# 🔒 Orleans Cluster Security Implementation Checklist

## **Phase 1: Network Infrastructure Security** ⚡

### **1.1 Network Configuration**

- [ ] **Set up private network** (10.x.x.x, 172.16-31.x.x or 192.168.x.x range) so that silo, gateway and database traffic never crosses a public interface
- [ ] **Configure VPN** between trading and compute servers
- [ ] **Assign static IPs** to both servers (the firewall rules, `pg_hba.conf` entries and `EXTERNAL_IP` values below all depend on them not changing)
- [ ] **Document network topology** and IP assignments

### **1.2 Firewall Configuration**

- [ ] **Trading Server Firewall Rules:**
  - [ ] Allow PostgreSQL port (5432) from compute server (only if PostgreSQL runs on this host; with the separate `db-server` used in the connection strings below this rule is not needed)
  - [ ] Allow Orleans silo port (11111) from compute server
  - [ ] Allow Orleans gateway port (30000) from compute server
  - [ ] Block all other incoming connections
- [ ] **Compute Server Firewall Rules:**
  - [ ] Allow PostgreSQL port (5432) from trading server (same caveat as above)
  - [ ] Allow Orleans silo port (11121) from trading server
  - [ ] Allow Orleans gateway port (30010) from trading server
  - [ ] Block all other incoming connections
- [ ] **Database Server Firewall Rules:**
  - [ ] Allow PostgreSQL port (5432) from both servers only
  - [ ] Block all other incoming connections
- [ ] **Check the rules against how Orleans actually uses the ports:** the silo port must be reachable from every other silo (silo-to-silo messaging and membership probes), while the gateway port is only used by Orleans *clients*, so open it to the client hosts and nothing else; default-deny inbound on all three hosts and, where the platform allows it, restrict outbound to the peer silo and the database as well.

## **Phase 2: Orleans Configuration Security** ⚙️

### **2.1 Environment Variables**

- [ ] **Trading Server Environment:**

```bash
export SILO_ROLE=Trading
export EXTERNAL_IP=192.168.1.100
export TASK_SLOT=1
export POSTGRESQL_ORLEANS="Host=db-server;Database=orleans;Username=orleans_user;Password=secure_password;SSL Mode=Require"
```

- [ ] **Compute Server Environment:**

```bash
export SILO_ROLE=Compute
export EXTERNAL_IP=192.168.1.101
export TASK_SLOT=2
export POSTGRESQL_ORLEANS="Host=db-server;Database=orleans;Username=orleans_user;Password=secure_password;SSL Mode=Require"
```

The user name matches the dedicated `orleans_user` created in Phase 3.1, and `SSL Mode=Require` stops Npgsql from falling back to a plaintext connection. `secure_password` is a placeholder: on the real hosts inject the connection string from the secrets manager of Phase 3.2 into a service unit or environment file readable only by the silo's service account, never into a shared shell profile or the repository.

### **2.2 Code Configuration Updates**

- [ ] **Bound connection setup in NetworkingOptions:**

```csharp
.Configure<NetworkingOptions>(options =>
{
    // How long a silo waits when opening a connection to a peer before giving up (default 5 s)
    options.OpenConnectionTimeout = TimeSpan.FromSeconds(5);
})
```

`NetworkingOptions` carries connection-level limits such as `OpenConnectionTimeout`; trace-context propagation (the OpenTelemetry `traceparent` header) is enabled separately with `siloBuilder.AddActivityPropagation()` and is not a networking option.

- [ ] **Enhance MessagingOptions:**

```csharp
.Configure<MessagingOptions>(options =>
{
    options.ResponseTimeout = TimeSpan.FromSeconds(60);
    options.DropExpiredMessages = true;
    // Reject oversized payloads before they are deserialized
    options.MaxMessageBodySize = 4 * 1024 * 1024;
    options.ClientSenderBuckets = 16;
})
```

- [ ] **Harden cluster membership (liveness) settings:**

```csharp
.Configure<ClusterMembershipOptions>(options =>
{
    options.EnableIndirectProbes = true;
    options.ProbeTimeout = TimeSpan.FromSeconds(10);
    // Evict dead silos from the membership table quickly so stale entries cannot be reused
    options.DefunctSiloCleanupPeriod = TimeSpan.FromMinutes(1);
    options.DefunctSiloExpiration = TimeSpan.FromMinutes(2);
})
```

These settings control how fast an unresponsive silo is detected and removed; they do not authenticate silos. Anything that can reach the silo port can join the cluster unless the TLS step in Phase 5.1 is in place.

## **Phase 3: Database Security** 🗄️

### **3.1 PostgreSQL Security**

- [ ] **Create dedicated Orleans user with least privilege:**

```sql
CREATE USER orleans_user WITH PASSWORD 'secure_password';
-- Run the Orleans clustering/storage schema scripts as the database owner once,
-- then grant the runtime account only what the silo needs at run time
GRANT CONNECT ON DATABASE orleans TO orleans_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO orleans_user;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO orleans_user;
```

`GRANT ALL PRIVILEGES ON DATABASE` would let the runtime account create objects in the database and still would not grant the table rights Orleans needs; the explicit DML/EXECUTE grants above do both jobs correctly.

- [ ] **Enable SSL/TLS for PostgreSQL:**

```bash
# In postgresql.conf
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_min_protocol_version = 'TLSv1.2'
# Hash new passwords with SCRAM; set this before CREATE USER so the stored verifier is SCRAM, not md5
password_encryption = scram-sha-256
```

`ssl = on` only *allows* TLS; it is the `hostssl` lines in `pg_hba.conf` and `SSL Mode=Require` in the client connection string that enforce it.

- [ ] **Configure pg_hba.conf:**

```bash
# Only allow TLS connections from the two silo hosts, authenticated with SCRAM
hostssl orleans orleans_user 192.168.1.100/32 scram-sha-256
hostssl orleans orleans_user 192.168.1.101/32 scram-sha-256
```

### **3.2 Connection String Security**

- [ ] **Keep connection strings in a secrets manager** (Azure Key Vault, AWS Secrets Manager) and inject them at start-up rather than storing them in the repo or on disk in clear text
- [ ] **Rotate database passwords** regularly
- [ ] **Monitor database access logs** (enable `log_connections` and alert on any connection that is not from the two silo IPs)

## **Phase 4: Application Security** 🛡️

### **4.1 Logging & Monitoring**

- [ ] **Keep the Orleans runtime log categories visible:**

```csharp
.ConfigureLogging(logging =>
{
    // Membership changes and connection failures are emitted at Information/Warning;
    // filtering these categories any higher hides the events the alerting below relies on
    logging.AddFilter("Orleans", LogLevel.Information);
    logging.AddFilter("Microsoft.Orleans", LogLevel.Warning);
})
```

- [ ] **Set up cluster health monitoring**
- [ ] **Configure alerting for cluster membership changes** (a silo joining that is not one of the two known addresses is the most important signal)
- [ ] **Log all grain placement decisions**

### **4.2 Access Control**

- [ ] **Implement server authentication** (optional)
- [ ] **Add grain-level authorization** (if needed)
- [ ] **Set up audit logging** for sensitive operations

## **Phase 5: Advanced Security (Optional)** 🔐

### **5.1 TLS/SSL Encryption**

- [ ] **Issue certificates** for Orleans communication: one certificate per silo from a private CA that every silo (and client) trusts
- [ ] **Configure TLS in Orleans:**

```csharp
// Requires the Microsoft.Orleans.Connections.Security package
var cert = new X509Certificate2("path/to/certificate.pfx", certPassword);
siloBuilder.UseTls(cert, options =>
{
    // Mutual TLS: peers that do not present a certificate chaining to the cluster CA are rejected at the handshake
    options.ClientCertificateMode = TlsClientCertificateMode.RequireCertificate;
    options.RemoteCertificateMode = RemoteCertificateMode.RequireCertificate;
});
```

- [ ] **Set up certificate rotation** process (rotate before expiry; a silo with an expired certificate is refused by its peers and drops out of the cluster)
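The items in Phase 2 and Phase 5.1 above are fragments of one silo start-up. The following `Program.cs` is an added example (not code from the original checklist or from the Orleans project) that ties them together: it reads the Phase 2.1 variables, derives the per-server silo/gateway ports that the Phase 1.2 firewall rules expect, refuses to advertise a non-private address, forces TLS on the PostgreSQL connection, applies the Phase 2.2 options and enables mutual TLS between silos. It assumes Orleans 8.x with the `Microsoft.Orleans.Server`, `Microsoft.Orleans.Clustering.AdoNet`, `Npgsql` and `Microsoft.Orleans.Connections.Security` packages; the cluster/service IDs and the two extra variables `SILO_CERT_PATH` / `SILO_CERT_PASSWORD` are assumptions, and the `TlsOptions` member names should be checked against the Orleans version in use.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Orleans.Configuration;
using Orleans.Connections.Security;
using Orleans.Hosting;

// Added example, not the page's or the Orleans project's code. Assumes Orleans 8.x and the
// packages named in the lead-in; SILO_CERT_PATH / SILO_CERT_PASSWORD are hypothetical
// variables pointing at this silo's PFX from Phase 5.1.

// Fail fast on a missing variable instead of starting a half-configured silo.
static string Require(string name) =>
    Environment.GetEnvironmentVariable(name)
    ?? throw new InvalidOperationException($"Required environment variable {name} is not set");

// RFC 1918 check: never advertise a silo on anything but the private network from Phase 1.1.
static bool IsPrivate(IPAddress ip)
{
    var b = ip.GetAddressBytes();
    return b.Length == 4 && (b[0] == 10
        || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)
        || (b[0] == 192 && b[1] == 168));
}

var role = Require("SILO_ROLE");                        // "Trading" or "Compute"
var slot = int.Parse(Require("TASK_SLOT"));             // 1 => 11111/30000, 2 => 11121/30010
var externalIp = IPAddress.Parse(Require("EXTERNAL_IP"));
if (!IsPrivate(externalIp))
    throw new InvalidOperationException($"EXTERNAL_IP {externalIp} is not a private address");

var siloPort = 11111 + (slot - 1) * 10;      // must match the per-server firewall rules in Phase 1.2
var gatewayPort = 30000 + (slot - 1) * 10;

// Never let Npgsql fall back to plaintext: pg_hba.conf (Phase 3.1) only accepts hostssl anyway.
var dbConnectionString = Require("POSTGRESQL_ORLEANS");
if (!dbConnectionString.Contains("SSL Mode=", StringComparison.OrdinalIgnoreCase))
    dbConnectionString += ";SSL Mode=Require";

// Per-silo certificate issued by the private CA; the PFX password comes from the secret store.
var siloCertificate = new X509Certificate2(Require("SILO_CERT_PATH"),
                                           Environment.GetEnvironmentVariable("SILO_CERT_PASSWORD"));

var host = Host.CreateDefaultBuilder(args)
    .ConfigureLogging(logging =>
    {
        // Membership changes and connection failures are logged by the Orleans runtime;
        // keep them visible so the Phase 4.1 alerting has something to match on.
        logging.AddFilter("Orleans", LogLevel.Information);
    })
    .UseOrleans(silo =>
    {
        silo.Configure<ClusterOptions>(o =>
        {
            o.ClusterId = "trading-cluster";      // assumed identifiers
            o.ServiceId = "trading-platform";
        });
        silo.Configure<SiloOptions>(o => o.SiloName = $"{role}-{slot}");

        // Advertise the private address and listen on it alone (not on 0.0.0.0).
        silo.ConfigureEndpoints(externalIp, siloPort, gatewayPort, listenOnAnyHostAddress: false);

        // Membership table in PostgreSQL (Phase 3), over TLS.
        silo.UseAdoNetClustering(o =>
        {
            o.Invariant = "Npgsql";
            o.ConnectionString = dbConnectionString;
        });

        // Phase 2.2 settings.
        silo.Configure<SiloMessagingOptions>(o =>
        {
            o.ResponseTimeout = TimeSpan.FromSeconds(60);
            o.DropExpiredMessages = true;
            o.MaxMessageBodySize = 4 * 1024 * 1024;   // reject oversized payloads before deserialization
        });
        silo.Configure<ClusterMembershipOptions>(o =>
        {
            o.EnableIndirectProbes = true;
            o.ProbeTimeout = TimeSpan.FromSeconds(10);
            o.DefunctSiloCleanupPeriod = TimeSpan.FromMinutes(1);
            o.DefunctSiloExpiration = TimeSpan.FromMinutes(2);
        });

        // Phase 5.1: mutual TLS. A host that reaches the silo port but holds no certificate
        // from the cluster CA is rejected at the handshake instead of being admitted to the cluster.
        silo.UseTls(siloCertificate, tls =>
        {
            tls.ClientCertificateMode = TlsClientCertificateMode.RequireCertificate;
            tls.RemoteCertificateMode = RemoteCertificateMode.RequireCertificate;
        });
    })
    .Build();

await host.RunAsync();
```

Run the same binary on both servers with only the environment differing; with `TASK_SLOT=1` the trading silo listens on 11111/30000 and with `TASK_SLOT=2` the compute silo on 11121/30010, which is exactly what the Phase 1.2 rules allow. Because both sides require a CA-issued certificate, the TLS step also closes the gap left by the network-only controls: a rogue process on the VPN can still reach the silo port, but cannot join the cluster.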
### **5.2 Container Security (if using Docker)**

- [ ] **Use non-root users** in containers
- [ ] **Scan container images** for vulnerabilities
- [ ] **Implement container network policies**
- [ ] **Use secrets management** for sensitive data

## **Phase 6: Testing & Validation** ✅

### **6.1 Security Testing**

- [ ] **Test cluster connectivity** between servers
- [ ] **Verify firewall rules** are working correctly (from a third host, confirm the silo, gateway and PostgreSQL ports are all closed)
- [ ] **Test failover scenarios** (server disconnection)
- [ ] **Validate grain placement** is working correctly
- [ ] **Test database connection security** (a non-SSL connection and a connection from any IP other than the two silos must both be refused)

### **6.2 Performance Testing**

- [ ] **Load test** the cluster with both server types
- [ ] **Monitor network latency** between servers (the VPN and TLS add overhead; measure before and after enabling them)
- [ ] **Test grain migration** between servers
- [ ] **Validate load balancing** is working

## **Phase 7: Documentation & Maintenance** 📚

### **7.1 Documentation**

- [ ] **Document network architecture**
- [ ] **Create security runbook**
- [ ] **Document troubleshooting procedures**
- [ ] **Create incident response plan**

### **7.2 Ongoing Maintenance**

- [ ] **Set up regular security audits**
- [ ] **Schedule password rotation**
- [ ] **Monitor security logs**
- [ ] **Update Orleans and dependencies** regularly
- [ ] **Review and update firewall rules**

## **Priority Levels** 🎯

- **🔴 Critical (Do First):** Network configuration, firewall rules, database security
- **🟡 Important (Do Second):** Orleans configuration updates, monitoring
- **🟢 Optional (Do Later):** TLS encryption, advanced access control

Treat TLS as optional only while the private network and VPN from Phase 1 are the sole path between the silos: Orleans silo-to-silo traffic is neither encrypted nor authenticated without it, so network isolation is the only control keeping an unknown host from joining the cluster.

## **Estimated Timeline** ⏱️

- **Phase 1-2:** 1-2 days (Network + Orleans config)
- **Phase 3:** 1 day (Database security)
- **Phase 4:** 1 day (Application security)
- **Phase 5:** 2-3 days (Advanced security)
- **Phase 6:** 1-2 days (Testing)
- **Phase 7:** Ongoing (Documentation & maintenance)

**Total: 6-9 days for complete implementation**

---

**Note:** Start with Phases 1-3 for basic security, then add advanced features as needed. The most critical items are network isolation and database security.