Thank you for these suggestions. I might be missing something, but these patterns seem to link parts of the infrastructure at different locations/availability zones through virtual private cloud links. I did not see if/how a Puppet Master is exposed to the public internet there?
Any suggestions for Open Source Puppet as well?

Thanks
Matthias

[email protected] wrote on Thursday, 20 October 2022 at 17:29:59 UTC+2:

> Our support for TLS termination is messy and you need to use a reverse
> proxy in front of PE. We have a couple of Patterns surrounding multi
> region solutions using proxies and compilers which may be helpful
>
> https://puppet.com/docs/pe/2021.7/installing_compilers.html#multi-region-load-balancing
> AWS Multi-region architectures for Puppet Enterprise
> <https://puppet.com/docs/patterns-and-tactics/latest/reference-architectures/aws-reference-architecture-guide.html#in-region-proxies-variation>
> PE Multi-region reference architectures (puppet.com)
> <https://puppet.com/docs/patterns-and-tactics/latest/reference-architectures/pe-multi-region-reference-architectures.html#in-region-proxies-variation>
>
> On Wednesday, October 19, 2022 at 5:49:29 PM UTC+1 [email protected] wrote:
>
>> Dear Puppet Users,
>>
>> until now, I have been using Puppet in firewalled environments only,
>> where agents were on the same trusted network as the server or connected
>> through VPN tunnels.
>>
>> Now there seem to be some good reasons for switching to a "perimeterless
>> security" approach, which would mean to drop the VPN and put the Puppet
>> Server on the public internet. In my special case, I could not even do any
>> IP-based filtering.
>>
>> I could not really find any good material or recommendations on this. Is
>> this a discouraged/dangerous practice, or is it more common than I was
>> assuming?
>>
>> The basic approach of mutual, certificate-based authentication in Puppet
>> seems to perfectly support this scenario, and comes with encryption built
>> in. And yes, of course I would _not_ enable certificate autosigning.
>>
>> Are there other risks to be aware of? Any recommendations on hardening
>> the setup?
>>
>> Maybe I am a bit sceptical because a component like Puppet Server has not
>> received the scrutiny as e.g. an Apache or Nginx webserver regarding
>> potential attack surfaces and security issues. The sensitive information a
>> compromised Puppet Server might leak cannot be ignored.
>>
>> Would it make sense to place the Puppet Server behind a major
>> webserver/proxy (Apache, Varnish etc.)? Would it be possible to reject all
>> connections that do not provide client certificates and use some
>> out-of-band process for signing new client certs?
>>
>> Thank you for all suggestions!
>> -mp.
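The quoted original post asks whether Puppet Server can sit behind a mainstream reverse proxy that rejects every connection not carrying a client certificate. The following nginx configuration is an added example of that arrangement; it is not from this thread, from Puppet, or from any of the linked reference architectures. The hostname `puppet.example.com`, the certificate and key paths, and the assumption that Puppet Server listens on plain HTTP on the loopback interface are all illustrative choices, not values taken from the thread.

```nginx
# Added example (not from the thread): nginx as a TLS-terminating reverse proxy
# in front of Puppet Server that refuses any connection lacking a client
# certificate signed by the Puppet CA. Hostname and paths are assumptions.

server {
    listen 443 ssl;
    server_name puppet.example.com;          # assumed hostname

    # Certificate and key the proxy presents to agents (assumed paths; here the
    # Puppet-issued server cert, which agents already trust via the Puppet CA).
    ssl_certificate     /etc/puppetlabs/puppet/ssl/certs/puppet.example.com.pem;
    ssl_certificate_key /etc/puppetlabs/puppet/ssl/private_keys/puppet.example.com.pem;

    # Demand a client certificate and verify it against the Puppet CA.
    # With "on", nginx aborts the TLS handshake when no valid certificate is
    # presented, so unauthenticated peers never reach Puppet Server at all.
    ssl_client_certificate /etc/puppetlabs/puppet/ssl/certs/ca.pem;
    ssl_crl                /etc/puppetlabs/puppet/ssl/crl.pem;   # honour revocations
    ssl_verify_client      on;
    ssl_verify_depth       2;

    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Puppet Server reached only from this proxy on loopback (assumed).
        proxy_pass http://127.0.0.1:8140;

        # Forward the verified identity so Puppet Server can authorize the
        # request as it would have done from its own TLS handshake.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Cert   $ssl_client_escaped_cert;
        proxy_set_header Host            $host;
    }
}
```

Two points follow from this design. First, the `X-Client-*` headers are only meaningful if Puppet Server is told to trust them (the `allow-header-cert-info` setting described in Puppet Server's external SSL termination documentation) and is bound to the loopback address so that nothing but the proxy can reach it; a Puppet Server that honours those headers from arbitrary clients would accept any identity a caller writes into the request. Check the exact setting name and file against the installed Puppet Server version. Second, because the handshake fails for peers without a certificate, a brand-new agent cannot submit its CSR through this proxy, which is exactly the out-of-band signing workflow the original post proposes rather than a drawback of it.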
