External access in your workspace

External access in your workspace

Introduction

By default myDRE workspaces do not have connection to the internet. This ensures that data within the workspace is secure and auditable - we know what comes in, and what goes out. However, sometimes you do need a connection to a web location, for instance when you want to: 
  1. Connect to an external license server
  2. Connect to an external repository for data or packages
  3. Connect to websites
myDRE platforms offers two ways you can enable external access in your workspace:
  1. By opening up ports (self-service)
  2. By allowlisting certain domains (self-service)
 Please take note of the alerts and warning below.

Please consult your local Support team member if you are not sure which of the two approaches is more suitable for your application of your way of working within the myDRE workspace.
You have to be a workspace Accountable or a Privileged Member to be able to open up ports or request domains to be allowlisted
Enabling external access in your workspace has implications:
Reduced auditability: data can be ingressed and egressed from a VM to external location, bypassing the standard audited myDRE workflows.
Reduced security: it is possible that (accidentally) installed services by a workspace member pose a risk.

Recommendations for reducing risks

We advise to reduce risks associated with enabling external access in myDRE workspace by taking the following measurements:
  1. Inform and train all members of the workspace.
  2. Be mindful when to use the self-service open ports feature or allowlisting certain domains.
  3. Close ports and request removing domains from the allowlist that are not needed, they can be reopened and requested again once required
  4. Install a virusscanner/firewall.

Opening up ports

This feature is a self-service for workspace Accountable and Privileged member
This feature enables you to open up ports to static IP adresses. If you want to make use of dynamic adresses, please use domain allowlisting option. Opening up ports is enabled on the workspace level, and not possible on the VM level.

Outbound ports only.
To reduce the risks associated with outside connection, only outside ports can be opened. Therefore, VMs must initiate the connection to the outside.
External services cannot initiate connection to the inside of a VM.

How to open up ports

  1. Go to you workspace and find the tab: External Access.

  1. Create a new rule by clicking button Add a security rule on the left top side.

  1. Fill in the details and press Add rule.


  1. By default newly created rule is not enabled and needs to be turned on. 

  1. Enable the rule by toggling the Enabled button next to the rule.
  2. Review the Warning, accept the terms by ticking the box and press Turn on.


  1. You can turn off the rule by simply by turning off the Enabled button next to the rule
Please do not create a rule that blocks access to IP 11.5.0.4 port 3128. This IP and port must remain accessible in order to ensure proper functionality of myDRE workspaces, such as domain allowlisting and connecting to virtual machines through Bastion. In the event that this warning is ignored and any bugs or issues arise as a result, it should be noted that they will fall outside of the service level agreement (SLA) provided.
Please be aware that opening ports may have potential security and auditability implications and therefroe it is important to maintain visibility of all potentially accessed rules at all times. As such, any requests to have a rule completely removed or to close a port is currently not a self-service and should be submitted via a ticket on support.mydre.org. Please include details such as the specific rule and the workspace ID it pertains to. 

How do I find the IP address of a website?

There are several ways to find out what the IP address of a particular website is.
Using the command line:
  1. On Windows: cmd, on MacOS: Terminal, on Linux: Telnet/Terminal.
  2. Type ping <hostname> (for instance ping google.com).
  3. This will return an IP address.
  4. Be sure that the IP address does not change several times, we can only whitelist static IP addresses (IP addresses that do not change).
  5. Alternatively, you can use the command nslookup <hostname>; This will give multiple lines of output, you need the IP address mentioned under Addresses.
Using online tools:
  1. There are several online tools that can find the IP address, such as Website IP Checker and many others.
  2. Fill in the website URL and you'll receive an IP address.
  3. Be sure that the IP address does not change several times, we can only whitelist static IP addresses (IP addresses that do not change).
For now, only static IP addresses can be whitelisted. Websites with dynamic IP addresses (IP addresses that change over time) cannot be whitelisted as of now. A prime example of a website with a dynamic IP address is GitHub, which uses a pool of ~200 IP addresses. anDREa is exploring the possibility of URL whitelisting instead of IP whitelisting, however this might be a feature in the future without any guarantees.

