@@ -60,8 +60,8 @@ Chaos Studio has the following operations:
60
60
| Microsoft.Chaos/experiments/[Read,Write,Delete]| Get, create, update, or delete a chaos experiment. |
61
61
| Microsoft.Chaos/experiments/start/action | Start a chaos experiment. |
62
62
| Microsoft.Chaos/experiments/cancel/action | Stop a chaos experiment. |
63
-
| Microsoft.Chaos/experiments/statuses/Read | Get the execution status for a run of a chaos experiment. |
64
-
| Microsoft.Chaos/experiments/executionDetails/Read| Get the execution details (status and errors for each action) for a run of a chaos experiment. |
63
+
| Microsoft.Chaos/experiments/executions/Read | Get the execution status for a run of a chaos experiment. |
64
+
| Microsoft.Chaos/experiments/getExecutionDetails/action| Get the execution details (status and errors for each action) for a run of a chaos experiment. |
65
65
66
66
To assign these permissions granularly, you can [create a custom role](../role-based-access-control/custom-roles.md).
67
67
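Review bot: the two renamed operations (`experiments/statuses/Read` to `experiments/executions/Read`, and `experiments/executionDetails/Read` to `experiments/getExecutionDetails/action`) are a breaking change for anyone who followed the sentence just below this table and built a custom role on the old names, and the hunk says nothing about it. Since `getExecutionDetails` also moves from a `Read` to an `action` operation, a custom role that only grants `*/Read` on experiments will no longer cover execution details. Suggest a short note under the table stating whether the old operation names remain valid and that existing custom role definitions must be updated, and for consistency add the missing space before the closing pipe in `| Microsoft.Chaos/experiments/getExecutionDetails/action|` to match the other rows.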
@@ -77,12 +77,25 @@ All user interactions with Chaos Studio happen through Azure Resource Manager. I
77
77
***Agent-based private networking**: The Chaos Studio agent now supports private networking. Please see [Private networking for Chaos Agent](chaos-studio-private-link-agent-service.md).
78
78
79
79
## Service tags
80
-
A [service tag](../virtual-network/service-tags-overview.md) is a group of IP address prefixes that can be assigned to inbound and outbound rules for network security groups. It automatically handles updates to the group of IP address prefixes without any intervention.
80
+
A [service tag](../virtual-network/service-tags-overview.md) is a group of IP address prefixes that can be assigned to inbound and outbound rules for network security groups. It automatically handles updates to the group of IP address prefixes without any intervention. Since service tags primarily enable IP address filtering, service tags alone aren’t sufficient to secure traffic.
81
81
82
82
You can use service tags to explicitly allow inbound traffic from Chaos Studio without the need to know the IP addresses of the platform. Chaos Studio's service tag is `ChaosStudio`.
83
83
84
84
A limitation of service tags is that they can only be used with applications that have a public IP address. If a resource only has a private IP address, service tags can't route traffic to it.
85
85
86
+
### Use cases
87
+
Chaos Studio uses Service Tags for several use cases.
88
+
89
+
* To use [agent-based faults](chaos-studio-fault-library.md#agent-based-faults), the Chaos Studio agent running inside customer virtual machines must communicate with the Chaos Studio backend service. The Service Tag lets customers allow-list the traffic from the virtual machine to the Chaos Studio service.
90
+
* To use certain faults that require communication outside the `management.azure.com` namespace, like [Chaos Mesh faults](chaos-studio-fault-library.md#azure-kubernetes-service) for Azure Kubernetes Service, traffic comes from the Chaos Studio service to the customer resource. The Service Tag lets customers allow-list the traffic from the Chaos Studio service to the targeted resource.
91
+
* Customers can use other Service Tags as part of the Network Security Group Rules fault to affect traffic to/from certain Azure services.
92
+
93
+
By specifying the `ChaosStudio` Service Tag in security rules, traffic can be allowed or denied for the Chaos Studio service without the need to specify individual IP addresses.
94
+
95
+
### Security considerations
96
+
97
+
When evaluating and using service tags, it’s important to note that they don’t provide granular control over individual IP addresses and shouldn’t be relied on as the sole method for securing a network. They aren’t a replacement for proper network security measures.
98
+
86
99
## Data encryption
87
100
88
101
Chaos Studio encrypts all data by default. Chaos Studio only accepts input for system properties like managed identity object IDs, experiment/step/branch names, and fault parameters. An example is the network port range to block in a network disconnect fault.
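Review bot: the new "Use cases" bullets and the unchanged sentence above them disagree on traffic direction, which matters for the rule a reader will actually write. The existing text says service tags "explicitly allow inbound traffic from Chaos Studio", but the first bullet describes outbound traffic from the customer's VM (the agent) to the Chaos Studio backend, and only the second bullet (Chaos Mesh faults) is inbound from the service to the customer resource. Suggest stating the direction explicitly in each bullet, e.g. "allow outbound traffic from the virtual machine to the `ChaosStudio` service tag" and "allow inbound traffic from the `ChaosStudio` service tag to the targeted resource", so the NSG rule direction is unambiguous. Two smaller points: the caveat "service tags alone aren't sufficient to secure traffic" added to the intro paragraph repeats the new "Security considerations" section almost verbatim, so keep it in one place (the dedicated section is the better home and could say why, i.e. the tag matches the platform's whole address range rather than a specific experiment); and the hunk mixes "Service Tag(s)" with the "service tag" casing used in the existing text, so pick one.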