hey all, is anyone here familiar with hosting Flee...
# kolide
hey all, is anyone here familiar with hosting Fleet externally and securely? i currently have 3 Fleet VMs on a GCP project (internal only), along with a load balancer that i'm now exposing publicly, and it all works fine, but ideally i'd not want to serve the administration interface publicly, only exposing an edge point for osquery check-ins, is this possible?
this is a fairly common situation, there may be other discussions in this channel, but https://osquery.slack.com/archives/C1XCLA5DZ/p1579124756010600 is one discussion of this issue
We have similar case and we have set up HTTPS GLB with Path rules, which restrict for public only osquery-needed handlers (/enroll,/log,/dstributed/.. etc) using CloudArmor policies
You could also implement mutual TLS/client certs to restrict access as well.
thank you for all the above!!