PJ Meyer

07/08/2020, 4:15 PM
hey all, is anyone here familiar with hosting Fleet externally and securely? i currently have 3 Fleet VMs on a GCP project (internal only), along with a load balancer that i'm now exposing publicly, and it all works fine, but ideally i'd not want to serve the administration interface publicly, only exposing an edge point for osquery check-ins, is this possible?

blaedj

07/08/2020, 4:19 PM
this is a fairly common situation, there may be other discussions in this channel, but https://osquery.slack.com/archives/C1XCLA5DZ/p1579124756010600 is one discussion of this issue

Alexandr Ivanov

07/08/2020, 4:53 PM
We have a similar case, and we have set up an HTTPS GLB with path rules, which restrict public access to only the osquery-needed handlers (/enroll, /log, /distributed/.. etc.) using CloudArmor policies

CptOfEvilMinions

07/08/2020, 6:25 PM
You could also implement mutual TLS/client certs to restrict access as well.

PJ Meyer

07/09/2020, 1:28 PM
thank you for all the above!!