- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control. - Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities. - Created .gitmodules to include OpenZeppelin contracts as a submodule. - Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment. - Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks. - Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring. - Created scripts for resource import and usage validation across non-US regions. - Added tests for CCIP error handling and integration to ensure robust functionality. - Included various new files and directories for the orchestration portal and deployment scripts.
NSG Rules Fix Required
Issue Identified
The deployed NSG rules for the Nginx proxy do not match the Terraform configuration and are missing critical ports.
Current Deployed NSG Rules (Incorrect)
| Priority | Name | Port | Protocol | Status |
|---|---|---|---|---|
| 1000 | AllowSSH | 22 | TCP | ✅ Correct |
| 1001 | AllowP2PTCP | 30303 | TCP | ❌ Not needed on Nginx |
| 1002 | AllowP2PUDP | 30303 | UDP | ❌ Not needed on Nginx |
| 1003 | AllowRPCHTTP | 8545 | TCP | ❌ Not needed on Nginx |
| 1004 | AllowRPCWS | 8546 | TCP | ❌ Not needed on Nginx |
| 1005 | AllowMetrics | 9545 | TCP | ❌ Not needed on Nginx |
Missing Critical Rules
| Priority | Name | Port | Protocol | Status |
|---|---|---|---|---|
| n/a (not deployed) | AllowHTTP | 80 | TCP | ❌ MISSING - REQUIRED |
| n/a (not deployed) | AllowHTTPS | 443 | TCP | ❌ MISSING - RECOMMENDED |
Terraform Configuration (Correct)
The Terraform configuration in terraform/modules/nginx-proxy/main.tf already has the correct rules:
| Priority | Name | Port | Protocol | Status |
|---|---|---|---|---|
| 1000 | AllowHTTP | 80 | TCP | ✅ Configured |
| 1001 | AllowHTTPS | 443 | TCP | ✅ Configured |
| 1002 | AllowSSH | 22 | TCP | ✅ Configured |
Why Ports 80 and 443 Are Required
Port 80 (HTTP) - REQUIRED
- Purpose: Nginx listens on port 80 for HTTP traffic
- Usage:
  - Cloudflare Tunnel connects to Nginx via localhost:80
  - Direct HTTP access (for testing/admin)
  - Health checks
- Status: ❌ MISSING - No HTTP client outside the VM can reach Nginx
- Caveat: NSG rules are enforced on traffic arriving at the NIC, not on loopback. If cloudflared runs on the Nginx VM (which the localhost:80 target implies), the tunnel keeps working without this rule; what the rule restores is direct access and health checks from other hosts. Restrict its source to the ranges that need it rather than leaving it open to any address.
Port 443 (HTTPS) - RECOMMENDED
- Purpose: Direct HTTPS access (if not using Cloudflare Tunnel exclusively)
- Usage:
  - Direct HTTPS connections (bypassing Cloudflare)
  - SSL/TLS termination at Nginx (if configured)
  - Testing and administration
- Status: ❌ MISSING - Limits access options
- Caveat: An origin that is reachable directly also lets anyone else bypass Cloudflare's filtering. If this rule is opened, limit the source to Cloudflare's published ranges or the admin ranges that need it.
Why P2P/RPC/Metrics Rules Are Not Needed
The currently deployed NSG has rules for:
- Port 30303 (P2P): Besu peer-to-peer networking, not needed on the Nginx proxy
- Port 8545/8546 (RPC): Besu RPC ports, not needed on the Nginx proxy
- Port 9545 (Metrics): Besu metrics, not needed on the Nginx proxy
These rules belong on the NSG of the backend Besu VMs, not the Nginx proxy. Nothing on the proxy listens on those ports, so the rules serve no purpose there and only widen what is reachable if a listener ever appears.
Fix Required
Option 1: Apply Terraform Configuration (Recommended)
cd terraform/phases/phase1
terraform apply
Run `terraform plan` first and review the diff before applying. The apply will:
- ✅ Add port 80 (HTTP) - Priority 1000
- ✅ Add port 443 (HTTPS) - Priority 1001
- ✅ Keep port 22 (SSH), moving it from priority 1000 to 1002
- ⚠️ Remove the P2P/RPC/Metrics rules, since they are not in the module configuration. That is the intended end state, but confirm in the plan that this NSG and its rules are actually managed by this Terraform state; if they were created outside Terraform, the plan will not show them and they must be deleted by hand.
Option 2: Manual NSG Rule Update
Add the missing rules manually via the Azure Portal or CLI. Two things to get right: priorities 1001 and 1002 are already taken on the deployed NSG (AllowP2PTCP and AllowP2PUDP), and Azure rejects a second inbound rule at a priority that is already in use, so either delete the unneeded rules first or use free priorities as below. The default source for `az network nsg rule create` is `*`; add `--source-address-prefixes` with the ranges that actually need to reach the proxy. Manual changes are not in Terraform state, so the next `terraform apply` will reconcile them back to the module's priorities (1000 and 1001).
# Add HTTP rule (priority 1010 is free on the deployed NSG)
az network nsg rule create \
--resource-group az-p-wst-rg-comp-001 \
--nsg-name <nsg-name> \
--name AllowHTTP \
--priority 1010 \
--direction Inbound \
--access Allow \
--protocol Tcp \
--destination-port-ranges 80
# Add HTTPS rule (priority 1011 is free on the deployed NSG)
az network nsg rule create \
--resource-group az-p-wst-rg-comp-001 \
--nsg-name <nsg-name> \
--name AllowHTTPS \
--priority 1011 \
--direction Inbound \
--access Allow \
--protocol Tcp \
--destination-port-ranges 443
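Before taking either option, it is worth diffing the deployed NSG against the expected rule set programmatically rather than by eye: it shows the missing and surplus rules, the SSH priority change, and the priority collisions that a manual `az network nsg rule create` would hit. The script below is an added example for this note, not part of the project's Terraform or scripts. It consumes the JSON shape printed by `az network nsg rule list -g <rg> --nsg-name <nsg-name> -o json`; the DEPLOYED_JSON sample is constructed from the deployed-rules table above, not captured output, and the expected sets are the Terraform rules and the Option 2 manual rules as listed in this document.

```python
"""Drift check for the Nginx proxy NSG: deployed inbound rules vs the expected set.

Added example for this note, not project code. Input mirrors the JSON from
`az network nsg rule list -g <rg> --nsg-name <nsg-name> -o json` (name, priority,
direction, access, protocol, destinationPortRange(s), sourceAddressPrefix(es)).
"""
import json

# Constructed sample of the deployed rules (from the table in this note), in az CLI JSON shape.
DEPLOYED_JSON = json.dumps([
    {"name": "AllowSSH",     "priority": 1000, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "22",    "sourceAddressPrefix": "*"},
    {"name": "AllowP2PTCP",  "priority": 1001, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "30303", "sourceAddressPrefix": "*"},
    {"name": "AllowP2PUDP",  "priority": 1002, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "destinationPortRange": "30303", "sourceAddressPrefix": "*"},
    {"name": "AllowRPCHTTP", "priority": 1003, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "8545",  "sourceAddressPrefix": "*"},
    {"name": "AllowRPCWS",   "priority": 1004, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "8546",  "sourceAddressPrefix": "*"},
    {"name": "AllowMetrics", "priority": 1005, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "9545",  "sourceAddressPrefix": "*"},
])

# Expected inbound rules per terraform/modules/nginx-proxy/main.tf (as tabulated in this note).
EXPECTED_TERRAFORM = {
    "AllowHTTP":  {"priority": 1000, "protocol": "Tcp", "port": "80"},
    "AllowHTTPS": {"priority": 1001, "protocol": "Tcp", "port": "443"},
    "AllowSSH":   {"priority": 1002, "protocol": "Tcp", "port": "22"},
}

# The two rules Option 2 would add by hand at priorities 1001 and 1002.
MANUAL_OPTION2 = {
    "AllowHTTP":  {"priority": 1001, "protocol": "Tcp", "port": "80"},
    "AllowHTTPS": {"priority": 1002, "protocol": "Tcp", "port": "443"},
}


def normalize(rules):
    """Reduce az CLI rule objects to name -> {priority, protocol, port, source}, inbound Allow only."""
    out = {}
    for r in rules:
        if r.get("direction") != "Inbound" or r.get("access") != "Allow":
            continue
        # az populates either the singular field or the plural list, not both.
        port = r.get("destinationPortRange") or ",".join(r.get("destinationPortRanges") or [])
        src = r.get("sourceAddressPrefix") or ",".join(r.get("sourceAddressPrefixes") or [])
        out[r["name"]] = {"priority": r["priority"], "protocol": r["protocol"],
                          "port": port, "source": src}
    return out


def _shape(rule):
    return (rule["priority"], rule["protocol"], rule["port"])


def diff_rules(deployed, expected):
    """Classify rules as missing, extra, mismatched, priority-conflicting, or open to any source."""
    missing = sorted(n for n in expected if n not in deployed)
    extra = sorted(n for n in deployed if n not in expected)
    mismatched = sorted(n for n in expected
                        if n in deployed and _shape(deployed[n]) != _shape(expected[n]))
    # Azure rejects two inbound rules at the same priority, so an expected rule whose
    # priority is held by a differently named deployed rule cannot be created until
    # that rule is deleted or re-prioritised.
    holder = {r["priority"]: n for n, r in deployed.items()}
    conflicts = sorted((n, holder[r["priority"]]) for n, r in expected.items()
                       if holder.get(r["priority"], n) != n)
    # Rules reachable from any address; acceptable for a public edge but worth listing.
    exposed = sorted(n for n, r in deployed.items() if r["source"] in ("*", "Internet"))
    return {"missing": missing, "extra": extra, "mismatched": mismatched,
            "priority_conflicts": conflicts, "internet_exposed": exposed}


def audit(deployed_json=DEPLOYED_JSON, expected=EXPECTED_TERRAFORM):
    """Run the check on az-style JSON text; for real output use audit(open(path).read())."""
    return diff_rules(normalize(json.loads(deployed_json)), expected)


if __name__ == "__main__":
    print("Terraform target:", json.dumps(audit(), indent=2))
    print("Option 2 manual rules:", json.dumps(audit(expected=MANUAL_OPTION2), indent=2))
```

Against the constructed sample, the Terraform target reports AllowHTTP and AllowHTTPS missing, the five Besu rules extra, AllowSSH mismatched (deployed at 1000, expected at 1002), and priority collisions at 1000, 1001 and 1002; the Option 2 set reports AllowHTTP colliding with AllowP2PTCP and AllowHTTPS with AllowP2PUDP, which is why the manual commands need free priorities or a prior delete.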
Impact
Without Port 80
- ❌ No HTTP client outside the VM can reach Nginx: direct access, external health checks and any RPC traffic proxied over plain HTTP are dropped at the NIC
- ⚠️ The Cloudflare Tunnel is only affected if cloudflared runs on a different host; a connector on the Nginx VM reaches localhost:80 over loopback, which NSG rules do not filter
Without Port 443
- ⚠️ No direct HTTPS access
- ⚠️ Limited access options
- ⚠️ Cannot bypass Cloudflare for testing (a directly reachable origin also lets others bypass Cloudflare, so restrict the source ranges if it is opened)
Recommendation
✅ Yes, ports 80 and 443 belong on the Nginx proxy NSG, with sources restricted to the ranges that need them.
- Port 80 is REQUIRED - Nginx listens on port 80, and any client outside the VM must pass the NSG to reach it
- Port 443 is RECOMMENDED - For direct HTTPS access
- Remove unnecessary rules - P2P/RPC/Metrics belong on the backend Besu VMs
Action: Run `terraform plan`, review the diff, then `terraform apply` to sync the NSG with the module configuration.
Status: ❌ CRITICAL - Ports 80 and 443 Missing
The Nginx proxy NSG is missing ports 80 and 443, so nothing outside the VM can reach Nginx, and it carries five Besu rules that do not belong on a proxy.