smom-dbis-138/terraform/phases/phase1/ARCHITECTURE_UPDATE.md
defiQUG 1fb7266469 Add Oracle Aggregator and CCIP Integration
- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control.
- Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities.
- Created .gitmodules to include OpenZeppelin contracts as a submodule.
- Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment.
- Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks.
- Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring.
- Created scripts for resource import and usage validation across non-US regions.
- Added tests for CCIP error handling and integration to ensure robust functionality.
- Included various new files and directories for the orchestration portal and deployment scripts.
2025-12-12 14:57:48 -08:00

Phase 1 Architecture Update: Cloudflare Tunnel + Private IPs

Updated Architecture

Network Configuration

  • Backend VMs (5 US regions): Private IPs only (no public IPs)
  • Nginx Proxy (West Europe): Public IP (for Cloudflare Tunnel connection)
  • Cloudflare Tunnel: Connects to Nginx proxy public IP, handles DNS and SSL termination

Security Benefits

  1. Reduced Attack Surface: Backend VMs have no public IPs and are not directly reachable from the internet
  2. Cloudflare Protection: DDoS protection, WAF, and SSL/TLS handled by Cloudflare
  3. No Inbound Ports: Cloudflare Tunnel uses an outbound-only connection, so no inbound ports are opened for it
  4. Private Network: Backend VMs communicate via private IPs (once VPN is deployed)

Changes Made

1. VM Module Updates

  • Removed public IP creation for "besu-node" type
  • Only "sentry" and "rpc" node types get public IPs (if needed in future)
  • Backend VMs now use private IPs only

2. Nginx Proxy Updates

  • Updated to use private IPs for backend connectivity
  • Added Cloudflare Tunnel installation and configuration
  • Created systemd service for Cloudflare Tunnel
  • Added setup instructions in cloud-init script

3. NSG Rules

  • Updated comments to reflect VPN/ExpressRoute requirement
  • Noted that RPC rules should be restricted to Nginx proxy subnet once VPN is deployed
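The two changes above (public IPs only for "sentry" and "rpc" node types, and RPC NSG rules scoped to the Nginx proxy subnet rather than the whole internet) as an added Terraform example. This is not the project's own vm-deployment or networking-vm module code; the variable names (node_type, proxy_subnet_cidr, rpc_port, nsg_name and the usual location/resource group/subnet inputs), resource names and the rule priority are assumptions, and 8545 is simply Besu's default JSON-RPC port.

```hcl
# Added example, not the project's module code. Variable and resource
# names are assumptions; 8545 is Besu's default JSON-RPC port.

variable "node_type" {
  description = "One of: besu-node, sentry, rpc"
  type        = string
  validation {
    condition     = contains(["besu-node", "sentry", "rpc"], var.node_type)
    error_message = "node_type must be besu-node, sentry or rpc."
  }
}

variable "proxy_subnet_cidr" {
  description = "Address prefix of the Nginx proxy subnet (assumed input)"
  type        = string
}

variable "rpc_port" {
  description = "Besu JSON-RPC port (8545 is Besu's default)"
  type        = number
  default     = 8545
}

variable "location" { type = string }
variable "resource_group_name" { type = string }
variable "subnet_id" { type = string }
variable "nsg_name" { type = string }

locals {
  # Only these node types may carry a public IP; besu-node never does.
  public_ip_types = ["sentry", "rpc"]
  needs_public_ip = contains(local.public_ip_types, var.node_type)
}

# count = 0 for besu-node, so no public IP resource exists at all.
resource "azurerm_public_ip" "this" {
  count               = local.needs_public_ip ? 1 : 0
  name                = "${var.node_type}-pip"
  location            = var.location
  resource_group_name = var.resource_group_name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_network_interface" "this" {
  name                = "${var.node_type}-nic"
  location            = var.location
  resource_group_name = var.resource_group_name

  ip_configuration {
    name                          = "primary"
    subnet_id                     = var.subnet_id
    private_ip_address_allocation = "Dynamic"
    # null when no public IP exists, giving a private-IP-only NIC
    public_ip_address_id = local.needs_public_ip ? azurerm_public_ip.this[0].id : null
  }
}

# RPC is reachable only from the proxy subnet, never from "Internet" or "*".
resource "azurerm_network_security_rule" "rpc_from_proxy" {
  name                        = "allow-rpc-from-nginx-proxy"
  priority                    = 200
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = tostring(var.rpc_port)
  source_address_prefix       = var.proxy_subnet_cidr
  destination_address_prefix  = "*"
  resource_group_name         = var.resource_group_name
  network_security_group_name = var.nsg_name
}
```

Two things to check in the plan before applying this pattern to an existing environment: for besu-node VMs that already have a public IP, the count change shows up as a destroy of the public IP and an in-place NIC update, which is the intended outcome but does interrupt any client still using the old address; and the NSG rule should be the only inbound allow for the RPC port, since a lower-priority rule with source "*" would silently reopen it. Until the VPN or ExpressRoute from Option 1 below exists, the proxy subnet CIDR cannot actually reach the private IPs, which is why the page keeps the restriction as a post-connectivity step.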

Cross-Region Connectivity Requirement

Important: Backend VMs are in US regions while the Nginx proxy is in West Europe. Since backend VMs use private IPs only, cross-region connectivity requires one of the following options.

Option 1: VPN Gateway or ExpressRoute

  • Deploy VPN Gateway or ExpressRoute
  • Connect all regions via VPN
  • Nginx proxy can reach backend VMs via private IPs
  • Most secure option for production

Option 2: Cloudflare Tunnel on Each Backend VM

  • Install Cloudflare Tunnel agent on each backend VM
  • Each VM exposes RPC endpoints via Cloudflare Tunnel
  • Nginx proxy connects to Cloudflare Tunnel endpoints
  • Simpler setup, but requires Cloudflare Tunnel on each VM

Option 3: Temporary Public IPs (Testing Only)

  • For initial testing, temporarily enable public IPs
  • Restrict NSG rules to Nginx proxy IP only
  • Not recommended for production

Cloudflare Tunnel Setup

See CLOUDFLARE_TUNNEL_SETUP.md for detailed setup instructions.

Quick steps:

  1. SSH to Nginx proxy VM
  2. Run cloudflared tunnel login
  3. Run cloudflared tunnel create <tunnel-name>
  4. Configure /etc/cloudflared/config.yml
  5. Enable and start cloudflared service
  6. Configure DNS in Cloudflare Dashboard
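Steps 4 and 5 above, and the "Nginx Proxy Updates" change that put the Cloudflare Tunnel setup into the proxy's cloud-init, as an added Terraform example that renders /etc/cloudflared/config.yml, the tunnel credentials and a systemd unit into cloud-init user data. This is not the project's nginx-cloud-init.yaml; the variable names, the rpc.example.com hostname, the Nginx listen port (80), the cloudflared binary path and the dedicated "cloudflared" user are assumptions, and installing the cloudflared binary is assumed to happen earlier in the same cloud-init.

```hcl
# Added example, not the project's nginx-cloud-init.yaml. Variable names,
# hostname, Nginx port, binary path and service user are assumptions.

variable "tunnel_id" {
  description = "UUID printed by `cloudflared tunnel create <tunnel-name>` (step 3)"
  type        = string
}

variable "tunnel_credentials_json" {
  description = "Contents of the <tunnel-id>.json file written by `cloudflared tunnel create`"
  type        = string
  sensitive   = true
}

variable "rpc_hostname" {
  description = "Public hostname routed through the tunnel (assumed example value)"
  type        = string
  default     = "rpc.example.com"
}

locals {
  # Step 4: /etc/cloudflared/config.yml. Ingress rules match top to bottom;
  # the closing catch-all is mandatory (cloudflared refuses to start without
  # it) and turns any hostname not listed here into a 404 before Nginx.
  cloudflared_config = yamlencode({
    tunnel             = var.tunnel_id
    "credentials-file" = "/etc/cloudflared/${var.tunnel_id}.json"
    ingress = [
      { hostname = var.rpc_hostname, service = "http://127.0.0.1:80" },
      { service = "http_status:404" },
    ]
  })

  # Step 5: systemd unit. cloudflared only dials out to Cloudflare, so the
  # tunnel needs no inbound NSG rule; it runs as a dedicated system user.
  cloudflared_unit = <<-EOT
    [Unit]
    Description=Cloudflare Tunnel
    After=network-online.target
    Wants=network-online.target

    [Service]
    User=cloudflared
    ExecStart=/usr/local/bin/cloudflared --no-autoupdate --config /etc/cloudflared/config.yml tunnel run
    Restart=on-failure
    RestartSec=5s

    [Install]
    WantedBy=multi-user.target
  EOT

  # write_files runs before the users module, so ownership of /etc/cloudflared
  # is fixed in runcmd; "default" keeps the VM's normal login user.
  nginx_cloud_init = join("\n", ["#cloud-config", yamlencode({
    users = ["default", { name = "cloudflared", system = true, shell = "/usr/sbin/nologin" }]
    write_files = [
      { path = "/etc/cloudflared/config.yml", permissions = "0640", content = local.cloudflared_config },
      { path = "/etc/cloudflared/${var.tunnel_id}.json", permissions = "0600", content = var.tunnel_credentials_json },
      { path = "/etc/systemd/system/cloudflared.service", permissions = "0644", content = local.cloudflared_unit },
    ]
    runcmd = [
      "chown -R cloudflared:cloudflared /etc/cloudflared",
      "systemctl daemon-reload",
      "systemctl enable --now cloudflared",
    ]
  })])
}

# Rendered document, ready for the proxy VM's custom_data; marked sensitive
# because it embeds the tunnel credentials.
output "nginx_proxy_user_data" {
  value     = base64encode(local.nginx_cloud_init)
  sensitive = true
}
```

The output is what goes into the proxy VM's custom_data. The credentials file is the only secret in the rendering, which is why it is passed in as a sensitive variable rather than committed next to the cloud-init template, and why it gets mode 0600 while config.yml only needs 0640. Step 6 can be done from the same machine that ran step 3 with `cloudflared tunnel route dns <tunnel-name> <hostname>` instead of the dashboard.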

Next Steps

  1. Deploy Phase 1 infrastructure (with current configuration)
  2. Set up Cloudflare Tunnel on Nginx proxy
  3. Deploy VPN/ExpressRoute for backend connectivity OR
  4. Install Cloudflare Tunnel on each backend VM
  5. Test end-to-end connectivity
  6. Restrict NSG rules to specific IP ranges once connectivity is established

Files Modified

  • terraform/modules/vm-deployment/main.tf: Removed public IPs for "besu-node" type
  • terraform/modules/vm-deployment/outputs.tf: Updated outputs
  • terraform/modules/nginx-proxy/nginx-cloud-init.yaml: Added Cloudflare Tunnel setup
  • terraform/phases/phase1/phase1-main.tf: Updated backend_vms to use private IPs only
  • terraform/modules/networking-vm/main.tf: Updated NSG rule comments

Documentation Created

  • CLOUDFLARE_TUNNEL_SETUP.md: Detailed Cloudflare Tunnel setup guide
  • ARCHITECTURE_UPDATE.md: This file