- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control. - Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities. - Created .gitmodules to include OpenZeppelin contracts as a submodule. - Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment. - Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks. - Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring. - Created scripts for resource import and usage validation across non-US regions. - Added tests for CCIP error handling and integration to ensure robust functionality. - Included various new files and directories for the orchestration portal and deployment scripts.
NSG Dual Configuration Analysis
Current Situation
The Nginx proxy has TWO Network Security Groups affecting it:
1. NIC-Level NSG (az-p-wst-proxy-nginx-nsg) ✅ CORRECT
Attached to: Network Interface (az-p-wst-proxy-nginx-nic)
| Priority | Name | Port | Protocol | Status |
|---|---|---|---|---|
| 1000 | AllowHTTP | 80 | TCP | ✅ Correct |
| 1001 | AllowHTTPS | 443 | TCP | ✅ Correct |
| 1002 | AllowSSH | 22 | TCP | ✅ Correct |
| 2000 | AllowOutboundBackend | Any | Any | ✅ Correct |
Status: ✅ This NSG has the correct rules
2. Subnet-Level NSG (az-p-wst-proxy-vm-nsg) ❌ WRONG
Attached to: Subnet (az-p-wst-proxy-vm-subnet)
| Priority | Name | Port | Protocol | Status |
|---|---|---|---|---|
| 1000 | AllowSSH | 22 | TCP | ✅ OK |
| 1001 | AllowP2PTCP | 30303 | TCP | ❌ Not needed on Nginx |
| 1002 | AllowP2PUDP | 30303 | UDP | ❌ Not needed on Nginx |
| 1003 | AllowRPCHTTP | 8545 | TCP | ❌ Not needed on Nginx |
| 1004 | AllowRPCWS | 8546 | TCP | ❌ Not needed on Nginx |
| 1005 | AllowMetrics | 9545 | TCP | ❌ Not needed on Nginx |
Status: ❌ This NSG has rules for Besu nodes, not Nginx proxy
How Azure Evaluates Multiple NSGs
When both subnet-level and NIC-level NSGs are present:
- Both NSGs are evaluated
- Rules are combined (union of both)
- Most permissive rule wins (if one allows, traffic is allowed)
- Deny rules take precedence (if one denies, traffic is denied)
Current Effective Rules
The Azure portal shows "Effective security rules: 0", which may indicate:
- Rules are being evaluated but not displayed
- There's a conflict in rule evaluation
- The effective rules view needs refresh
Analysis
Ports 80 and 443 Status
- NIC NSG: ✅ Has ports 80 and 443
- Subnet NSG: ❌ Missing ports 80 and 443
Result: Ports 80 and 443 should be accessible because:
- NIC NSG allows them (priority 1000, 1001)
- Subnet NSG doesn't explicitly deny them
- Azure combines rules (union), so NIC NSG rules apply
Unnecessary Rules
The subnet NSG has rules for:
- Port 30303 (P2P): Besu peer-to-peer networking
- Port 8545/8546 (RPC): Besu RPC endpoints
- Port 9545 (Metrics): Besu metrics
These belong on backend Besu VMs, not the Nginx proxy subnet.
Recommendations
Option 1: Remove Subnet NSG from Nginx Subnet (Recommended)
If the Nginx proxy is the only VM in this subnet:
- Detach `az-p-wst-proxy-vm-nsg` from the subnet
- Keep only the NIC-level NSG (`az-p-wst-proxy-nginx-nsg`)
- This simplifies configuration and removes unnecessary rules
Option 2: Update Subnet NSG Rules
If other VMs share this subnet:
- Add ports 80 and 443 to subnet NSG
- Remove P2P/RPC/Metrics rules (they don't belong on Nginx)
- Keep NIC-level NSG for Nginx-specific rules
Option 3: Keep Both (Current State)
- Current configuration should work (NIC NSG has correct rules)
- Subnet NSG rules are unnecessary but shouldn't block traffic
- Ports 80 and 443 should be accessible via NIC NSG
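Azure documents inbound evaluation as: the subnet NSG is processed first, then the NIC NSG, and traffic must be allowed by both; every NSG also carries the default inbound rules, the last of which is DenyAllInBound at priority 65500, so a port with no matching custom rule in the subnet NSG is denied there before the NIC NSG is ever consulted. The script below is an added example (not part of the original analysis) that models that evaluation order against the two rule tables above and against the Option 1 (subnet NSG detached) and Option 2 (subnet NSG updated) layouts. The `Rule` type, the rule-set names and the port/protocol/source matching are the example's own simplification of the real NSG rule fields.

```python
"""Model of Azure NSG inbound evaluation for the dual-NSG Nginx proxy setup.

Added example: a simplified reasoning aid, not an Azure SDK or CLI call.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    port: str          # destination port, e.g. "80", or "*" for any
    protocol: str      # "TCP", "UDP" or "*"
    access: str        # "Allow" or "Deny"
    source: str = "*"  # "*" = any source; "VirtualNetwork"; "AzureLoadBalancer"


# Default inbound rules Azure adds to every NSG (lowest precedence).
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "*", "*", "Allow", source="VirtualNetwork"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "*", "*", "Allow", source="AzureLoadBalancer"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
]

# NIC-level NSG (az-p-wst-proxy-nginx-nsg) inbound rules from the table above.
# AllowOutboundBackend (2000) is an outbound rule and is not part of inbound evaluation.
NIC_NSG = [
    Rule(1000, "AllowHTTP", "80", "TCP", "Allow"),
    Rule(1001, "AllowHTTPS", "443", "TCP", "Allow"),
    Rule(1002, "AllowSSH", "22", "TCP", "Allow"),
]

# Subnet-level NSG (az-p-wst-proxy-vm-nsg) inbound rules from the table above.
SUBNET_NSG = [
    Rule(1000, "AllowSSH", "22", "TCP", "Allow"),
    Rule(1001, "AllowP2PTCP", "30303", "TCP", "Allow"),
    Rule(1002, "AllowP2PUDP", "30303", "UDP", "Allow"),
    Rule(1003, "AllowRPCHTTP", "8545", "TCP", "Allow"),
    Rule(1004, "AllowRPCWS", "8546", "TCP", "Allow"),
    Rule(1005, "AllowMetrics", "9545", "TCP", "Allow"),
]


def option2_subnet_rules():
    """Subnet NSG after Option 2: add 80/443, drop the Besu P2P/RPC/Metrics rules."""
    return [
        Rule(1000, "AllowSSH", "22", "TCP", "Allow"),
        Rule(1001, "AllowHTTP", "80", "TCP", "Allow"),
        Rule(1002, "AllowHTTPS", "443", "TCP", "Allow"),
    ]


def matches(rule, port, protocol, source):
    """A rule matches when port, protocol and source each equal the rule's value or the rule uses '*'."""
    port_ok = rule.port in ("*", port)
    proto_ok = rule.protocol in ("*", protocol)
    source_ok = rule.source in ("*", source)
    return port_ok and proto_ok and source_ok


def evaluate_nsg(rules, port, protocol, source):
    """First matching rule in priority order decides; defaults guarantee a match."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if matches(rule, port, protocol, source):
            return rule.access, rule.name
    raise AssertionError("DenyAllInBound should always match")


def inbound_allowed(subnet_rules, nic_rules, port, protocol="TCP", source="Internet"):
    """Subnet NSG first, then NIC NSG; a Deny at either level ends evaluation.

    Pass None for a level that has no NSG attached (e.g. Option 1).
    Returns (allowed, trace) where trace lists (level, rule name, access).
    """
    trace = []
    for level, rules in (("subnet", subnet_rules), ("nic", nic_rules)):
        if rules is None:
            continue  # no NSG at this level: nothing to evaluate
        access, name = evaluate_nsg(rules, port, protocol, source)
        trace.append((level, name, access))
        if access == "Deny":
            return False, trace
    return True, trace


if __name__ == "__main__":
    layouts = {
        "current (both NSGs)": (SUBNET_NSG, NIC_NSG),
        "option 1 (subnet NSG detached)": (None, NIC_NSG),
        "option 2 (subnet NSG updated)": (option2_subnet_rules(), NIC_NSG),
    }
    for label, (subnet, nic) in layouts.items():
        for port in ("80", "443", "22", "30303"):
            ok, trace = inbound_allowed(subnet, nic, port)
            print(f"{label:32} port {port:>5}: {'ALLOW' if ok else 'DENY '}  {trace}")
```

Under the current layout the model denies Internet traffic to 80 and 443 at the subnet NSG (DenyAllInBound), allows 22, and denies 30303 at the NIC NSG even though the subnet NSG allows it, which is the "both must allow" behaviour; Options 1 and 2 both allow 80 and 443. The authoritative check on a live deployment is `az network nic list-effective-nsg` for the proxy NIC, which lists the rules Azure actually applies from both NSGs.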
Verification
To verify ports 80 and 443 are accessible:
```bash
# Test HTTP
curl -I http://20.160.58.99
# Test HTTPS
curl -I https://20.160.58.99
# Test via Cloudflare
curl -I https://rpc.d-bis.org
```
Conclusion
- ✅ Ports 80 and 443 ARE configured (via NIC NSG)
- ⚠️ Subnet NSG has unnecessary rules (P2P/RPC/Metrics)
- ✅ Traffic should work (NIC NSG rules take precedence)
Recommendation: Remove subnet NSG from Nginx subnet or update it to match NIC NSG rules.
Status: ✅ Ports 80/443 Configured via NIC NSG
The NIC-level NSG has the correct rules. The subnet NSG has unnecessary rules but shouldn't block traffic.