Add option for forced tunneling through TRE's Firewall

.github/workflows/build_validation_develop.yml

@@ -1,11 +1,11 @@
 ---
 name: Build Validation
 
-on:  # yamllint disable-line rule:truthy
+on: # yamllint disable-line rule:truthy
   pull_request:
     branches:
       - main
-      - 'feature/**'
+      - "feature/**"
 
 # for each ref (branch/pr) run just the most recent,
 # cancel other pending/running ones
@@ -57,6 +57,11 @@ jobs:
         with:
           terraform_version: "1.9.8"
 
+      - uses: hashicorp/setup-terraform@v3
+        if: ${{ steps.filter.outputs.terraform == 'true' }}
+        with:
+          terraform_version: "1.9.8"
+
       - name: Terraform format check
         if: ${{ steps.filter.outputs.terraform == 'true' }}
         run: terraform fmt -check -recursive
@@ -112,7 +117,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VALIDATE_TERRAFORM_TFLINT: true
           TERRAFORM_TFLINT_CONFIG_FILE: .tflint_core.hcl
-          FILTER_REGEX_INCLUDE: './core/.*'
+          FILTER_REGEX_INCLUDE: "./core/.*"
 
       - name: Workspace Tags
         if: ${{ steps.filter.outputs.terraform_workspaces == 'true' }}
@@ -123,7 +128,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VALIDATE_TERRAFORM_TFLINT: true
           TERRAFORM_TFLINT_CONFIG_FILE: .tflint_workspaces.hcl
-          FILTER_REGEX_INCLUDE: './templates/workspaces/.*'
+          FILTER_REGEX_INCLUDE: "./templates/workspaces/.*"
 
       - name: Workspace Services Tags
         if: ${{ steps.filter.outputs.terraform_workspace_services == 'true' }}
@@ -134,8 +139,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VALIDATE_TERRAFORM_TFLINT: true
           TERRAFORM_TFLINT_CONFIG_FILE: .tflint_workspace_services.hcl
-          FILTER_REGEX_INCLUDE: './templates/workspaces/.*'
-          FILTER_REGEX_EXCLUDE: '.*user_resource.*'
+          FILTER_REGEX_INCLUDE: "./templates/workspaces/.*"
+          FILTER_REGEX_EXCLUDE: ".*user_resource.*"
 
       - name: User Resources Tags
         if: ${{ steps.filter.outputs.terraform_workspace_services == 'true' }}
@@ -146,7 +151,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VALIDATE_TERRAFORM_TFLINT: true
           TERRAFORM_TFLINT_CONFIG_FILE: .tflint_user_resources.hcl
-          FILTER_REGEX_INCLUDE: './templates/workspace_services/.*/user_resources/.*'
+          FILTER_REGEX_INCLUDE: "./templates/workspace_services/.*/user_resources/.*"
 
       - name: Shared Services Tags
         if: ${{ steps.filter.outputs.terraform_shared_services == 'true' }}
@@ -157,4 +162,4 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VALIDATE_TERRAFORM_TFLINT: true
           TERRAFORM_TFLINT_CONFIG_FILE: .tflint_shared_services.hcl
-          FILTER_REGEX_INCLUDE: './templates/shared_services/.*'
+          FILTER_REGEX_INCLUDE: "./templates/shared_services/.*"

.github/workflows/codeql-analysis.yml

@@ -12,13 +12,13 @@
 #
 name: "CodeQL"
 
-on:  # yamllint disable-line rule:truthy
+on: # yamllint disable-line rule:truthy
   push:
     branches: [main]
   pull_request:
     branches: [main]
   schedule:
-    - cron: '41 3 * * 5'
+    - cron: "41 3 * * 5"
 
 # for each ref (branch/pr) run just the most recent,
 # cancel other pending/running ones
@@ -38,7 +38,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ['python', 'java', 'javascript', 'typescript']
+        language: ["python", "java", "javascript", "typescript"]
 
     steps:
       - name: Checkout repository

CHANGELOG.md

@@ -49,6 +49,7 @@ BUG FIXES:
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
 * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)])
+* Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
 
 COMPONENTS:
 