Domain allowlisting

Websites with dynamic IP adresses (IP adresses that change over time) can be accessed through domain allowlisting feature. A prime example of a website with a dynamic IP address is GitHub, which uses a pool of ~200 IP addresses.

Domain allowlisting is a feature that allows outbound connection with dynamic IP-addresses; e.g. github.com. This feature is not a replacement for opening up ports, but considered a more safe way to have access to specific addresses. Domain allowlisting is based on the concept where the network traffic from the virtual machine passes through the HTTP Proxy and then an Azure Firewall managed by anDREa. The HTTP Proxy server will only allow traffic to and from domains that have been specified on a whitelist for a specific workspace. This allowlist is currently managed by anDREa support.

Domain allowlisting is suitable for HTTP en HTTPS protocols but not protocols such as FTP. If you have a software or code that relies on FTP, please contact anDREa support via submitting a ticket on support.mydre.org and see further section Requesting full internet access
Domain allowlisting enables adding (sub)domains to the allowlist, but it does work URL level. For example: you are able to allowlist specifically maps.google.com or google.com but not google.com/maps

How to get it?

  1. Submit a ticket to your local Support Team member to request domain allowlisting. Be aware that domain whitelisting is currently an optional feature and your institute might not yet support it. Consult your Local Support team member for availability. 
  2. Specify the workspace that needs access.
  3. Specify the domains that need to be allowlisted
  4. Must be approved by workspace Accountable or Privileged member (e.g. departmental head/Principal Investigator) in the ticket
  5. Once domains have been allowlisted, you will be notified in the ticket. 
Managing the domains being whitelisted is currently a manual action, please keep in mind that once your complete ticket has been submitted, that it might take at least one working day to handle your request.

Which domains to allowlist? 

It is not always clearly stated in the documentation of the application or on the website which domains are required to be allowlisted. Sometimes you are also redirected to another website when certain page is reached.  We have gathered a list of known domains per applications here, but please understand that this is a community effort, if you experience issues, see mistakes/updates, or have other applications that you do know what to allowlist, please send a ticket to your Support Team so that list can be updated. Together we can make it easier for all.

Proxy configurations

Applications might require additional proxy configurations before they allow certain allowlisted domains to be accessed. Unfortunately this varies per each application, therefore please read through the documantation of your particular application. We have gathered here a few most used applications below  but please understand that this is a community effort, if you experience issues, see mistakes/updates, or have other applications that you want to add to the list, please send a ticket to your Support Team so that list can be updated. Together we can make it easier for all.

How do I know which domains is my application using? 

Always in the first place refer to the documenation provided by the application. However, some applications use (sub)domains that are needed, but not (well) documented. There are several ways you can approach this problem. We have listed below two options. Please see these as tips for troubleshooting, not as an advice.  

Option 1: usually an error message is shown with a specific URL that could not be accessed --> Add the domain in the error to the allowlist
Option 2: Use DevTools in your browser (works for websites)
  1. Open your browser and go to the website
  2. Open DevTools (usually ctrl+shift+i)
  3. Click Network
  4. Refresh the page
  5. Look for the URLs for entries that are red

Option 3: Use a programme like Fiddler-classic (specifically for applications)

  1. Download and install Fiddler-classic
  2. Run Fiddler-classic
  3. Run the application
  4. Read in one of the columns of Fiddler-classic the (sub)domains
    1. Don't allow Fiddler related (sub)domains, just look at the last few lines
  5. Ensure the (sub)domains are allowed
  6. If everything works, uninstall Fiddler-classic
  7. Check if proxy settings are still correct
    1. Manual proxy configurations

Requesting full internet access

Be aware that full internet will only be allowed when it can be clearly demostrated that options above (opening up ports or domain allowlisting) are not sufficient. 
With full internet access: anDREa B.V. cannot guarantee the Confidentiality=HIGH, Availability=MEDIUM, and Integrity=MEDIUM and the SLA that is applicable for default Workspace.

