Active support for T0/T1

[helendduncan]

✅ Checklist

• I have searched open and closed issues for duplicates.
• This is a request for a new feature in the Data Safe Haven or an upgrade to an existing feature.
• The feature is still missing in the latest version.
• I have read through the documentation.
• This isn't an open-ended question (open a discussion if it is).

🍓 Suggested change

The current SREs cannot support T0/T1 RE internet access

🚂 How could this be done?

[JimMadge]

We do document these tiers here.

The only technical difference is that outbound internet from the workspaces is allowed.
The change should then be,

• Add config option for outbound internet
• Add template for T0/1
• Use that config value to modify NSG rules (presumably) for workspaces (and firewall rules?).

@jemrobinson Any tips on how the network configuration needs to be changed?

[jemrobinson]

The shm-$NAME-sre-$NAME-nsg-workspaces NSG group needs a rule that allows outbound internet access (I think there's already a rule that allows TCP outbound for configuration?).

We then need to add a rule to the firewall which is "allow" for "*". I'll let you decide whether it's easier to only add this rule for environments that allow outgoing internet access or to make it a rule that's always there but flips between allow/deny depending on this setting (note if you pick the second option you'll have to choose the priority carefully so it doesn't block things we want to allow).

Good catch @helendduncan !