smom-dbis-138/terraform/phases/phase1/ARCHITECTURE_UPDATE.md
defiQUG 1fb7266469 Add Oracle Aggregator and CCIP Integration
- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control.
- Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities.
- Created .gitmodules to include OpenZeppelin contracts as a submodule.
- Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment.
- Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks.
- Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring.
- Created scripts for resource import and usage validation across non-US regions.
- Added tests for CCIP error handling and integration to ensure robust functionality.
- Included various new files and directories for the orchestration portal and deployment scripts.
2025-12-12 14:57:48 -08:00


# Phase 1 Architecture Update: Cloudflare Tunnel + Private IPs
## Updated Architecture
### Network Configuration
- **Backend VMs (5 US regions)**: Private IPs only (no public IPs)
- **Nginx Proxy (West Europe)**: Public IP (for Cloudflare Tunnel connection)
- **Cloudflare Tunnel**: Terminates on the Nginx proxy (public IP) via an outbound `cloudflared` connection; Cloudflare handles DNS and SSL termination for the public hostname
### Security Benefits
1. **Reduced Attack Surface**: Backend VMs have no public IPs, so they are not directly reachable from the internet
2. **Cloudflare Protection**: DDoS protection, WAF, and SSL/TLS handled by Cloudflare
3. **No Inbound Ports**: Cloudflare Tunnel uses outbound connection only
4. **Private Network**: Backend VMs communicate via private IPs (once VPN is deployed)
## Changes Made
### 1. VM Module Updates
- Removed public IP creation for "besu-node" type
- Only "sentry" and "rpc" node types get public IPs (if needed in future)
- Backend VMs now use private IPs only
### 2. Nginx Proxy Updates
- Updated to use private IPs for backend connectivity
- Added Cloudflare Tunnel installation and configuration
- Created systemd service for Cloudflare Tunnel
- Added setup instructions in cloud-init script
### 3. NSG Rules
- Updated comments to reflect VPN/ExpressRoute requirement
- Noted that RPC rules should be restricted to Nginx proxy subnet once VPN is deployed
## Cross-Region Connectivity Requirement
**Important**: Backend VMs are in US regions while the Nginx proxy is in West Europe. Since backend VMs use private IPs only, cross-region connectivity requires one of the following options:
### Option 1: Azure VPN/ExpressRoute (Recommended)
- Deploy VPN Gateway or ExpressRoute
- Connect all regions via VPN
- Nginx proxy can reach backend VMs via private IPs
- Most secure option for production
### Option 2: Cloudflare Tunnel on Each Backend VM
- Install Cloudflare Tunnel agent on each backend VM
- Each VM exposes RPC endpoints via Cloudflare Tunnel
- Nginx proxy connects to Cloudflare Tunnel endpoints
- Simpler setup, but requires Cloudflare Tunnel on each VM
### Option 3: Temporary Public IPs (Testing Only)
- For initial testing, temporarily enable public IPs
- Restrict NSG rules to Nginx proxy IP only
- Not recommended for production
## Cloudflare Tunnel Setup
See `CLOUDFLARE_TUNNEL_SETUP.md` for detailed setup instructions.
Quick steps:
1. SSH to Nginx proxy VM
2. Run `cloudflared tunnel login`
3. Run `cloudflared tunnel create <tunnel-name>`
4. Configure `/etc/cloudflared/config.yml`
5. Enable and start `cloudflared` service
6. Configure DNS in Cloudflare Dashboard
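Steps 4 and 5 above as an added example (not code from this repository): it renders the `/etc/cloudflared/config.yml` for the Nginx proxy with the required catch-all ingress rule, then checks that every origin is loopback or a private address before the service is enabled. The tunnel UUID, the public hostname and nginx listening on `127.0.0.1:80` are assumed placeholders.

```bash
# Added example, not from the repo: renders the /etc/cloudflared/config.yml from
# step 4 of the quick steps and checks it before the service is enabled (step 5).
# Assumptions (placeholders): the tunnel UUID and public hostname passed in;
# nginx on the proxy VM listens on 127.0.0.1:80.
set -e

# Render the cloudflared config. The origin is the local nginx, so cloudflared
# and nginx talk over loopback and nothing new listens on the proxy's public IP.
render_cloudflared_config() {
  tunnel_id="$1"; hostname="$2"; origin="$3"
  cat <<EOF
tunnel: ${tunnel_id}
credentials-file: /etc/cloudflared/${tunnel_id}.json
ingress:
  - hostname: ${hostname}
    service: ${origin}
  # Catch-all: requests for any other hostname get a 404, never the origin.
  - service: http_status:404
EOF
}

# Structural checks: the last ingress rule must be a catch-all (no hostname),
# and every HTTP origin must be loopback or RFC 1918 so the tunnel only ever
# fronts the private side of the design. Uses cloudflared's validator if present.
check_cloudflared_config() {
  file="$1"
  last=$(grep -E '^[[:space:]]*- ' "$file" | tail -n 1)
  case "$last" in
    *hostname:*) echo "last ingress rule must be a catch-all" >&2; return 1 ;;
    *service:*) ;;
    *) echo "no catch-all service rule" >&2; return 1 ;;
  esac
  if grep -E '^[[:space:]]+service: https?://' "$file" \
     | grep -Ev '://(127\.0\.0\.1|localhost|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' >/dev/null; then
    echo "an origin is neither loopback nor a private IP" >&2; return 1
  fi
  if command -v cloudflared >/dev/null 2>&1; then
    cloudflared tunnel --config "$file" ingress validate
  fi
}

# Steps 4 and 5 on the Nginx proxy VM (run as root after `cloudflared tunnel create`).
setup_nginx_proxy_tunnel() {
  mkdir -p /etc/cloudflared
  render_cloudflared_config "$1" "$2" http://127.0.0.1:80 > /etc/cloudflared/config.yml
  check_cloudflared_config /etc/cloudflared/config.yml
  cloudflared service install      # installs the systemd unit for this config
  systemctl enable --now cloudflared
}

if [ "${1-}" = "--install" ]; then setup_nginx_proxy_tunnel "$2" "$3"; fi
```

Invoke as `./setup-tunnel.sh --install <tunnel-uuid> <hostname>` on the proxy; the check functions can also be run against an existing config file before restarting the service.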
## Next Steps
1. **Deploy Phase 1 infrastructure** (with current configuration)
2. **Set up Cloudflare Tunnel** on Nginx proxy
3. **Deploy VPN/ExpressRoute** for backend connectivity OR
4. **Install Cloudflare Tunnel** on each backend VM
5. **Test end-to-end connectivity**
6. **Restrict NSG rules** to specific IP ranges once connectivity is established
## Files Modified
- `terraform/modules/vm-deployment/main.tf`: Removed public IPs for "besu-node" type
- `terraform/modules/vm-deployment/outputs.tf`: Updated outputs
- `terraform/modules/nginx-proxy/nginx-cloud-init.yaml`: Added Cloudflare Tunnel setup
- `terraform/phases/phase1/phase1-main.tf`: Updated backend_vms to use private IPs only
- `terraform/modules/networking-vm/main.tf`: Updated NSG rule comments
## Documentation Created
- `CLOUDFLARE_TUNNEL_SETUP.md`: Detailed Cloudflare Tunnel setup guide
- `ARCHITECTURE_UPDATE.md`: This file