# Zero-Trust
This document outlines the implementation of Zero-Trust security principles using Cloudflare's Zero Trust platform. The goal is to enhance the security posture of our organization by ensuring that all devices and users are authenticated and authorized before accessing resources, regardless of their location.
## Zero-Trust Applications
We have configured Zero-Trust applications to enforce strict access controls. Each application is protected by policies that require EntraID group membership for access. This ensures that only authorized users can access sensitive applications.
### Application Access Portal

All Zero-Trust applications are accessible via the Cloudflare Access portal:

Portal URL: https://unibeam-trust.cloudflareaccess.com/

!!! info "Single Sign-On"
    All applications use EntraID (Azure AD) for authentication. You'll be prompted to authenticate with your organizational credentials on first access.
### Dashboard Applications

#### Production Environments

##### Dashboard-IL (Pelephone)

- Domain: dashboard.il.unibeam.com
- Environment: Production - Israel
- Session Duration: 12 hours
- Access Groups:
    - Unibeam-NAT-Whitelist (IP-based)
    - Zero-Trust_Devops
    - Zero-Trust-Dashboard
    - Zero-Trust-IL
- Logo: Israel Emblem
- Tags: Dashboard, IL, Pelephone, Prod

##### Dashboard-ATnT

- Domain: dashboard.us.unibeam.com
- Environment: Production - US (AT&T)
- Session Duration: 12 hours
- Access Groups:
    - Unibeam-NAT-Whitelist (IP-based)
    - Zero-Trust_Devops
    - Zero-Trust-ATnT
- Logo: AT&T Logo
- Tags: Dashboard, ATnT, Prod

##### Dashboard-UB-Global-US

- Domain: dashboard.us2.unibeam.com
- Environment: Production - US Global
- Session Duration: 12 hours
- Access Groups:
    - Unibeam-NAT-Whitelist (IP-based)
    - Zero-Trust_Devops
    - Zero-Trust-US
- Logo: Globe Icon
- Tags: Dashboard, US, Prod, UB-Global-US

#### Non-Production Environments

##### Dashboard-Demo

- Domain: dashboard.demo.unibeam.com
- Environment: Demo
- Session Duration: 12 hours
- Access Groups:
    - Unibeam-NAT-Whitelist (IP-based)
    - Zero-Trust_Devops
    - Zero-Trust-QA
    - Zero-Trust-RnD
- Tags: Dashboard, Demo
### Monitoring Applications (Grafana)

#### Production Environments

##### Grafana-IL (Pelephone)

- Domain: grafana.il.unibeam.com
- Environment: Production - Israel
- Session Duration: 12 hours
- Access Groups:
    - Zero-Trust_Devops
    - Zero-Trust-RnD
    - Zero-Trust-IL
- Logo: Grafana Logo
- Tags: Prod, Grafana, IL, Pelephone

##### Grafana-ATnT

- Domain: grafana.us.unibeam.com
- Environment: Production - US (AT&T)
- Session Duration: 12 hours
- Access Groups:
    - Zero-Trust_Devops
    - Zero-Trust-RnD
    - Zero-Trust-ATnT
- Tags: Prod, ATnT, Grafana

##### Grafana-US (UB-Global-US)

- Domain: grafana.us2.unibeam.com
- Environment: Production - US Global
- Session Duration: 12 hours
- Access Groups:
    - Zero-Trust_Devops
    - Zero-Trust-RnD
    - Zero-Trust-ATnT
- Tags: Prod, US, Grafana, UB-Global-US

#### POC Environment

##### Grafana-ATnT-POC

- Domain: grafana.poc.atnt.unibeam.com
- Environment: POC - AT&T
- Session Duration: 12 hours
- Access Groups:
    - Zero-Trust_Devops
    - Zero-Trust-RnD
    - Zero-Trust-ATnT
- Tags: POC, ATnT, Grafana

#### Non-Production Environments

##### Grafana-Demo

- Domain: grafana.demo.unibeam.com
- Environment: Demo
- Session Duration: 12 hours
- Access Groups:
    - Zero-Trust_Devops
    - Zero-Trust-RnD
    - Zero-Trust-QA
    - Zero-Trust-Demo
- Tags: Grafana, Demo

##### Grafana-Dev

- Domain: grafana.dev.unibeam.com
- Environment: Development/POC
- Session Duration: 12 hours
- Access Groups:
    - Zero-Trust_Devops
    - Zero-Trust-RnD
    - Zero-Trust-QA
    - Zero-Trust-POC
- Tags: Grafana, DEV, POC
### GitOps Applications (ArgoCD)

#### Production Environments

##### ArgoCD-IL (Pelephone)

- Domain: argocd.il.unibeam.com
- Environment: Production - Israel
- Session Duration: 12 hours
- Access Groups:
    - Zero-Trust_Devops
    - Zero-Trust-RnD
- Logo: ArgoCD Logo
- Tags: ArgoCD, Pelephone, IL

##### ArgoCD-ATnT

- Domain: argocd.us.unibeam.com
- Environment: Production - US (AT&T)
- Session Duration: 12 hours
- Access Groups:
    - Zero-Trust_Devops
    - Zero-Trust-RnD
- Tags: ArgoCD, ATnT

##### ArgoCD-UB-Global-US

- Domain: argocd.us2.unibeam.com
- Environment: Production - US Global
- Session Duration: 12 hours
- Access Groups:
    - Zero-Trust_Devops
    - Zero-Trust-RnD
- Tags: ArgoCD, US, UB-Global-US

#### Non-Production Environments

##### ArgoCD-Demo

- Domain: argocd.demo.unibeam.com
- Environment: Demo
- Session Duration: 12 hours
- Access Groups:
    - Zero-Trust_Devops
    - Zero-Trust-RnD
- Tags: ArgoCD, Demo

##### ArgoCD-Dev

- Domain: argocd.dev.unibeam.com
- Environment: Development/POC
- Session Duration: 12 hours
- Access Groups:
    - Zero-Trust_Devops
    - Zero-Trust-RnD
- Tags: ArgoCD, DEV, POC
### Kafka Management (Kafka UI)

#### Non-Production Environments

##### Kafka-UI-Demo

- Domain: kafka-ui.demo.unibeam.com
- Environment: Demo
- Session Duration: 12 hours
- Access Groups:
    - Zero-Trust_Devops
- Logo: Apache Kafka Logo
- Tags: Demo, Kafka-UI

##### Kafka-UI-Dev

- Domain: kafka-ui.dev.unibeam.com
- Environment: Development/POC
- Session Duration: 12 hours
- Access Groups:
    - Zero-Trust_Devops
- Tags: DEV, POC, Kafka-UI

!!! note "Production Kafka UI"
    Production Kafka UI instances (IL, US, ATnT) are currently disabled in the configuration. They can be enabled by uncommenting the respective blocks in `global-variables.tfvars`.
### AWS EKS Cluster Management (Lens)

Connectivity is provided by a cloudflared tunnel deployed on each EKS cluster. Access is restricted to the DevOps and RnD teams via EntraID groups, and a connection is only possible from WARP-enabled devices.

Connectors have routing set up for the following clusters:

- IL Production EKS Cluster
- ATnT Production EKS Cluster
- UB-Global-US Production EKS Cluster
- Dev EKS Cluster
- Demo EKS Cluster
### Documentation Portal

#### Docs-Unibeam

- Domain: docs.unibeam.com
- Environment: Global Documentation
- Session Duration: 24 hours
- Access Groups:
    - Zero-Trust_Devops
    - Zero-Trust-RnD
    - Zero-Trust-Support
    - Zero-Trust-Docs
- Logo: MkDocs Logo
- Tags: docs

!!! info "Extended Session"
    The documentation portal uses extended 24-hour sessions so that users are not re-prompted during long reading sessions.
## Access Policy Overview

### Policy Precedence

Policies are evaluated in order of precedence (lower number = higher priority):

- Unibeam-NAT-Whitelist (Precedence 1): IP-based bypass for NAT gateways
- Zero-Trust_Devops (Precedence 1-2): DevOps team access
- Environment-Specific Groups (Precedence 2-4): IL, ATnT, US, QA, RnD, Support, etc.
- BlockPolicy (Final): Explicit deny for all others
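The following Python is an added illustration, not code from this page or from the `iac` repository, of how the precedence order listed above decides a request: the first policy that matches in precedence order wins, and the trailing BlockPolicy catches everything else. Policy and group names are taken from this page; the decision model, the `Request` shape and the NAT CIDR `203.0.113.0/24` are constructed assumptions (the real NAT gateway addresses live in `ip_list.txt`). Cloudflare Access is the real decision engine; this only reproduces the documented ordering so that a change to the policy list can be sanity-checked before it is committed. The `lint` function flags the two ordering mistakes that matter most: duplicate precedence values and a policy placed after the deny-all, which can never match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    precedence: int                   # lower number = evaluated first
    decision: str                     # "bypass", "allow" or "deny"
    groups: frozenset = frozenset()   # EntraID groups that satisfy an allow policy
    ip_ranges: tuple = ()             # CIDR ranges that satisfy a bypass policy


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset   # EntraID groups the authenticated user belongs to
    source_ip: str


# Constructed policy set following the documented order for a production dashboard.
# The CIDR is a placeholder; the real NAT gateway addresses are in ip_list.txt.
DASHBOARD_IL_POLICIES = (
    Policy("Unibeam-NAT-Whitelist", 1, "bypass", ip_ranges=("203.0.113.0/24",)),
    Policy("Zero-Trust_Devops", 2, "allow", groups=frozenset({"Zero-Trust_Devops"})),
    Policy("Zero-Trust-IL", 3, "allow",
           groups=frozenset({"Zero-Trust-IL", "Zero-Trust-Dashboard"})),
    Policy("BlockPolicy", 99, "deny"),
)


def matches(policy, request):
    """Does the request satisfy this policy's selector?"""
    if policy.decision == "deny" and not policy.groups and not policy.ip_ranges:
        return True  # an unqualified deny is the documented explicit deny-all
    if policy.ip_ranges:
        addr = ip_address(request.source_ip)
        return any(addr in ip_network(cidr) for cidr in policy.ip_ranges)
    return bool(policy.groups & request.groups)


def evaluate(policies, request):
    """Return (decision, policy_name). The first matching policy in precedence
    order decides; if nothing matches, fall back to deny, which is also the
    platform behaviour when no policy applies."""
    for policy in sorted(policies, key=lambda p: p.precedence):
        if matches(policy, request):
            return policy.decision, policy.name
    return "deny", "<no policy matched>"


def lint(policies):
    """Ordering problems worth catching before a policy change is committed."""
    findings = []
    ordered = sorted(policies, key=lambda p: p.precedence)
    seen = {}
    for p in ordered:
        if p.precedence in seen:
            findings.append(f"{p.name} shares precedence {p.precedence} with {seen[p.precedence]}")
        seen[p.precedence] = p.name
    denies = [p for p in ordered if p.decision == "deny"]
    if not denies:
        findings.append("no explicit deny-all policy; relying on the platform default")
    elif denies[-1] is not ordered[-1]:
        findings.append(f"{ordered[-1].name} is ordered after the deny-all and can never match")
    return findings


if __name__ == "__main__":
    # Constructed requests: a DevOps engineer, a user on the NAT range with no
    # group membership, and an unknown user from elsewhere.
    for req in (Request("devops-eng", frozenset({"Zero-Trust_Devops"}), "198.51.100.7"),
                Request("office-user", frozenset(), "203.0.113.9"),
                Request("contractor", frozenset(), "198.51.100.7")):
        print(req.user, "->", evaluate(DASHBOARD_IL_POLICIES, req))
    print("lint:", lint(DASHBOARD_IL_POLICIES))
```

The second constructed request is the point to keep in mind when maintaining `ip_list.txt`: a bypass policy at precedence 1 is decided on the source address alone, so anything that reaches Cloudflare from a whitelisted NAT address is never asked for an identity. That is why the quarterly review of the IP whitelist listed under Maintenance matters as much as the group-membership audit.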
### EntraID Groups

The following EntraID groups are used for access control:

| Group Name | Purpose | Typical Members |
|---|---|---|
| Zero-Trust_Devops | DevOps engineers | Platform team |
| Zero-Trust-RnD | Research & Development | Engineering team |
| Zero-Trust-IL | Israel operations | IL production team |
| Zero-Trust-ATnT | AT&T operations | US production team |
| Zero-Trust-US | US Global operations | US global team |
| Zero-Trust-QA | Quality Assurance | Testing team |
| Zero-Trust-Demo | Demo environment | Demo users |
| Zero-Trust-POC | POC environments | POC users |
| Zero-Trust-Support | Support team | Support engineers |
| Zero-Trust-Docs | Documentation access | Documentation users |
| Zero-Trust-Dashboard | Dashboard-specific | Dashboard users |
| Unibeam-NAT-Whitelist | IP whitelist bypass | NAT gateway IPs |
## WARP-Client User/Device Profiles

Currently there are 2 main profiles for user devices, assigned by group membership:

- DevOps Devices: Full access to all Zero-Trust applications, with device posture checks enabled.
- RnD Devices: Access to development, demo and prod
## Standard Configuration

All applications include:

- Skip Interstitial: Users go directly to applications after authentication
- App Launcher Visible: Applications appear in the Cloudflare Access portal
- EntraID SSO: Azure AD integration for authentication
- Session Management: 12-24 hour sessions with automatic renewal

## Security Features

- Multi-Factor Authentication: Enforced via EntraID policies
- IP Whitelisting: NAT gateway bypass for production access
- Policy Precedence: Layered security with explicit deny-all fallback
- Session Expiry: Automatic session termination after configured duration
## Adding New Applications

To add a new Zero-Trust application:

1. Create Application JSON File in `iac/managed-services/components/zero-trust-applications/applications/`:

    ```json
    {
      "name": "My New App",
      "domain": "myapp.environment.unibeam.com",
      "logo_url": "https://example.com/logo.svg",
      "session_duration": "12h",
      "skip_interstitial": true,
      "app_launcher_visible": true,
      "policies": [
        { "name": "Zero-Trust_Devops", "precedence": 1 },
        { "name": "BlockPolicy", "precedence": 2 }
      ],
      "tags": ["MyApp", "Environment"]
    }
    ```

    File Naming Convention: `<app-name>.json` (e.g., `myapp-demo.json`)

2. Application is Auto-Discovered: The Terraform configuration automatically loads all JSON files from the `applications/` directory.

3. Commit Changes to the `zero-trust` branch in the `iac` repository.

4. GitHub Actions will automatically:
    - Run `terraform plan`
    - Apply changes after review
    - Create Cloudflare Access application
    - Configure DNS CNAME record

5. Verify Access at https://unibeam-trust.cloudflareaccess.com/

!!! note "DNS Propagation"
    Allow 1-5 minutes for DNS changes to propagate after Terraform applies.
## Application Directory Structure

```text
iac/managed-services/components/zero-trust-applications/
├── applications/          # Application definitions (JSON)
│   ├── argocd-demo.json
│   ├── argocd-dev.json
│   ├── argocd-il.json
│   ├── dashboard-atnt.json
│   ├── dashboard-demo.json
│   ├── grafana-demo.json
│   ├── grafana-dev.json
│   ├── kafka-ui-demo.json
│   ├── kafka-ui-dev.json
│   └── docs.json
├── main.tf                # Terraform configuration
├── providers.tf           # Cloudflare provider
├── backend.hcl            # S3 backend config
└── variables.tf           # Variable definitions
```
## Application JSON Schema

Required Fields:

- `name`: Display name for the application
- `domain`: Full domain (e.g., `app.env.unibeam.com`)
- `policies`: Array of policy objects with `name` and `precedence`

Optional Fields:

- `logo_url`: URL to application logo (default: Cloudflare logo)
- `session_duration`: Session timeout (default: `12h`)
- `skip_interstitial`: Skip Cloudflare interstitial page (default: `true`)
- `app_launcher_visible`: Show in Access portal (default: `true`)
- `tags`: Array of tags for organization (default: `[]`)
- `cors_headers`: CORS configuration for API applications (optional)

Example with CORS:

```json
{
  "name": "API Service",
  "domain": "api.demo.unibeam.com",
  "session_duration": "24h",
  "cors_headers": {
    "allow_credentials": true,
    "allowed_methods": ["GET", "POST", "PUT", "DELETE"],
    "allowed_origins": ["https://dashboard.demo.unibeam.com"],
    "allowed_headers": ["Authorization", "Content-Type"],
    "max_age": 3600
  },
  "policies": [
    {
      "name": "Zero-Trust_Devops",
      "precedence": 1
    }
  ],
  "tags": ["API", "Demo"]
}
```
## Maintenance

### Regular Tasks

- Quarterly Review: Audit EntraID group memberships
- Session Duration: Review and adjust based on security requirements
- IP Whitelist: Update NAT gateway IPs as infrastructure changes
- Policy Updates: Adjust policies based on access patterns
- Application Cleanup: Remove unused application JSON files

### Configuration Updates

All Zero-Trust configuration is managed via Terraform in the `iac` repository:

- Applications Directory: `managed-services/components/zero-trust-applications/applications/`
- Global Config: `managed-services/global-variables.tfvars`
- IP Whitelist: `managed-services/components/zero-trust-policy/ip_list.txt`
- Branch: `zero-trust`
- Deployment: Automated via GitHub Actions

!!! tip "Best Practice"
    Always test configuration changes in non-production environments (Dev/Demo) before applying to production.
### Managing Applications

Add New Application:

1. Create JSON file in `applications/` directory
2. Commit to `zero-trust` branch
3. GitHub Actions deploys automatically

Modify Existing Application:

1. Edit JSON file in `applications/` directory
2. Commit changes
3. Terraform updates application configuration

Remove Application:

1. Delete JSON file from `applications/` directory
2. Commit changes
3. Terraform destroys Cloudflare resources (with `prune: true`)

!!! danger "Destructive Action"
    Deleting an application JSON file will remove the Cloudflare Access application and DNS records. Ensure this is intentional before committing.
### Viewing All Applications

List all configured applications:
View application details:
Search for applications by tag:
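The following Python is an added example covering both the Application JSON Schema section and this Viewing All Applications section; it is not code from this page or from the `iac` repository. It loads every `<app-name>.json` from an `applications/` directory the way the documented auto-discovery does, fills in the documented defaults, validates the required fields and the policy list, and answers the list / details / search-by-tag questions above. The domain and duration patterns, the `apply_defaults` / `validate` / `find_by_tag` function names and the two sample definitions are constructed assumptions; the field names and defaults are the ones documented on this page. The validator treats a missing trailing `BlockPolicy` as a warning rather than an error, since the page's own CORS example omits it and relies on the final deny described under Policy Precedence.

```python
import json
import re
from pathlib import Path

# Defaults documented in the Application JSON Schema section.
DEFAULTS = {
    "logo_url": None,            # page: the Cloudflare logo is used when unset
    "session_duration": "12h",
    "skip_interstitial": True,
    "app_launcher_visible": True,
    "tags": [],
}
REQUIRED = ("name", "domain", "policies")
# Assumed patterns: a full host name under unibeam.com, and durations like "12h"/"30m".
DOMAIN_RE = re.compile(r"^([a-z0-9-]+\.)+unibeam\.com$")
DURATION_RE = re.compile(r"^\d+[mh]$")


def apply_defaults(app):
    """Fill in optional fields exactly as the documented defaults would."""
    return {**DEFAULTS, **app}


def validate(app):
    """Return (errors, warnings) for one application definition."""
    errors, warnings = [], []
    missing = [k for k in REQUIRED if k not in app]
    if missing:
        return [f"missing required field(s): {', '.join(missing)}"], warnings
    if not DOMAIN_RE.match(app["domain"]):
        errors.append(f"domain '{app['domain']}' is not a full unibeam.com host name")
    if not DURATION_RE.match(str(app.get("session_duration", DEFAULTS["session_duration"]))):
        errors.append("session_duration must look like '12h' or '30m'")
    policies = app["policies"]
    if not isinstance(policies, list) or not policies:
        errors.append("policies must be a non-empty array")
        return errors, warnings
    seen = {}  # precedence -> policy name, to catch collisions
    for p in policies:
        if not isinstance(p, dict) or "name" not in p or not isinstance(p.get("precedence"), int):
            errors.append(f"policy {p!r} needs a name and an integer precedence")
            continue
        if p["precedence"] in seen:
            errors.append(f"precedence {p['precedence']} used by both {seen[p['precedence']]} and {p['name']}")
        seen[p["precedence"]] = p["name"]
    if seen and seen[max(seen)] != "BlockPolicy":
        warnings.append("no BlockPolicy at the highest precedence; unmatched requests rely on the final deny")
    return errors, warnings


def load_applications(directory):
    """Auto-discover every *.json in the directory, keyed by file stem (<app-name>)."""
    return {path.stem: apply_defaults(json.loads(path.read_text()))
            for path in sorted(Path(directory).glob("*.json"))}


def describe(app):
    """The details a reviewer usually wants to see for one application."""
    return {"name": app["name"], "domain": app["domain"],
            "session_duration": app["session_duration"], "tags": app["tags"],
            "policies": [p["name"] for p in app["policies"]]}


def find_by_tag(apps, tag):
    """Names of applications carrying the tag (case-insensitive)."""
    return sorted(name for name, app in apps.items()
                  if tag.lower() in {t.lower() for t in app["tags"]})


# Constructed sample definitions: one valid, one with a foreign domain and a
# precedence collision.
SAMPLE_APPS = {
    "myapp-demo": {"name": "My New App", "domain": "myapp.demo.unibeam.com",
                   "policies": [{"name": "Zero-Trust_Devops", "precedence": 1},
                                {"name": "BlockPolicy", "precedence": 2}],
                   "tags": ["MyApp", "Demo"]},
    "broken-app": {"name": "Broken", "domain": "broken.example.org",
                   "policies": [{"name": "Zero-Trust_Devops", "precedence": 1},
                                {"name": "Zero-Trust-QA", "precedence": 1}]},
}


if __name__ == "__main__":
    apps = {name: apply_defaults(app) for name, app in SAMPLE_APPS.items()}
    print("applications:", sorted(apps))
    for name, app in apps.items():
        errors, warnings = validate(app)
        print(name, describe(app), "errors:", errors, "warnings:", warnings)
    print("tagged demo:", find_by_tag(apps, "demo"))
```

For the real repository, replace `SAMPLE_APPS` with `load_applications("iac/managed-services/components/zero-trust-applications/applications")`; running the validator as a pre-commit step on the `zero-trust` branch catches a malformed definition before `terraform plan` does, and `find_by_tag(apps, "Prod")` is a quick way to enumerate which production applications a policy change touches.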