Opening up full internet access in a workspace is a last-resort option only. Your support team member will assess whether internet access is necessary

This is an outside-SLA feature. Be aware that full internet access will bring along risks if you have any data in your workspace. This is a last-resort option only if it is really necessary. Your support team member will assess whether internet access is necessary.
Requesting full internet access for a day
Please be aware that only complete requests will be handled. Requests without details below will be denied by default. Please also be aware that this is a manual and planned action for the anDREa team. Therefore, let us know at least one day in advance.

Full internet access will bring along risks. Therefore, users can only request full internet access for a short time period by following the criteria below:
Create a ticket.
  1. Specify the time window and it must take place between 9:00-17:00 normal working days CET (nothing opened before 9:00, everything, regardless will be closed from 17:00 onwards).
  2. Specify the workspace that needs internet access.
  3. Specify the reason for needing full internet access.
  4. Specify why domain whitelisting is not sufficient.
  5. Must be approved by departmental head/Principal Investigator in the ticket.
  6. The requestor must be able to invite an anDREa support member to the workspace in the role of Privileged member.
  1. If finished earlier, immediately contact us to shut it down.
  2. After closing internet access, you can remove the anDREa support member(s) from the workspace.
Take a good look at the External Access tab. Any rules you have created there but have unchecked boxes will not be accessible even with the full internet setting on. Please check the relevant boxes if you also want to visit those webpages. For example: You have created a rule to visit the CRAN to download R packages. You uncheck the box and you request full internet access. You will then be able to go to any webpage except the CRAN.

Requesting internet access for a longer time period

Having permanent full outbound internet might be necessary for a specific Workspace to be able to do what needs to be done. However, this increases the risk for self-installed software/applications that might egress data or receive instructions to corrupt data. Also, data can be intentionally egressed from the Workspace without an audit trail to any target that is accessible via internet.

If the above described risk is acceptable, please understand that you are responsible to take all the necessary mitigating actions that you can do, inform and instruct all the members of the Workspace what they can and should not do.  Also, anDREa B.V. cannot guarantee the Confidentiality=HIGH, Availability=MEDIUM, and Integrity=MEDIUM and the SLA that is applicable for default Workspaces. 

Also, understand that once an outside actor can interact with the Workspace, directly or indirectly, costs, like Microsoft Azure resource consumption, can be triggered.

For requests:
  1. Please confirm (as the Accountable) that you understand the risks described above and take full responsibility for the risk that can impact the Confidentiality, Availability, Integrity, Auditability, and Costs for Workspace [fill in workspace name].
  2. Provide us with the details as described under Requesting full internet access for a day.
  3. Provide us with an end-date when the internet access can be closed or internet access can be re-evaluated

    • Related Articles

    • What is workspace management?

      By workspace management, we mean the administrative tasks that workspace Accountable and Privileged members of the workspace can ánd should perform to ensure smooth operation of the workspace. It includes: Adding, removing, changing roles: so to make ...
    • Domain and IP Allowlisting [External Access]

      Roles for External Access in the Workspace Accountable and Privileged: Read + Write Advanced: Read only Rest All: No access Platform Support Team (PST members): Read + Write These steps will be performed only by the Accountable and Privileged Member ...
    • R and RStudio using External Access rules

      This method of downloading R packages is outdated! This article will not be updated any longer. IP addresses are often subject to change. Therefore, the domain allowlisting feature has been introduced and it is self-service for Accountable and ...
    • What is a workspace?

      A DRE workspace is a self-contained island where you can work and collaborate on your own data. Workspaces are especially suited for the analytical phase of your research; when you already have your data, and you need to prepare, combine and/or ...
    • Roles in myDRE workspace

      Roles are defined per workspace. A myDRE user can have different roles in different workspaces they are part of. Each workspace member can have one of these specified roles within that workspace: Accountable The Accountable is the responsible person ...