BAIS Windows Firewall Rules
This document describes how to add/remove/edit Windows Firewall rules for the BAIS servers. All rules are managed through Ansible automation in the Globalscape Repo.
Rules should be adjusted by the project team on a self-service basis.
Prerequisites
- GitHub write access to Globalscape Repo
- Azure DevOps access to BAIS Pipeline
Process
A PR for changes to the BAIS NSG rules should be raised by the person or team requesting the change. The Platform Operations team will review the PR and provide approval, then execute the pipeline on behalf of the requester. See steps 1 to 8 for details on raising a PR.
Self-Service Steps
- Clone Globalscape Repo to your local machine.
  ```bash
  git clone https://github.com/hmcts/globalscape-azure-infrastructure
  ```
- Create a new branch, typically with a JIRA ticket number.
  ```bash
  git checkout -b BRANCH-NAME
  ```
- Navigate to `newansible/files`, where you will see 4 CSV files containing firewall rules (2 NLE and 2 Prod).
- Modify the CSV file for the required environment, looking to existing rules for formatting guidance. Note: removing rules from the CSV will remove them from the server.
- Push your new branch
  ```bash
  git push --set-upstream origin BRANCH-NAME
  ```
- Create a Pull Request and review changes compared with master.
- Look out for typical formatting issues such as extra spaces or unusual characters. Specifically, the ‘-’ in port ranges often needs to be deleted and retyped, depending on how CGI have exported the CSV.
- CI will run automatically across STG in Azure DevOps after the PR is raised.
- Review the build log and investigate any issues; pushing corrections will automatically trigger another CI build.
- Raise a BAU ticket with the PlatOps team requesting PR approval and execution.
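The formatting problems called out in the steps above (extra spaces, unusual characters, a ‘-’ in a port range that has to be retyped) can be caught before the PR is raised. The script below is an added example, not part of the Globalscape repo or its pipeline; the column names and sample rows are constructed, and it assumes the export problem shows up as a non-ASCII dash or other non-ASCII character in a field.

```python
import csv
import io
import unicodedata

# Constructed sample, not taken from the repo; the column names are assumptions.
SAMPLE_CSV = (
    "Name,Direction,Protocol,LocalPort\n"
    "Allow-SFTP,Inbound,TCP,22\n"
    "Allow-Passive ,Inbound,TCP,28000\u201328100\n"  # trailing space, en dash
    "Allow-Web,Inbound,TCP,80\u00a0\n"               # non-breaking space
)


def lint_rules_csv(text):
    """Return (line, column, problem) tuples for fields likely to break the import."""
    findings = []
    reader = csv.reader(io.StringIO(text, newline=""))
    header = next(reader, [])
    for row in reader:
        line_no = reader.line_num
        if len(row) != len(header):
            findings.append((line_no, "", f"expected {len(header)} fields, found {len(row)}"))
        for idx, value in enumerate(row):
            column = header[idx] if idx < len(header) else f"field {idx + 1}"
            if value != value.strip(" \t"):
                findings.append((line_no, column, "leading or trailing whitespace"))
            for ch in value:
                if ord(ch) < 128:
                    continue
                name = unicodedata.name(ch, "UNKNOWN")
                if unicodedata.category(ch) == "Pd":  # Unicode dash punctuation
                    problem = f"dash lookalike U+{ord(ch):04X} ({name}); retype as '-'"
                else:
                    problem = f"non-ASCII character U+{ord(ch):04X} ({name})"
                findings.append((line_no, column, problem))
    return findings


if __name__ == "__main__":
    import sys
    # With no arguments the constructed sample is checked; otherwise pass CSV paths.
    texts = [open(p, encoding="utf-8-sig", newline="").read() for p in sys.argv[1:]] or [SAMPLE_CSV]
    results = [f for t in texts for f in lint_rules_csv(t)]
    for line_no, column, problem in results:
        print(f"line {line_no} [{column}]: {problem}")
    sys.exit(1 if results else 0)
```

Run it against the edited CSV files before pushing; a non-zero exit status means at least one field needs retyping.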
Platform Operations Steps
- Review PR
- If the Terraform plan is successful, in Azure DevOps:
  - ‘Run Pipeline’
  - Branch/tag: Your new branch name
  - Commit: Blank
  - Stage to Run: BAIS_Servers
  - Location: UK South
  - Environment: Set as required.
  - Advanced Options: Leave as default.
  - Click Run
- Verify that the Windows server accurately reflects the CSV file change from the PR. You can access the servers using the guide: Server Access
- Merge branch with Master.