10-18-2024 07:40 AM
INFO: We install OPAs manually, so some answers may change compared to documentation
The reason we did that is that OPA was already viewed as a “foreign agent” with carte blanche to our network by our security team at the time.
We now have 2 pre-prod servers installed in 2 of our on-prem (non-cloud) data centers, the vision being:
i. Both acting as active-active nodes behind the same OPA group
ii. A lot of controlled routing from there to our AWS servers, with restrictions and monitoring/alerting in place
QUESTIONS: If we were to eventually switch to letting Workato provision OPAs
What will we gain?
What are best practices and some solutions other customers implemented to mitigate risks of Workato having powerful access to install software on our hosts?
Unqork and/or Workato failover – that is generally covered by a separate conversation, but in terms of OPA – will our OPA(s)
reconnect automatically?
Reconnect upon restart?
Will need any other steps (like config change, credentials change, etc)?
If we must failover our OPA servers – in the scenario of 2 OPAs under the same OPA group:
Will the node that is still up continue to receive all requests?
When restoring the node that went down, no special steps to reconnect?
If we have to rebuild the host (or add a new host) for the failed node – we will use OPA console and install an OPA as for any new install?
Slightly off topic but related – OPA upgrades
1. How will we know when a new version of OPA has to be applied?
i. How do we get vuln alerts
ii. release notifications
iii. compatibility matrix/issues
If it must be upgraded, what would be the process?
a month ago
Dear @srikanthunqork
Switching to Workato-provisioned On-Prem Agent (OPA) offers convenience, automation, and some maintenance benefits, but it also raises questions about security, operational management, and failover scenarios. Here's a breakdown of what you can gain, best practices, and steps for managing OPAs in different situations, including failover and upgrades.
What You Will Gain by Switching to Workato-Provisioned OPAs
1. Automated Provisioning & Configuration: Workato automatically handles provisioning, configuration, and upgrades for OPAs. This reduces your operational overhead since you don't need to manually install, configure, or manage OPA nodes.
2. Centralized Management: Workato offers centralized management of OPAs via the OPA Console, allowing you to monitor, configure, and manage multiple agents easily.
3. Automatic Updates: Workato ensures your OPAs are always up to date with the latest security patches, features, and improvements without manual intervention.
4. Optimized Scaling: If your workload increases, Workato can automatically manage scaling, including provisioning additional nodes or resources.
Best Practices and Risk Mitigation Solutions
Since switching to Workato provisioning OPAs could introduce a powerful agent into your network, here are some steps to mitigate risks:
1. Controlled Deployment: Configure role-based access control (RBAC) and least-privilege access to ensure only authorized users can manage or view the OPA configurations and logs.
2. Network Segmentation: Keep your Workato-provisioned OPAs isolated in a segmented network to prevent unrestricted access to critical parts of your infrastructure.
3. Monitoring and Alerts: Set up detailed logging and monitoring with alerting mechanisms to detect unusual activity from the OPA agents. Use network-level monitoring to detect any out-of-pattern behaviors.
4. OPA Firewall Rules: Continue to maintain strict firewall and routing rules to control access between your OPA servers and AWS or other resources. This limits any potential attack vectors.
5. Approval Workflow: Implement an internal approval workflow for any changes that require new OPA deployments or upgrades, ensuring every action is vetted before execution.
Failover & Auto-Reconnect for OPAs
1. Automatic Reconnection: OPAs should reconnect automatically after a restart. Workato handles reconnection via the OPA's secure connection back to the Workato cloud. You shouldn't need to change any configurations or credentials unless something critical (like the API key) is modified.
2. Failover in Active-Active Setup:
- If you have 2 OPAs in an active-active configuration, the remaining OPA node will continue to process requests if the other goes down.
- No manual intervention is needed for failover, as Workato can detect when a node is down and automatically direct traffic to the healthy node.
3. Restoring or Rebuilding a Node:
- If you need to rebuild or replace an OPA node, you would follow the same steps as a new install (using the OPA console to install and provision it).
- Once restored, it will rejoin the OPA group and start processing requests as usual. There should be no need for special steps beyond the standard installation procedure.
OPA Upgrades and Notifications
1. Upgrade Notifications: Workato regularly provides release notes, including upgrade and vulnerability notifications. These can be received via:
- Workato Community and Documentation: Workato regularly posts updates and release notifications.
- Workato’s Admin Console: OPA version updates and upgrade prompts will be visible in the Workato console.
2. Vulnerability Alerts: Workato typically monitors and responds to vulnerability reports, and you will be notified in the console or via email alerts if there are critical vulnerabilities.
3. Compatibility Matrix/Issues: Workato ensures that the OPA versions are compatible with the platform. Release notes will include any potential issues, required upgrades, or changes in support for certain operating systems or environments.
4. Upgrade Process:
- Workato-provisioned OPA: Upgrades happen automatically when a new version is released.
- Self-managed OPA: You will receive upgrade prompts, and you will need to download and apply the new version manually. It will require a restart of the OPA services.
General Considerations
- Custom Configurations: If you have complex routing or custom configurations in place, you may need to carefully review how those are managed during the switch to a Workato-managed OPA, as they may get overwritten or need reconfiguration.
- Security Concerns: Any concerns around Workato’s agent deployment on-premises can be alleviated by isolating it, restricting access, and auditing all activities associated with OPA.
In summary, the move to Workato-provisioned OPAs can simplify many operational tasks like upgrades and failovers. However, to mitigate risks, it's essential to maintain strict security controls, continuous monitoring, and a solid failover plan. If Workato-managed OPAs fit within your company's security posture, they can provide significant operational benefits.
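Added example, not part of the original posts and not Workato code: one way to implement the network-level monitoring and firewall-rule checks discussed in the reply above is to audit flow records from the OPA hosts against an explicit egress allowlist. All addresses, ports and the log format are constructed assumptions; 198.51.100.0/24 stands in for the vendor cloud range and 10.50.0.0/16 for the routed AWS subnets.

```python
import ipaddress

# Assumed inventory: the two on-prem OPA nodes (constructed addresses).
OPA_HOSTS = {"10.10.1.15", "10.20.1.15"}

# Assumed egress policy: (destination network, port) pairs the OPA nodes may reach.
# 198.51.100.0/24 is a placeholder for the vendor cloud endpoints, 10.50.0.0/16 for
# the routed AWS subnets; replace with the ranges your firewall actually permits.
ALLOWED = [
    (ipaddress.ip_network("198.51.100.0/24"), 443),
    (ipaddress.ip_network("10.50.0.0/16"), 5432),
    (ipaddress.ip_network("10.50.0.0/16"), 443),
]

# Constructed sample flow records: "timestamp src dst dport action"
SAMPLE_LOG = """\
2024-10-18T07:40:01Z 10.10.1.15 198.51.100.20 443 ACCEPT
2024-10-18T07:40:02Z 10.20.1.15 10.50.3.7 5432 ACCEPT
2024-10-18T07:40:05Z 10.10.1.15 10.50.3.7 22 REJECT
2024-10-18T07:40:09Z 10.20.1.15 203.0.113.9 443 ACCEPT
2024-10-18T07:40:11Z 10.10.9.9 203.0.113.9 443 ACCEPT
malformed line
"""

def is_allowed(dst, port):
    addr = ipaddress.ip_address(dst)
    return any(addr in net and port == p for net, p in ALLOWED)

def audit(log_text):
    """Return (findings, skipped): out-of-policy flows from OPA hosts, unparsable line count."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts, src, dst, port, action = line.split()
            port = int(port)
            ipaddress.ip_address(src)
            allowed = is_allowed(dst, port)
        except ValueError:  # wrong field count, bad port or bad address
            skipped += 1
            continue
        if src not in OPA_HOSTS or allowed:
            continue
        # ACCEPT means the firewall let an unlisted flow through: a rule gap.
        severity = "high" if action == "ACCEPT" else "info"
        findings.append({"ts": ts, "src": src, "dst": dst, "port": port, "severity": severity})
    return findings, skipped

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A "high" finding is an unlisted destination that the firewall accepted, which points at a missing deny rule; an "info" finding is an unlisted attempt that was blocked and is still worth alerting on for an agent host.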