From 66feae671266fee9796cffb580487ee282f29d3a Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Wed, 15 Apr 2026 16:25:12 +1000 Subject: [PATCH 1/5] Add inbound/outbound rule for Azure --- docs/guides/operator-guide-azure-enclave.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/guides/operator-guide-azure-enclave.md b/docs/guides/operator-guide-azure-enclave.md index 38c198f31..6a44d2995 100644 --- a/docs/guides/operator-guide-azure-enclave.md +++ b/docs/guides/operator-guide-azure-enclave.md @@ -179,6 +179,18 @@ The following diagram illustrates the virtual private cloud that hosts a UID2 Pr ![VPC Network](images/operator-azure-drawio.png) +#### Network Security Group Policy + +:::note +To avoid passing certificates associated with your domain into the enclave, inbound HTTP is allowed instead of HTTPS. This also avoids the cost of a secure layer, if used in a private network that is internal to your organization. +::: + +| Port Number | Direction | Protocol | Description | +| ----------- | --------- | -------- | ------ | +| 80 | Inbound | HTTP | Serves all UID2 APIs, including the healthcheck endpoint `/ops/healthcheck`.
When everything is up and running, the endpoint returns HTTP 200 with a response body of `OK`. For details, see [Running the Health Check](#running-the-health-check). | +| 9080 | Inbound | HTTP | Serves Prometheus metrics (`/metrics`). For details, see [Scraping Metrics](#scraping-metrics). | +| 443 | Outbound | HTTPS | Calls the UID2 Core Service and Azure Blob Storage, to download files for opt-out data and key store. | + Follow these steps: 1. (Optional) If you don't want to accept the defaults, update the `vnet.parameters.json` file with the following values. These parameters have default values and in most cases you won't need to make any updates. From 275d9745bcbd69f0538bdf66a8866252caf767fb Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Thu, 16 Apr 2026 09:40:49 +1000 Subject: [PATCH 2/5] Apply suggestion from @genwhittTTD Co-authored-by: Gen Whitt <107279666+genwhittTTD@users.noreply.github.com> --- docs/guides/operator-guide-azure-enclave.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/operator-guide-azure-enclave.md b/docs/guides/operator-guide-azure-enclave.md index 6a44d2995..60ba3da72 100644 --- a/docs/guides/operator-guide-azure-enclave.md +++ b/docs/guides/operator-guide-azure-enclave.md @@ -184,7 +184,7 @@ The following diagram illustrates the virtual private cloud that hosts a UID2 Pr :::note To avoid passing certificates associated with your domain into the enclave, inbound HTTP is allowed instead of HTTPS. This also avoids the cost of a secure layer, if used in a private network that is internal to your organization. ::: - +The following table provides information about supported protocols. | Port Number | Direction | Protocol | Description | | ----------- | --------- | -------- | ------ | | 80 | Inbound | HTTP | Serves all UID2 APIs, including the healthcheck endpoint `/ops/healthcheck`.
When everything is up and running, the endpoint returns HTTP 200 with a response body of `OK`. For details, see [Running the Health Check](#running-the-health-check). | From 95c9963f05cfa1a0e97cf25d07708d1166f5675a Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Thu, 16 Apr 2026 09:40:58 +1000 Subject: [PATCH 3/5] Apply suggestion from @genwhittTTD Co-authored-by: Gen Whitt <107279666+genwhittTTD@users.noreply.github.com> --- docs/guides/operator-guide-azure-enclave.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/operator-guide-azure-enclave.md b/docs/guides/operator-guide-azure-enclave.md index 60ba3da72..efd6bca45 100644 --- a/docs/guides/operator-guide-azure-enclave.md +++ b/docs/guides/operator-guide-azure-enclave.md @@ -182,7 +182,7 @@ The following diagram illustrates the virtual private cloud that hosts a UID2 Pr #### Network Security Group Policy :::note -To avoid passing certificates associated with your domain into the enclave, inbound HTTP is allowed instead of HTTPS. This also avoids the cost of a secure layer, if used in a private network that is internal to your organization. +To avoid passing certificates associated with your domain into the enclave, only inbound HTTP is allowed. Inbound HTTPS is not allowed. This also avoids the extra cost of another secure layer in a network that's already private and internal to your organization. ::: The following table provides information about supported protocols. | Port Number | Direction | Protocol | Description | From 8f5f380b50f69298b5a39a50e2355685214417e3 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Thu, 16 Apr 2026 09:45:14 +1000 Subject: [PATCH 4/5] Change title level --- docs/guides/operator-guide-azure-enclave.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/guides/operator-guide-azure-enclave.md b/docs/guides/operator-guide-azure-enclave.md index efd6bca45..e4d3aff04 100644 
--- a/docs/guides/operator-guide-azure-enclave.md +++ b/docs/guides/operator-guide-azure-enclave.md @@ -171,15 +171,7 @@ Follow these steps: az deployment group create --name vault --resource-group {RESOURCE_GROUP_NAME} --parameters vault.parameters.json --template-file vault.json ``` -### Set Up the VPC Network - -The next step is to set up the VPC network. - -The following diagram illustrates the virtual private cloud that hosts a UID2 Private Operator in Microsoft Azure. - -![VPC Network](images/operator-azure-drawio.png) - -#### Network Security Group Policy +### Network Security Group Policy :::note To avoid passing certificates associated with your domain into the enclave, only inbound HTTP is allowed. Inbound HTTPS is not allowed. This also avoids the extra cost of another secure layer in a network that's already private and internal to your organization. @@ -191,6 +183,14 @@ The following table provides information about supported protocols. | 9080 | Inbound | HTTP | Serves Prometheus metrics (`/metrics`). For details, see [Scraping Metrics](#scraping-metrics). | | 443 | Outbound | HTTPS | Calls the UID2 Core Service and Azure Blob Storage, to download files for opt-out data and key store. | +### Set Up the VPC Network + +The next step is to set up the VPC network. + +The following diagram illustrates the virtual private cloud that hosts a UID2 Private Operator in Microsoft Azure. + +![VPC Network](images/operator-azure-drawio.png) + Follow these steps: 1. (Optional) If you don't want to accept the defaults, update the `vnet.parameters.json` file with the following values. These parameters have default values and in most cases you won't need to make any updates. From b27b46f241e9dd895bcb85e635d875442b7bc425 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Thu, 16 Apr 2026 09:46:25 +1000 Subject: [PATCH 5/5] Change healthcheck to health check --- docs/guides/operator-guide-azure-enclave.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/guides/operator-guide-azure-enclave.md b/docs/guides/operator-guide-azure-enclave.md index e4d3aff04..213f598ec 100644 --- a/docs/guides/operator-guide-azure-enclave.md +++ b/docs/guides/operator-guide-azure-enclave.md @@ -179,7 +179,7 @@ To avoid passing certificates associated with your domain into the enclave, only The following table provides information about supported protocols. | Port Number | Direction | Protocol | Description | | ----------- | --------- | -------- | ------ | -| 80 | Inbound | HTTP | Serves all UID2 APIs, including the healthcheck endpoint `/ops/healthcheck`.
When everything is up and running, the endpoint returns HTTP 200 with a response body of `OK`. For details, see [Running the Health Check](#running-the-health-check). | +| 80 | Inbound | HTTP | Serves all UID2 APIs, including the health check endpoint `/ops/healthcheck`.
When everything is up and running, the endpoint returns HTTP 200 with a response body of `OK`. For details, see [Running the Health Check](#running-the-health-check). | | 9080 | Inbound | HTTP | Serves Prometheus metrics (`/metrics`). For details, see [Scraping Metrics](#scraping-metrics). | | 443 | Outbound | HTTPS | Calls the UID2 Core Service and Azure Blob Storage, to download files for opt-out data and key store. |
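Review bot: The new `:::note` and table in PATCH 1/5 (hunk `@@ -179,6 +179,18 @@`) describe plaintext listeners on ports 80 and 9080 but never say where those rules should accept traffic from, so an operator copying them into an NSG could leave both open to `*`. Since the stated justification for HTTP is that the network is private and internal, make that an explicit requirement and add a Source/Destination column (or a sentence) that limits the inbound rules to the VNet or load-balancer subnet, limits the 9080 rule to the subnet your Prometheus scraper runs from, and limits the outbound 443 rule to the UID2 Core Service and Azure Blob Storage destinations the row names. Separately, the port 80 description cell is split across two physical lines after `` `/ops/healthcheck`. ``; a GFM table row must stay on one line, so join the two sentences or use `<br/>`.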
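Review bot: In PATCH 2/5 the blank line after `:::` is replaced by the intro sentence, so the table header row now directly follows a paragraph; keep a blank line between `The following table provides information about supported protocols.` and `| Port Number | Direction | Protocol | Description |` so the table renders in every Markdown renderer. The sentence also undersells the table, which lists the required NSG inbound and outbound rules with their ports, not just protocols; something like `The following table lists the network security group rules the operator requires.` would be more accurate.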
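Review bot: The reworded note in PATCH 3/5 says `a network that's already private and internal to your organization`, which states an assumption as a fact; because that assumption is the only thing protecting plaintext traffic on ports 80 and 9080, phrase it as a requirement the operator must meet, for example `Inbound HTTP is acceptable only because the enclave must be reachable solely from your private, internal network; do not expose port 80 or 9080 to the Internet.` The pair `only inbound HTTP is allowed. Inbound HTTPS is not allowed.` is also redundant; one sentence suffices.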
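Review bot: The first hunk of PATCH 4/5 (`@@ -171,15 +171,7 @@`) does more than the commit title `Change title level` says: it moves the whole Network Security Group Policy section out from under Set Up the VPC Network and places it directly after the `az deployment group create --name vault ...` command, with no sentence introducing it. Either mention the move in the commit message and add a short lead-in after the vault code block, or keep the section inside the VPC step, since the rules it describes are presumably configured by the VPC deployment (`vnet.parameters.json`) that the following step sets up.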