation scripts as part of your deployment pipeline or CI/CD process. These checks can verify that every project has a network constraint configured and that it points to the appropriate network profile. This helps catch any misconfigurations early in the deployment process.
3. **Policy Enforcement**: Enforce policies or governance rules within your organization to mandate the proper configuration of network constraints for projects. This could involve incorporating network constraint configuration into your organization's governance policies or using policy enforcement tools provided by your cloud provider.
4. **Custom Integration**: Explore if your cloud provider's APIs or infrastructure-as-code tools allow for custom integrations or extensions to enforce constraints at a deeper level. You might be able to develop custom scripts or integrations that automatically apply network constraints based on project membership or other criteria.
5. **Regular Audits**: Conduct regular audits or reviews of project configurations to ensure compliance with network constraint policies. This can help identify any projects that are not properly configured and take corrective actions as needed.
6. **Feedback Loop**: Establish a feedback loop where team members can report any instances of misconfigured network constraints or unauthorized network profile usage. Use this feedback to continuously improve your deployment processes and controls.
By combining these approaches, you can help mitigate the risk of unauthorized access to network profiles and ensure that only the intended projects have access to specific networks.
Original Message:
Sent: May 20, 2024 10:55 AM
From: Deadpööl
Subject: Restrict Network Profile to specific Projects
You can create a tag in the project under Constraints > Network Constraints. Add a :hard value if it's a strict enforcement. Then you can apply that same tag to the appropriate network(s) in the applicable network profile.
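The automated check suggested in Sharon's reply, combined with the hard constraint tag described in this one, could look like the following. This is an added example, not part of the original thread or of any VMware tooling. It runs on constructed sample data, and the field names, the tag `net:restricted`, the `!` notation for an opposing tag and the project names are all assumptions.

```python
RESTRICTED_TAG = "net:restricted"      # hypothetical tag applied to the protected networks
ALLOWED_PROJECTS = {"secure-project"}  # hypothetical project permitted to use them

# Constructed sample export; field names are assumptions, not a documented schema.
PROJECTS = [
    {"name": "secure-project",
     "constraints": {"network": [{"expression": "net:restricted", "mandatory": True}]}},
    {"name": "web-team",
     "constraints": {"network": [{"expression": "net:general", "mandatory": True}]}},
    {"name": "new-project", "constraints": {}},  # created without any constraint
    {"name": "soft-only",
     "constraints": {"network": [{"expression": "net:general", "mandatory": False}]}},
    {"name": "rogue",
     "constraints": {"network": [{"expression": "net:restricted", "mandatory": True}]}},
    {"name": "opposed",  # opposing tag; the "!" notation is an assumption
     "constraints": {"network": [{"expression": "!net:restricted", "mandatory": True}]}},
]


def hard_expressions(project):
    """Return the expressions of the project's hard (mandatory) network constraints."""
    network = (project.get("constraints") or {}).get("network") or []
    return [c.get("expression", "") for c in network if c.get("mandatory") is True]


def audit_project(project, tag=RESTRICTED_TAG, allowed=ALLOWED_PROJECTS):
    """Return a finding string for one project, or None if it is compliant."""
    hard = hard_expressions(project)
    if project["name"] in allowed:
        return None if tag in hard else "allowed project lacks hard constraint on restricted tag"
    if tag in hard:
        return "unauthorized project targets the restricted tag"
    if not hard:
        # Soft or missing constraints do not stop placement on the restricted networks.
        return "no hard network constraint configured"
    return None


def audit(projects):
    """Map project name -> finding for every non-compliant project."""
    results = ((p["name"], audit_project(p)) for p in projects)
    return {name: finding for name, finding in results if finding}


if __name__ == "__main__":
    for name, finding in audit(PROJECTS).items():
        print(f"FAIL {name}: {finding}")
```

A project that passes because it has a hard constraint on some other tag is only isolated if the restricted networks do not also carry that tag, so the network tags need the same review.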
Original Message:
Sent: Apr 17, 2024 11:45 AM
From: TC100
Subject: Restrict Network Profile to specific Projects
Hi,
Does anyone know if I can restrict a Cloud Assembly network profile so that it can only be used by a specific project?
We have a network profile containing networks that we only want to be available to a specific project. I know I can use network constraints on that project to tell it to use that profile, but we want to prevent any other projects from being able to use that profile.
Other than setting an opposing network constraint tag on every other project, I can't see a way of doing this. The risk here is that someone will create a project and forget to put a network constraint tag on, therefore allowing them to access the one we don't want them to.
Any suggestions would be welcome.
Tom