Secure Public Ingress
ADR-0140 Secure Public Ingress (v8)
| Traceability Links | |
|---|---|
| Jama Requirements | UERQ-SYS-1712 (FedRAMP Authorization), UERQ-SYS-1726 (FedRAMP Boundary Ingestion), FAS security requirements (UERQ-SYS-1509 through UERQ-SYS-1512) |
| Jira Tasks | |
Context
The Secure Sandbox requires a scalable ingress architecture that meets ITAR and FedRAMP Moderate requirements. The system is designed to eventually reside within a GCP Assured Workloads boundary. To minimize transition risk and technical debt, all infrastructure decisions made in the Sandbox must be inherently compatible with the “U.S. Person” and “Sovereign Boundary” constraints of the restricted production environment.
The selection of the public ingress stack was based on compliance, technical, and operational pillars:
Compliance Requirements
| Requirement | GCP | Cloudflare |
|---|---|---|
| U.S. Person-only support tiers (ITAR §120.10) | Yes, with Assured Workloads | Not available |
| Hardened “front door” capable of mTLS termination and DDoS mitigation (Boundary Protection NIST SC-7) | Yes, Cloud Armor and Load Balancer | Yes |
| Metadata that reveals operational “Patterns of Life” must be contained within a regulated boundary (Information Flow Enforcement NIST AC-4). | Yes, with Assured Workloads | Yes, Regional Services add-on |
| Decryption and content restricted to U.S.-only locations (ITAR §120.10, NIST AC-4). | Native, with regional load balancers, and Cloud CDN | Yes, Regional Services add-on |
| Allow only cryptographically authorized sessions (Authorization NIST AC-3, IA-8). | Yes, Signed URLs | Possible with custom configuration to validate and sign. |
| A clear audit trail of who accessed which assets (Auditability NIST AU-2). | Yes, unified Audit and Data Access logs, Signed URLs | Provides URL log for “what”, must be mapped with GKE/IAM logs for “who” |
Technical Requirements
| Requirement | GCP | Cloudflare |
|---|---|---|
| DNSSEC Enforcement | Manual setup and key rotation via Terraform/API. | One-click; automated key rotation. |
| Traffic Steering | Geo-steering: basic (steer by GCP region). | Geo-steering: advanced (steer by PoP latency). |
| Edge Intelligence | Resolution only; requires separate filtering tools. | Block “Lookalike” or malicious domains at the edge. |
| FedRAMP Control | Inherit CP-8 (Availability) & SC-20 (DNS). | Inherit CP-8 (Availability) & SC-20 (DNS). |
| Request Inspection | Limited: request body inspection of 8 KB (default) up to 64 KB (Standard). L4 DPI: requires Enterprise tier. | Deep: up to 128 KB (Standard) or 500 MB (Enterprise). |
| API Discovery | Manual: you must define paths and schemas yourself. | Automatic: detects new endpoints and schemas. |
| Adaptive Protection | Requires Enterprise tier (about $3k/mo) for ML-based detection. | Included; ML-based anomaly detection. |
| Rate Limiting | Basic (by IP or User-Agent). | Advanced (by Cookie, Header, or ASN). |
| FIPS 140-2/3 | Native to Google Front End (GFE) in Assured. | Enabled via “FIPS Mode” toggle. |
| mTLS Termination | Terminated at the Global Load Balancer (GCLB). | Terminated at the Cloudflare Edge. |
| Client Auth (mTLS) | Requires manual CRL/OCSP management. | Integrated “API Shield”; easy cert revocation. |
| Private CA Support | Native: Integrated with GCP Private CA Service. | Limited (mostly for internal tunneling). |
| Automated Renewal | Fully managed (Google Trust Services). | Fully managed (Digicert/Google/Let’s Encrypt). |
| Traffic Optimization | Native: Cloud CDN to offload static assets | Native: Cloudflare CDN |
Operational Requirements
| Requirement | GCP | Cloudflare |
|---|---|---|
| Operational Toil | Medium: three separate services (DNS, Armor, Certificate Manager) to keep in sync; mitigated by managing them only through IaC. | Low: one UI for DNS, WAF, and certificates. |
| Support Model | PaaS Support: You fix the “Config.” | SaaS Support: They fix the “Box.” |
| Policy Portability | Lock-in: Armor is tied to GCP GCLB. | Cloud-Agnostic: Move origins easily. |
| Audit Evidence | Logs split between DNS, Armor, and GCLB, but can be sent to same “log sink.” | Centralized logs for all edge events. |
Decision
We will utilize the GCP-native edge stack (Cloud DNS, Cloud Armor, Certificate Manager, and Cloud CDN) for the Secure Sandbox. The decision was driven by the nature of the data, which must satisfy FedRAMP Moderate/High and ITAR requirements. A critical component of these frameworks is the protection of “Technical Data,” which includes not only payload data but also the network metadata (IP patterns, system fingerprints, and security logs) that reveals the design or operational capacity of the system. Cloudflare cannot guarantee U.S.-only support, so it cannot meet that requirement.
Consequences
Positive
By avoiding vendors that cannot guarantee U.S. Person support, we simplify the NIST SA-9 (External Services) and AC-4 (Information Flow) documentation. GCP meets the compliance requirements for the restricted production environment with Assured Workloads.
Since the WAF and DNS services are native to the GCP project:
- Network metadata (IP logs, DNS queries, security events) never leaves the boundary.
- There is no need to “punch holes” for an external IP range in the VPC Service Controls policy.
- The logs are already in the same format and flow into the same Cloud Logging buckets; forwarding them to the chosen SIEM is a single log sink configuration.
By maintaining architectural parity between the Sandbox and the restricted production environment, we ensure that security controls validated during the development phase are functionally equivalent upon deployment. This eliminates ‘Architectural Drift’ and ensures that the NIST CM-6 (Configuration Settings) applied in the restricted environment have been pre-vetted for operational stability, without requiring non-U.S. persons to access the production boundary.
TLS termination on the GCLB utilizes FIPS 140-3 validated cryptographic modules (BoringCrypto). This provides native compliance with SC-13.
Direct ingress via the Global External Application Load Balancer (GCLB) reduces round-trip latency by removing the third-party proxy layer.
Telemetry enters the Google network at the nearest Edge Point of Presence and travels over Google’s private fiber backbone, minimizing jitter and ensuring CP-8 (Availability) for real-time streams.
Cloud DNS satisfies CP-8 by providing a 100% uptime SLA through a global anycast network, ensuring endpoint resolution even during regional outages or large-scale DDoS events.
GCP Certificate Manager automates certificate rotation and management, and can be integrated with the GCP Private CA Service to provide a strictly internal, U.S.-only root of trust for all identities, if required.
Using GCP native tools allows the team to utilize a single Customer Responsibility Matrix for operational efficiency.
Negative
- Cloud Armor may require more manual tuning of the OWASP Core Rule Set (CRS).
- While Cloud Armor Enterprise has adaptive protection, there may be more manual work to define what a “normal” request looks like compared to a “malicious” one.
- Configurations for
Alternatives Considered
Cloudflare (Commercial & Government)
Cloudflare, our current standard for non-regulated products, was evaluated as a potential Edge Security and CDN provider due to its reputation for ease of use and advanced bot management capabilities. A third-party edge provider like Cloudflare offers the potential for “Cloud Agnostic” portability. Theoretically, this would allow DroneUp to move the telemetry backend to another CSP (Cloud Service Provider) without reconfiguring the global entry point, DNS, or WAF rules. However, to meet federal requirements, this would have required a separate account in the Cloudflare for Government offering under an Enterprise plan.
- Sovereignty & U.S. Person Constraint (ITAR / NIST SA-9): Cloudflare for Government offers a secure environment but can’t ensure a fully “U.S. Person-only” support chain for all account and operational metadata. Metadata like connection logs and support interactions are sensitive. Using a provider with global support poses an unacceptable “Deemed Export” risk.
- Architectural Parity & Testing Fidelity (NIST CP-8): Using Cloudflare in Sandbox but GCP-Native in Production causes “Dual Architecture” friction. Sandbox tests won’t match Production for latency, WAF tuning, or VPC-SC enforcement. Sticking to GCP-Native ensures “tested code is production code,” reducing deployment outage risks.
- Audit Fragmentation (NIST AU-2 / SC-23): A hybrid stack splits the session audit trail. Linking a Keycloak identity in GKE to a Cloudflare request log needs manual “log stitching.” The GCP-Native stack offers a unified identity-to-edge audit trail for real-time tracking of Authority User access to ITAR-protected map assets.
- Security Perimeter Complexity (NIST SC-7): A third-party WAF requires maintaining manual IP-based “allowlists” and punching holes in the VPC-SC perimeter. By staying native, we utilize Identity-based trust, which is more secure and reduces the “operational toil.”
Formal Impact
ATOMx
Compliance Traceability Matrix (NIST 800-53 Moderate/ITAR)
| NIST Control | Control Name | GCP Component | Implementation Detail | FedRAMP/ITAR Significance |
|---|---|---|---|---|
| AC-3 | Access Enforcement | GCLB / Cloud Armor / Cloud CDN | Uses URL maps and WAF rules to enforce “Least Privilege” at the network edge. | Prevents unauthorized entities from hitting backend APIs. |
| AC-4 ITAR §120.10 | Information Flow Enforcement | VPC-SC / Cloud Armor | Restricts data transit within the Assured Workloads perimeter; inspects packet payloads. | Ensures metadata doesn’t leak to non-U.S. persons. |
| AC-6 | Least Privilege | Cloud IAM / Cloud CDN Signed URLs | The Signed URL only grants access to one specific file for a limited time. | Provides audit trail of who accessed what |
| AU-2 | Event Logging | Cloud Logging | Aggregates all GCLB request logs and Cloud Armor security events. | Provides the “Paper Trail” for the 3PAO audit. |
| CP-8 | Availability | Cloud DNS / GCLB | Global Anycast and multi-region failover for the 4 AOC ingest points. | Ensures telemetry stays active during regional outages. |
| IA-3 | Device Identification & Authentication | Certificate Manager | Enforces mTLS; validates certificates against a Trusted CA. | Ensures only “Trusted Defense Articles” can talk to the cloud. |
| SC-5 | Denial of Service Protection | Cloud Armor Enterprise | ML-based Adaptive Protection mitigates volumetric and L7 DDoS attacks. | Protects the telemetry from being drowned out by malicious traffic. |
| SC-7 | Boundary Protection | Cloud Armor / GCLB | Acts as the “Single Front Door”; replaces external WAFs (Cloudflare). | Consolidates the audit surface into one boundary. |
| SC-8 | Transmission Confidentiality/Integrity | GCLB (SSL/TLS) | Mandates TLS 1.2+ for all UI traffic and mTLS for all telemetry. | Protects “Technical Data” during transit over public networks. |
| SC-12 | Crypto Key Establishment/Mgmt | Certificate Manager / CAS | Automates the lifecycle of mTLS certificates and SSL keys. | Reduces “Toil” and risk of manual key rotation errors. |
| SC-13 | Use of Cryptography | GCLB / Cloud Armor | Use FIPS 140-3 validated modules for all termination. | Mandatory: Federal workloads must use validated crypto. |
| SC-20 | Secure Name/Address Resolution | Cloud DNS | Implements DNSSEC to prevent hijacking and spoofing. | Prevents “Man-in-the-Middle” redirection of drone traffic. |
| SC-23 | Session Authenticity | Cloud CDN / GCLB | The URL signature is unique to that user’s request, preventing “link sharing.” GCLB session affinity steers a session to the same pod for state management. | Mandates session identifiers that are complex enough to resist brute-force guessing. Easier to correlate logs for a single user. |
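The Cloud CDN Signed URL rows above (AC-3/IA-8 in the compliance table, AC-6 and SC-23 in the matrix) rest on one mechanism: the origin signs a URL for one asset with one expiry, and the edge rejects anything whose signature, key name or expiry does not check out. The following is an added example, not code from the original ADR or from Google, that implements that scheme as Google documents it (HMAC-SHA1 over `<url>?Expires=<epoch>&KeyName=<name>`, URL-safe base64, appended as the final `Signature` parameter) and pairs it with an edge-style verifier so the failure modes can be exercised offline. The key name, the key bytes and the map-tile URL are constructed for the example; in production the key lives on the backend service or bucket and the check runs inside Google’s edge, not in application code.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed 128-bit key in the URL-safe base64 form Cloud CDN expects
# (equivalent to `head -c 16 /dev/urandom | base64 | tr +/ -_`). Not a real key.
KEY_NAME = "sandbox-map-key"  # hypothetical key name configured on the backend service
KEY_B64 = base64.urlsafe_b64encode(bytes(range(16))).decode()


def _signature(url_to_sign: str, key_b64: str) -> str:
    """HMAC-SHA1 over the exact string the edge will see, URL-safe base64 encoded."""
    key = base64.urlsafe_b64decode(key_b64)
    digest = hmac.new(key, url_to_sign.encode("utf-8"), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode("utf-8")


def sign_url(url: str, key_name: str, key_b64: str, expires_epoch: int) -> str:
    """Produce a Cloud CDN signed URL for one asset that is valid until expires_epoch."""
    separator = "&" if urllib.parse.urlsplit(url).query else "?"
    url_to_sign = f"{url}{separator}Expires={expires_epoch}&KeyName={key_name}"
    return f"{url_to_sign}&Signature={_signature(url_to_sign, key_b64)}"


def verify_signed_url(signed_url: str, keys: dict[str, str], now_epoch: int) -> tuple[bool, str]:
    """Edge-side check (illustrative stand-in for what Cloud CDN does).

    Signature must be the last parameter; everything before it is covered by the
    HMAC, so any change to the path, query, Expires or KeyName breaks the check.
    Returns (accepted, reason).
    """
    url_to_sign, sep, presented = signed_url.rpartition("&Signature=")
    if not sep:
        return False, "missing Signature"
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url_to_sign).query)
    try:
        expires = int(params["Expires"][0])
        key_name = params["KeyName"][0]
    except (KeyError, ValueError):
        return False, "missing Expires or KeyName"
    key_b64 = keys.get(key_name)
    if key_b64 is None:
        return False, f"unknown key {key_name}"
    # Constant-time compare so a forger learns nothing from timing.
    if not hmac.compare_digest(_signature(url_to_sign, key_b64), presented):
        return False, "bad signature"
    if now_epoch >= expires:
        return False, "expired"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Sign one map tile for ten minutes and run the edge check against each failure mode."""
    keys = {KEY_NAME: KEY_B64}
    asset = "https://maps.sandbox.example/tiles/12/1205/1539.png"  # hypothetical ITAR map asset
    issued_at = 1_700_000_000
    signed = sign_url(asset, KEY_NAME, KEY_B64, expires_epoch=issued_at + 600)
    # Re-using the signature for a neighbouring tile: signature no longer matches.
    shared = signed.replace("/1539.png", "/1540.png")
    return {
        "valid": verify_signed_url(signed, keys, now_epoch=issued_at + 60),
        "tampered": verify_signed_url(shared, keys, now_epoch=issued_at + 60),
        "expired": verify_signed_url(signed, keys, now_epoch=issued_at + 601),
        "wrong_key": verify_signed_url(signed, {"other-key": KEY_B64}, now_epoch=issued_at + 60),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:10} accepted={accepted} reason={reason}")
```

The `KeyName` in the URL is what lets the edge log “which key signed this,” which is the hook the matrix relies on for the “who” side of AU-2: the signing service that holds that key is the only party that could have issued the URL, so the identity check happens at issuance time, not at the edge.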