Makefile

@@ -309,8 +309,10 @@ deploy-shared-service:
 	&& ${MAKEFILE_DIR}/devops/scripts/deploy_shared_service.sh $${PROPS}
 
 firewall-install:
-	$(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \
-	DIR=${MAKEFILE_DIR}/templates/shared_services/firewall/ BUNDLE_TYPE=shared_service
+	. ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh env \
+	&& $(MAKE) bundle-build bundle-publish bundle-register deploy-shared-service \
+	DIR=${MAKEFILE_DIR}/templates/shared_services/firewall/ BUNDLE_TYPE=shared_service \
+	PROPS="$${FIREWALL_SKU+--firewall_sku $${FIREWALL_SKU} }$${FIREWALL_FORCE_TUNNEL_IP+--firewall_force_tunnel_ip $${FIREWALL_FORCE_TUNNEL_IP} }"
 
 static-web-upload:
 	$(call target_title, "Uploading to static website") \

config.sample.yaml

@@ -10,7 +10,7 @@ management:
   acr_name: __CHANGE_ME__
   # ID of external Key Vault to store CMKs in (only required if enable_cmk_encryption is true)
   # external_key_store_id: __CHANGE_ME__
-  # Name of Key Vault for encryption keys, required only if enable_cmk_encryption is true and not using external_key_store_id
+  # Name of Key Vault for encryption, required if enable_cmk_encryption is true and external_key_store_id is not set
   # encryption_kv_name: __CHANGE_ME__
   # Azure Resource Manager credentials used for CI/CD pipelines
   arm_subscription_id: __CHANGE_ME__
@@ -46,6 +46,7 @@ tre:
   # The TRE Web UI is deployed by default.
   # Uncomment the following to disable deployment of the Web UI.
   # deploy_ui: false
+  # firewall_force_tunnel_ip: __CHANGE_ME__
   firewall_sku: Standard
   app_gateway_sku: Standard_v2
 

docs/tre-admins/configure-firewall-force-tunneling.md

@@ -0,0 +1,21 @@
+# Forced Tunneling to External Firewall in TRE
+
+Azure TRE deploys and manages an Azure firewall to ensure creation of workspace level rules can be automated when TRE workspaces and other services are created without manual intervention.
+It is highly recommended leaving the Azure TRE firewall in place. If there is still the requirement to send all traffic through a centralized enterprise firewall, such as that deployed as part of an Azure landing zone, then forced tunnelling should be used. The centralized firewall will need a superset of rules used by the TRE.
+
+To setup forced tunneling to an external firewall, follow these steps:
+
+## 1. Set the firewall_force_tunnel_ip parameter in the config.yaml file
+Provide the external firewall's IP address:
+
+```json
+firewall_force_tunnel_ip: 192.168.0.4
+```
+This automatically creates a route table to direct TRE’s traffic to the specified IP.
+
+## 2. Manually Connect TRE to Your Firewall
+Configure connectivity between TRE’s VNet and your external firewall using one of the following methods:
+
+1. **VNet Peering**: Peer the TRE VNet with your firewall’s VNet.
+1. **ExpressRoute**: Use a private connection for firewalls located on-premises.
+1. **Site-to-Site VPN**: Establish a VPN connection as an alternative.

mkdocs.yml

@@ -140,6 +140,7 @@ nav:
           - Supported Clouds: tre-admins/supported-clouds.md
           - Customer Managed Keys: tre-admins/customer-managed-keys.md
           - Custom Domain Name: tre-admins/custom-domain.md
+          - Firewall Force Tunneling: tre-admins/configure-firewall-force-tunneling.md
 
       - Development: # Docs related to the developing code for the AzureTRE
           - Local Development: using-tre/local-development/local-development.md

templates/shared_services/firewall/parameters.json

@@ -63,6 +63,12 @@
       "source": {
         "env": "ARM_ENVIRONMENT"
       }
+    },
+    {
+      "name": "firewall_force_tunnel_ip",
+      "source": {
+        "env": "FIREWALL_FORCE_TUNNEL_IP"
+      }
     }
   ]
 }

templates/shared_services/firewall/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-firewall
-version: 1.2.8
+version: 1.3.0
 description: "An Azure TRE Firewall shared service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
@@ -54,6 +54,9 @@ parameters:
     default: "graph.microsoft.com"
   - name: arm_environment
     type: string
+  - name: firewall_force_tunnel_ip
+    type: string
+    default: ""
 
 mixins:
   - terraform:
@@ -69,6 +72,7 @@ install:
         api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections }
         firewall_sku: ${ bundle.parameters.firewall_sku }
         microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn }
+        firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -87,6 +91,7 @@ upgrade:
         api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections }
         firewall_sku: ${ bundle.parameters.firewall_sku }
         microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn }
+        firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"
@@ -105,6 +110,7 @@ uninstall:
         api_driven_network_rule_collections_b64: ${ bundle.parameters.network_rule_collections }
         firewall_sku: ${ bundle.parameters.firewall_sku }
         microsoft_graph_fqdn: ${ bundle.parameters.microsoft_graph_fqdn }
+        firewall_force_tunnel_ip: ${ bundle.parameters.firewall_force_tunnel_ip }
       backendConfig:
         use_azuread_auth: "true"
         use_oidc: "true"