Systems deployed into a cloudspace in one of the local Hanscom clouds or commercial providers (e.g. AWS GovCloud, Azure, etc.) can reach out of the enclave to the greater network to access resources. Systems deployed in other DoD cloud providers (e.g. DISA milCloud) are subject to that provider's standard rules.
Most ports and traffic are allowed, per the latest DoD PPS. If outbound traffic is blocked, submit a support ticket and the request will be reviewed.
By default, no inbound traffic is allowed into the cloudspaces except via the approved application-based remote access. Users cannot host externally accessible sites or services. Local Hanscom clouds do not host production workloads; they only allow development, test, integration, and event activities. This restriction is part of the security architecture that allows users to deploy systems without separate ATOs. Commercial and other DoD providers can host production workloads but require IATT/ATOs for the user application and are subject to the requirements of the DoD Cloud Security Guide.
- The simplest way to interact with or test deployed systems is to launch client systems into the cloudspace. For WAN-like requirements, additional networks can be constructed using assets in the library (e.g. VyOS) and/or by connecting from additional cloudspaces (requires a support ticket).
- Users can request specific, event-based exceptions to temporarily allow inbound traffic into their cloudspace for the purposes of a coordinated test event. Requests shall be made via support ticket. Not all requests will be granted; each is subject to review by the HmC DAA team. The guidelines for requesting an opening are:
  - Limited, defined durations
  - Specific origination IP address(es) for incoming traffic
  - Automated Nessus scan of the environment with no unmitigated Critical or High findings
  - Systems built via the HmC Application using assets, not by hand (to be reviewed by HmC Site Admins)
  - Limited to DoD PPS “green” ports
  - Approval from the user’s Government PM for the event
  - Inbound to only one project-connected cloudspace