in dialogflow-cx/vpc-sc-demo/frontend/src/HomePage.js [237:276]
Minimal security protections (only IAM permissions protecting ingress to
Dialogflow CX and Cloud Functions, granted to all authenticated users),
represented by the red-dotted line from the "User" icons, with the
blocked-key icon indicating that unauthenticated requests are rejected.
</Typography>
<Typography paragraph>
The diagram on the right adds several resources and configurations to
the deployment: IAM and ingress protections on the
Cloud Function, two VPC-SC perimeters and a reverse proxy server running
in Google Compute Engine (GCE). The perimeters are represented by the
red bands around the Dialogflow CX resource group and the Cloud
Functions resource group, and indicate that external access to these
service APIs is blocked. The VPC resource block contains the GCE
instance functioning as a reverse proxy server.
</Typography>
<Typography variant="h4" sx={{my: 3}}>
Securing Webhooks with Webhook Ingress from VPC
</Typography>
<Typography paragraph sx={{ml: 2}}>
Allowing access from the open internet to a Cloud Function that might
return sensitive information is a security concern, even if IAM
permissions are already in place. The caller's credentials are validated
from a user token, and if that token is accidentally mishandled (or
maliciously compromised) a data breach might result. Because of this, it
is a good idea to add ingress protections to the configuration, so that
requests which do not originate from a VPC (that is, requests from the
open internet) are rejected before any token is evaluated.
</Typography>
<Typography paragraph sx={{ml: 2}}>
However, this poses a challenge when interacting with Dialogflow: webhook
requests from the agent originate outside the VPC, and would therefore
receive a 403 Forbidden response. A reverse proxy service (RPS) running
inside the VPC can receive the agent's request and forward it to Cloud
Functions for fulfillment. There are, however, several complications.
First of all, Dialogflow has to be able to find the RPS; this is
accomplished by configuring a Service Directory Service (and Endpoint)
that points Dialogflow to the RPS's internal IP address on the VPC.
</Typography>
{/* eslint-disable no-template-curly-in-string */}