  • PJ Meyer

    2 years ago
    Hey all, is anyone here familiar with hosting Fleet externally and securely? I currently have 3 Fleet VMs on a GCP project (internal only), along with a load balancer that I'm now exposing publicly, and it all works fine, but ideally I'd not want to serve the administration interface publicly, only exposing an edge point for osquery check-ins. Is this possible?
  • blaedj

    2 years ago
    This is a fairly common situation. There may be other discussions in this channel, but https://osquery.slack.com/archives/C1XCLA5DZ/p1579124756010600 is one discussion of this issue.
  • Alexandr Ivanov

    2 years ago
    We have a similar case, and we have set up an HTTPS GLB with path rules, which restrict public access to only the osquery-needed handlers (/enroll, /log, /distributed/.. etc.) using Cloud Armor policies.
  • CptOfEvilMinions

    2 years ago
    You could also implement mutual TLS/client certs to restrict access as well.
  • PJ Meyer

    2 years ago
    Thank you for all the above!!