Aura security and networks

Scope: Key information regarding Aura security and networks, applicable to both Aura Virtual Assistant and ATRIA

Aura Security group

In each Aura installation, we create or update security group rules so that only the public endpoint is reachable from the Internet, and only on port 443.

Blob encryption

By default, the blob storage in Aura is not encrypted with our own key; Azure, however, encrypts every storage resource by default.

See the Microsoft Azure Storage encryption documentation for details.

Aura Network Policies

Policy 1 - alertmanager-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: alertmanager to receive traffic from pods with labels networking/allow-pod-alertmanager-access: true in namespaces with labels networking/allow-namespace-alertmanager-access: true on ports TCP http and TCP cluster
    • app: alertmanager
      • namespace: aura-system statefulset.apps/alertmanager
    • networking/allow-pod-alertmanager-access
      • namespace: aura-$ENV deployments.apps/nginx
      • namespace: aura-system deployments.apps/prometheus-msteams
    • networking/allow-namespace-alertmanager-access
      • namespace: aura-system
      • namespace: aura-$ENV

Policy 2 - elasticsearch-exporter-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: elasticsearch-exporter to receive traffic from pods with labels networking/allow-pod-elasticsearch-exporter-access: true in namespaces with labels networking/allow-namespace-elasticsearch-exporter-access: true on port TCP 9114
    • app: elasticsearch-exporter
      • namespace: aura-system deployment.apps/elasticsearch-exporter
    • networking/allow-pod-elasticsearch-exporter-access
      • namespace: aura-system statefulsets.apps/prometheus
    • networking/allow-namespace-elasticsearch-exporter-access
      • namespace: aura-system

Policy 3 - elasticsearch-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: elasticsearch to receive traffic from all pods in namespaces with labels networking/allow-namespace-elasticsearch-access: true on ports TCP 9200 and TCP 9300
    • app: elasticsearch
      • namespace: aura-system elasticsearch.k8s.elastic.co/elasticsearch
    • networking/allow-namespace-elasticsearch-access
      • namespace: aura-system
      • namespace: aura-$ENV
  • Allows pods in namespace aura-system with labels app: elasticsearch to receive traffic from pods in the same namespace with labels networking/allow-pod-elasticsearch-access: true on ports TCP 9200 and TCP 9300
    • app: elasticsearch
      • namespace: aura-system elasticsearch.k8s.elastic.co/elasticsearch
    • networking/allow-pod-elasticsearch-access
      • namespace: aura-system deployments.apps/kibana-kb
      • namespace: aura-system deployments.apps/elasticsearch-exporter
      • namespace: aura-$ENV deployments.apps/nginx

Policy 4 - fluent-bit-aggregator-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: fluent-bit-aggregator to receive traffic from pods with labels networking/allow-pod-fluent-bit-aggregator-access: true in namespaces with labels networking/allow-namespace-fluent-bit-aggregator-access: true on port TCP http
    • app: fluent-bit-aggregator
      • namespace: aura-system statefulset.apps/fluent-bit-aggregator
    • networking/allow-namespace-fluent-bit-aggregator-access
      • namespace: aura-system
    • networking/allow-pod-fluent-bit-aggregator-access
      • namespace: aura-system deployments.apps/azure-logger

Policy 5 - fluent-bit-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: fluent-bit to receive traffic from pods with labels networking/allow-pod-fluent-bit-access: true in namespaces with labels networking/allow-namespace-fluent-bit-access: true on port TCP metrics
    • app: fluent-bit
      • namespace: aura-system daemonset.apps/fluent-bit
    • networking/allow-namespace-fluent-bit-access
      • namespace: aura-system
    • networking/allow-pod-fluent-bit-access
      • namespace: aura-system deployments.apps/azure-logger

Policy 6 - grafana-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: grafana to receive traffic from pods with labels networking/allow-pod-grafana-access: true in namespaces with labels networking/allow-namespace-grafana-access: true on port TCP http
    • app: grafana
      • namespace: aura-system job.batch/grafana-provision
      • namespace: aura-system statefulset.apps/grafana
    • networking/allow-pod-grafana-access
      • namespace: aura-$ENV deployments.apps/nginx
    • networking/allow-namespace-grafana-access
      • namespace: aura-system
      • namespace: aura-$ENV

Policy 7 - kibana-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: kibana to receive traffic from all pods in namespaces with labels networking/allow-namespace-kibana-access: true on port TCP 5601
    • app: kibana
      • namespace: aura-system deployments.apps/kibana-kb
    • networking/allow-namespace-kibana-access
      • namespace: aura-system
      • namespace: aura-$ENV
  • Allows pods in namespace aura-system with labels app: kibana to receive traffic from pods in the same namespace with labels networking/allow-pod-kibana-access: true on port TCP 5601
    • app: kibana
      • namespace: aura-system deployments.apps/kibana-kb
    • networking/allow-pod-kibana-access
      • namespace: aura-system deployments.apps/kibana-kb
      • namespace: aura-$ENV deployments.apps/nginx

Policy 8 - mongodb-exporter-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: mongodb-exporter to receive traffic from pods with labels networking/allow-pod-mongodb-exporter-access: true in namespaces with labels networking/allow-namespace-mongodb-exporter-access: true on port TCP metrics
    • app: mongodb-exporter
      • namespace: aura-system deployments.apps/mongodb-exporter
    • networking/allow-pod-mongodb-exporter-access
      • namespace: aura-system statefulset.apps/prometheus
    • networking/allow-namespace-mongodb-exporter-access
      • namespace: aura-system

Policy 9 - mongodb-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: mongodb to receive traffic from pods with labels networking/allow-pod-mongodb-access: true in namespaces with labels networking/allow-namespace-mongodb-access: true on port TCP mongodb
    • app: mongodb
      • namespace: aura-system deployments.apps/mongodb
      • namespace: aura-system job.batch/mongodb-provision
    • networking/allow-pod-mongodb-access
      • namespace: aura-system deployments.apps/mongodb-exporter
      • namespace: aura-$ENV deployments.apps/aura-bot
      • namespace: aura-$ENV deployments.apps/aura-bridge
      • namespace: aura-$ENV deployments.apps/authentication-api
      • namespace: aura-$ENV deployments.apps/tac
    • networking/allow-namespace-mongodb-access
      • namespace: aura-system
      • namespace: aura-$ENV

Policy 10 - node-exporter-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: node-exporter to receive traffic from pods with labels networking/allow-pod-node-exporter-access: true in namespaces with labels networking/allow-namespace-node-exporter-access: true on port TCP metrics
    • app: node-exporter
      • namespace: aura-system daemonset.apps/node-exporter
    • networking/allow-pod-node-exporter-access
    • networking/allow-namespace-node-exporter-access
      • namespace: aura-system

Policy 11 - prometheus-msteams-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: prometheus-msteams to receive traffic from pods with labels networking/allow-pod-prometheus-msteams-access: true in namespaces with labels networking/allow-namespace-prometheus-msteams-access: true on port TCP http
    • app: prometheus-msteams
      • namespace: aura-system deployments.apps/prometheus-msteams
    • networking/allow-pod-prometheus-msteams-access
      • namespace: aura-system deployments.apps/prometheus-msteams
    • networking/allow-namespace-prometheus-msteams-access
      • namespace: aura-system

Policy 12 - prometheus-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: prometheus to receive traffic from pods with labels networking/allow-pod-prometheus-access: true in namespaces with labels networking/allow-namespace-prometheus-access: true on ports TCP http, TCP exposed and TCP 10901
    • app: prometheus
      • namespace: aura-system statefulset.apps/prometheus
    • networking/allow-pod-prometheus-access
      • namespace: aura-system deployment.apps/elasticsearch-exporter
      • namespace: aura-system deployments.apps/mongodb-exporter
      • namespace: aura-system deployments.apps/thanos-querier
      • namespace: aura-$ENV deployments.apps/aura-bot
      • namespace: aura-$ENV deployments.apps/aura-bridge
      • namespace: aura-$ENV deployments.apps/nginx
      • namespace: aura-$ENV deployments.apps/context
      • namespace: aura-$ENV deployments.apps/tac
      • namespace: aura-$ENV deployments.apps/npl
    • networking/allow-namespace-prometheus-access
      • namespace: aura-system
      • namespace: aura-$ENV

Policy 13 - pushgateway-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: pushgateway and release: pushgateway to receive traffic from all pods in namespaces with labels networking/allow-namespace-pushgateway-access: true on port TCP 9091
    • app: pushgateway
      • namespace: aura-system deployment.apps/pushgateway
    • networking/allow-namespace-pushgateway-access
      • namespace: aura-system
      • namespace: aura-$ENV
  • Allows pods in namespace aura-system with labels app: pushgateway and release: pushgateway to receive traffic from pods in the same namespace with labels networking/allow-pod-pushgateway-access: true on port TCP 9091
    • app: pushgateway
      • namespace: aura-system deployment.apps/pushgateway
    • networking/allow-pod-pushgateway-access
      • namespace: aura-$ENV deployments.apps/nlp-provisioning

Policy 14 - redis-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: redis to receive traffic from pods with labels networking/allow-pod-redis-access: true in namespaces with labels networking/allow-namespace-redis-access: true on ports TCP 6379, TCP 26379 and TCP 9121
    • app: redis
      • namespace: aura-system statefulset.apps/redis
    • networking/allow-pod-redis-access
      • namespace: aura-$ENV deployments.apps/context
    • networking/allow-namespace-redis-access
      • namespace: aura-system
      • namespace: aura-$ENV

Policy 15 - thanos-network-policy

Ingress

  • Allows pods in namespace aura-system with labels app: thanos to receive traffic from pods with labels networking/allow-pod-thanos-access: true in namespaces with labels networking/allow-namespace-thanos-access: true on ports TCP 10901 and TCP 10902
    • app: thanos
    • networking/allow-pod-thanos-access
      • namespace: aura-system statefulset.apps/thanos-store-gateway
    • networking/allow-namespace-thanos-access
      • namespace: aura-system
      • namespace: aura-$ENV
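The policies above use two selector shapes: a single peer that requires a namespace label and a pod label together (Policy 9, mongodb), and two separate rules that are ORed (Policy 3, elasticsearch: any pod in a labelled namespace, or a labelled pod inside aura-system). The following added example, which is not code from the Aura project, models these Kubernetes NetworkPolicy ingress semantics and evaluates constructed source pods against both policies; "aura-dev" stands in for aura-$ENV and "scratch" is a hypothetical unlabelled namespace.

```python
"""NetworkPolicy ingress semantics for Policy 3 and 9 on this page (added example, not Aura code)."""
from dataclasses import dataclass

@dataclass
class Pod:
    namespace: str
    labels: dict      # labels on the pod
    ns_labels: dict   # labels on the pod's namespace

@dataclass
class Peer:
    """One entry of an ingress rule's `from` list; None means the selector is absent."""
    ns_selector: dict = None   # absent: peer is scoped to the policy's own namespace
    pod_selector: dict = None  # absent: all pods in the selected namespaces

@dataclass
class Rule:
    peers: list   # empty list: `from` absent, i.e. any source
    ports: set    # port numbers or named ports

def _matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())

def peer_allows(peer, policy_ns, src):
    # Within one peer, namespaceSelector and podSelector are ANDed.
    ns_ok = src.namespace == policy_ns if peer.ns_selector is None else _matches(peer.ns_selector, src.ns_labels)
    pod_ok = peer.pod_selector is None or _matches(peer.pod_selector, src.labels)
    return ns_ok and pod_ok

def allowed_ports(rules, policy_ns, src):
    """Ports `src` may reach on the policy's target pods; rules and peers are ORed."""
    ports = set()
    for rule in rules:
        if not rule.peers or any(peer_allows(p, policy_ns, src) for p in rule.peers):
            ports |= rule.ports
    return ports

# Policy 9 (mongodb): pod label AND namespace label, expressed in a single peer.
MONGODB = [Rule([Peer({"networking/allow-namespace-mongodb-access": "true"},
                      {"networking/allow-pod-mongodb-access": "true"})], {"mongodb"})]
# Policy 3 (elasticsearch): two ORed rules: any pod in a labelled namespace, or a labelled pod in aura-system.
ELASTICSEARCH = [
    Rule([Peer({"networking/allow-namespace-elasticsearch-access": "true"})], {9200, 9300}),
    Rule([Peer(None, {"networking/allow-pod-elasticsearch-access": "true"})], {9200, 9300}),
]
# Constructed sample sources; "aura-dev" stands in for aura-$ENV, "scratch" is hypothetical.
AURA_BOT = Pod("aura-dev", {"networking/allow-pod-mongodb-access": "true"},
               {"networking/allow-namespace-mongodb-access": "true",
                "networking/allow-namespace-elasticsearch-access": "true"})
STRAY = Pod("scratch", {"networking/allow-pod-mongodb-access": "true"}, {})
```

Running `allowed_ports(MONGODB, "aura-system", STRAY)` returns an empty set because the pod label alone is not enough under the single-peer shape, while `allowed_ports(ELASTICSEARCH, "aura-system", AURA_BOT)` returns both ports from the namespace label alone, which is the broader reach a reviewer should keep in mind for Policy 3-style rules.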

Last modified May 18, 2026: Remove KGB (52b04d91)