WDC Infrastructure Architecture Overview
wdc.us.gl3 + cloud.us | All Servers | Rocky Linux 8.10 | VMware ESXi 6.7 + GCP | CIS Controls v8
Classification: CONFIDENTIAL — Internal Use Only
This document is the master reference for the complete WDC + GCP cloud infrastructure.
For deployment instructions see the server-specific guides below.
| Guide | Servers | Document |
|---|---|---|
| DNS/DHCP Infrastructure | SKY + RAIN | sky-rain-dns-dhcp-infrastructure.md |
| Monitoring & Logging | SUN + WIND | sun-wind-monitoring-logging.md |
| GCP Cloud VMs | OAK + MAPLE + CEDAR | oak-maple-cedar-cloud-servers.md |
| Architecture Overview | All seven servers | This document |
1. Seven-Server Infrastructure Summary
WDC On-Premises (VMware ESXi)
| Server | Hostname | Production IP | Management IP | Role |
|---|---|---|---|---|
| SKY | sky.wdc.us.gl3 | 192.168.120.1 | 192.168.124.1 | Primary DNS + DHCP |
| RAIN | rain.wdc.us.gl3 | 192.168.120.2 | 192.168.124.2 | Secondary DNS + DHCP |
| SUN | sun.wdc.us.gl3 | 192.168.120.3 | 192.168.124.3 | Prometheus + Grafana |
| WIND | wind.wdc.us.gl3 | 192.168.120.4 | 192.168.124.4 | Elasticsearch + Logstash + Kibana |
GCP Cloud (us-central1-a)
| Server | Hostname | IP | Machine Type | Role |
|---|---|---|---|---|
| OAK | oak.cloud.us | 172.16.0.10 | n2-standard-2 | Security Scanner (OpenVAS) |
| MAPLE | maple.cloud.us | 172.16.0.12 | e2-standard-2 | Cloud Monitoring (Prometheus + Grafana + Wazuh) |
| CEDAR | cedar.cloud.us | 172.16.0.13 | e2-standard-4 | Cloud Logging (ELK + Wazuh Indexer) |
All four WDC servers share the same virtual hardware (the GCP VMs are sized differently; see §13.3):

| Parameter | Value |
|---|---|
| vCPU | 4 |
| RAM | 8 GB |
| Disk 1 — sda (OS) | 200 GB Thin Provision VMDK |
| Disk 2 — sdb (Data) | 300 GB Thin Provision VMDK |
| Total per server | 500 GB |
| Total ESXi allocation | 2 TB (thin provisioned, four VMs) |
| Hypervisor | VMware ESXi 6.7 |
| OS | Rocky Linux 8.10 |
| NIC 1 | VMXNET3 — Production (192.168.120.0/23) |
| NIC 2 | VMXNET3 — Management (192.168.124.0/24) |
2. Network Topology
┌─────────────────────────────────────────────────────────────────────┐
│ VMware ESXi 6.7 Host │
│ │
│ ┌────────────────┐ ┌────────────────┐ ┌──────────┐ ┌────────┐ │
│ │ SKY │ │ RAIN │ │ SUN │ │ WIND │ │
│ │ 192.168.120.1 │ │ 192.168.120.2 │ │ .120.3 │ │ .120.4 │ │
│ │ Primary DNS │ │ Secondary DNS │ │Prometheus│ │ ELK │ │
│ │ Primary DHCP │ │ Secondary DHCP │ │ Grafana │ │ Stack │ │
│ └───────┬────────┘ └───────┬────────┘ └────┬─────┘ └───┬────┘ │
│ │ │ │ │ │
│ ════════╪═══════════════════╪════════════════╪════════════╪═══════ │
│ Production vSwitch — 192.168.120.0/23 │
│ ════════════════════════════════════════════════════════════════════│
│ Management vSwitch — 192.168.124.0/24 │
│ ════════════════════════════════════════════════════════════════════│
└─────────────────────────────────────────────────────────────────────┘
│
192.168.120.254
Gateway
│
┌───────────┴───────────┐
│ │
10.1.96.2 1.1.1.1 / 8.8.8.8
Internal Forwarder Internet DNS
(cloud.us.gl3, us.gl3) (root/public)
3. Service Architecture — All Traffic Flows
3.1 DNS Resolution Flow
Client Query
│
▼
┌─────────────────────────────────────────────────┐
│ SKY — Primary Authoritative DNS │
│ 192.168.120.1:53 │
│ │
│ Zones: │
│ wdc.us.gl3 — Authoritative │
│ 120.168.192.in-addr — Reverse zone │
│ 122.168.192.in-addr — Reverse zone │
│ cloud.us.gl3 — Forward → 10.1.96.2 │
│ us.gl3 — Forward → 10.1.96.2 │
│ . (root) — Forward → 1.1.1.1 │
│ │
│ DNSSEC: Zone signed with ZSK + KSK │
└────────────────────┬────────────────────────────┘
│ Zone Transfer (AXFR/IXFR)
│ Notify on change
▼
┌─────────────────────────────────────────────────┐
│ RAIN — Secondary Authoritative DNS │
│ 192.168.120.2:53 │
│ │
│ Zones: Secondary copy of all SKY zones │
│ DNSSEC: Serves SKY's signed data (RRSIGs arrive with AXFR; no signing here) │
│ Failover: Answers all client queries while SKY is down │
└─────────────────────────────────────────────────┘
3.2 DHCP Failover Flow
Client DHCPDISCOVER
│
├──────────────────────────────┐
▼ ▼
┌──────────────────┐ ┌──────────────────────┐
│ SKY — dhcpd │ │ RAIN — dhcpd │
│ PRIMARY role │◄────►│ SECONDARY role │
│ 192.168.120.1 │ │ 192.168.120.2 │
│ │ port │ │
│ Pools: │ 647 │ Pools: │
│ 121.0–121.200 │ │ 121.0–121.200 │
│ 122.101–122.240 │ │ 122.101–122.240 │
└──────────────────┘ └──────────────────────┘
│ failover peer sync (TCP 647)
│ state: normal / communications-interrupted
│ / partner-down
Lease DB: /var/lib/dhcpd/dhcpd.leases (both servers)
DHCP failover detection: < 30 seconds
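The two flows above only work if RAIN actually carries SKY's current zone and the dhcpd peers are talking. The following check script is an added example (editor's, not a script from the SKY/RAIN guide) that verifies the three things a rebuild or failover drill should confirm: RAIN's SOA serial equals SKY's, answers from SKY carry RRSIGs, and the failover pair in `/var/lib/dhcpd/dhcpd.leases` is in the `normal`/`normal` state. In production the inputs are `dig @192.168.120.1 wdc.us.gl3 SOA +short`, the same query against 192.168.120.2, `dig @192.168.120.1 sky.wdc.us.gl3 A +dnssec` and the leases file; here they are constructed samples so the script runs anywhere. The zone name, serials and the peer name `wdc-dhcp` are assumptions.

```shell
#!/bin/sh
# Added example: offline health checks for SKY -> RAIN DNS and DHCP replication.
# Feed the functions live `dig` output and the dhcpd.leases contents on a real host;
# the sample inputs at the bottom are constructed, not captured from SKY/RAIN.

# soa_serial <output of `dig +short SOA <zone>`> : prints the zone serial (3rd field)
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 3 { print $3; exit }'
}

# zones_in_sync <primary SOA> <secondary SOA> : true when RAIN carries SKY's serial
zones_in_sync() {
    [ -n "$(soa_serial "$1")" ] && [ "$(soa_serial "$1")" = "$(soa_serial "$2")" ]
}

# rrsig_count <output of `dig +dnssec <name> A`> : number of RRSIG records in the
# answer; 0 means the authoritative server is handing out unsigned data
rrsig_count() {
    printf '%s\n' "$1" | awk '$1 !~ /^;/ && $4 == "RRSIG" { n++ } END { print n+0 }'
}

# failover_state <contents of dhcpd.leases> : prints "<my state>/<partner state>".
# dhcpd appends a new 'failover peer ... state { }' block on every transition, so
# the last block in the file is the current one (awk keeps the last values seen).
failover_state() {
    printf '%s\n' "$1" | awk '
        /^failover peer/ { inpeer = 1 }
        inpeer && $1 == "my"      && $2 == "state" { mine = $3 }
        inpeer && $1 == "partner" && $2 == "state" { theirs = $3 }
        inpeer && /^}/   { inpeer = 0 }
        END { print mine "/" theirs }'
}

# failover_ok <contents of dhcpd.leases> : true only when both peers are "normal";
# communications-interrupted / partner-down means one server is carrying the pools
failover_ok() {
    [ "$(failover_state "$1")" = "normal/normal" ]
}

# check_replication <sky soa> <rain soa> <dnssec answer> <leases> : one line per
# check; returns the number of failed checks
check_replication() {
    fails=0
    if zones_in_sync "$1" "$2"; then echo "OK   zone serial $(soa_serial "$1") on both servers"
    else echo "FAIL RAIN serial $(soa_serial "$2") != SKY serial $(soa_serial "$1") (transfer stalled?)"; fails=$((fails+1)); fi
    if [ "$(rrsig_count "$3")" -gt 0 ]; then echo "OK   answer carries RRSIG"
    else echo "FAIL no RRSIG in answer (zone unsigned or signatures expired?)"; fails=$((fails+1)); fi
    if failover_ok "$4"; then echo "OK   dhcp failover normal/normal"
    else echo "FAIL dhcp failover $(failover_state "$4")"; fails=$((fails+1)); fi
    return $fails
}

# --- constructed sample inputs (assumed values, not real captures) ---
SKY_SOA='sky.wdc.us.gl3. hostmaster.wdc.us.gl3. 2026041701 3600 900 604800 86400'
RAIN_SOA="$SKY_SOA"
RAIN_STALE_SOA='sky.wdc.us.gl3. hostmaster.wdc.us.gl3. 2026041600 3600 900 604800 86400'

SIGNED_ANSWER='sky.wdc.us.gl3. 3600 IN A 192.168.120.1
sky.wdc.us.gl3. 3600 IN RRSIG A 13 3 3600 20260501000000 20260417000000 12345 wdc.us.gl3. c29tZXNpZw=='
UNSIGNED_ANSWER='sky.wdc.us.gl3. 3600 IN A 192.168.120.1'

LEASES_HEALTHY='failover peer "wdc-dhcp" state {
  my state normal at 2 2026/04/14 10:00:00;
  partner state normal at 2 2026/04/14 10:00:00;
  mclt 1800;
}'
# Later block shows SKY declared partner-down after RAIN stopped answering on TCP 647.
LEASES_DEGRADED='failover peer "wdc-dhcp" state {
  my state normal at 2 2026/04/14 10:00:00;
  partner state normal at 2 2026/04/14 10:00:00;
}
failover peer "wdc-dhcp" state {
  my state partner-down at 3 2026/04/15 08:12:41;
  partner state communications-interrupted at 3 2026/04/15 08:11:50;
}'

check_replication "$SKY_SOA" "$RAIN_SOA" "$SIGNED_ANSWER" "$LEASES_HEALTHY"
check_replication "$SKY_SOA" "$RAIN_STALE_SOA" "$UNSIGNED_ANSWER" "$LEASES_DEGRADED" || echo "$? check(s) failed"
```

A serial mismatch that persists past the SOA refresh interval means NOTIFY or the AXFR itself is blocked (check the port 53 rule between SKY and RAIN); a `partner-down` state that outlives the outage must be cleared by hand once RAIN returns, otherwise SKY keeps handing out the full pool alone.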
3.3 Monitoring Flow — Prometheus / Grafana (SUN)
SUN — Prometheus (192.168.120.3:9090)
scrapes every 15 seconds:
│
├──► SKY:9100 (node_exporter) — CPU, mem, disk, net
├──► SKY:9119 (bind_exporter) — DNS queries/sec, zone transfers, errors
├──► RAIN:9100 (node_exporter) — CPU, mem, disk, net
├──► RAIN:9119 (bind_exporter) — DNS queries/sec, zone transfers, errors
└──► localhost:9100 (self) — SUN OS metrics
▼
SUN — Grafana (192.168.120.3:3000)
Dashboards:
ID 1860 — Node Exporter Full (OS metrics — all targets)
ID 13955 — BIND DNS Exporter (query rates, DNSSEC, zone transfers)
Alerts:
Scrape target down > 2 min → P1 alert
Disk > 80% on any server → P2 alert
DNS query rate spike → P3 alert
BIND zone transfer fail → P2 alert
3.4 Log Collection Flow — ELK Stack (WIND)
SKY — rsyslog ──► /etc/rsyslog.d/50-forward-wind.conf
Queue: 10,000 msgs, persistent on shutdown
│
├─────────────────────────┐
│ │
RAIN — rsyslog ──► /etc/rsyslog.d/50-forward-wind.conf
│ │
└──────────┬──────────────┘
│ TCP :5140
▼
WIND — Logstash (192.168.120.4:5140)
│
│ Parse → Tag → Route
▼
WIND — Elasticsearch (localhost:9200)
│
Indices (daily rotation, 90-day retention):
├── wdc-logs-YYYY.MM.DD (all logs)
├── dns-logs-YYYY.MM.DD (named)
├── dhcp-leases-YYYY.MM.DD (dhcpd — CIS 1.3)
├── auth-logs-YYYY.MM.DD (sshd/sudo — CIS 5.2)
└── firewall-drops-YYYY.MM.DD (iptables — CIS 12.1)
│
▼
WIND — Kibana (192.168.120.4:5601)
Dashboards, searches, alerts
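The "10,000 msgs, persistent on shutdown" queue on SKY and RAIN is what turns a WIND outage into a log gap of minutes rather than lost events. As an added example (editor's, not the guide's own `50-forward-wind.conf`), the script below generates that rsyslog action with the collector address, port and queue size from this document and audits an existing copy for the directives that make the queue survive; the spool file name `fwd_wind` and the 1 GB disk cap are assumptions.

```shell
#!/bin/sh
# Added example: generate and audit the rsyslog forwarding action for WIND.
# Write it with:  forward_conf 192.168.120.4 5140 10000 > /etc/rsyslog.d/50-forward-wind.conf
# then validate with `rsyslogd -N1` and restart rsyslog.

# forward_conf <collector ip> <port> <queue size> : prints the omfwd action
forward_conf() {
    cat <<EOF
# 50-forward-wind.conf: ship every facility/priority to WIND over TCP.
# Disk-assisted queue: up to queue.size messages stay in memory, spill to
# /var/lib/rsyslog/fwd_wind* while WIND is unreachable, and are replayed on restart.
*.* action(type="omfwd"
           target="$1" port="$2" protocol="tcp"
           queue.type="LinkedList"
           queue.filename="fwd_wind"
           queue.maxDiskSpace="1g"
           queue.size="$3"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1"
           action.resumeInterval="30")
EOF
}

# conf_missing <config text> : prints each required directive that is absent;
# true only when nothing is missing (use it to catch drift between SKY and RAIN)
conf_missing() {
    missing=0
    for needle in 'type="omfwd"' 'protocol="tcp"' 'queue.filename=' \
                  'queue.saveOnShutdown="on"' 'action.resumeRetryCount="-1"'; do
        if ! printf '%s\n' "$1" | grep -qF "$needle"; then
            echo "missing: $needle"
            missing=$((missing+1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed "bad" config: no action queue, so rsyslog discards messages once
# its retries to WIND are exhausted instead of buffering them.
VOLATILE_CONF='*.* action(type="omfwd" target="192.168.120.4" port="5140" protocol="tcp")'

forward_conf 192.168.120.4 5140 10000
conf_missing "$(forward_conf 192.168.120.4 5140 10000)" && echo "generated config: complete"
conf_missing "$VOLATILE_CONF" || echo "volatile config would drop logs during a WIND outage"
```

This sends syslog in the clear across the production vSwitch, which the VPN does not cover; if that matters for the auth and sudo records in the `auth-logs-*` index, omfwd supports TLS via its `StreamDriver="gtls"` parameters, with Logstash terminating TLS on the other side.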
3.5 Management Access Flow
Admin Workstation (192.168.124.x)
│
├──► SSH :22 → SKY (192.168.124.1)
├──► SSH :22 → RAIN (192.168.124.2)
├──► SSH :22 → SUN (192.168.124.3)
├──► SSH :22 → WIND (192.168.124.4)
│
├──► Webmin :10000 → SKY (https://192.168.124.1:10000)
├──► Webmin :10000 → RAIN (https://192.168.124.2:10000)
├──► Webmin :10000 → SUN (https://192.168.124.3:10000)
├──► Webmin :10000 → WIND (https://192.168.124.4:10000)
│
├──► Prometheus :9090 → SUN (http://192.168.124.3:9090)
├──► Grafana :3000 → SUN (http://192.168.124.3:3000)
└──► Kibana :5601 → WIND (http://192.168.124.4:5601)
All management ports are restricted to 192.168.124.0/24 by firewalld.
No management access is permitted from the production 192.168.120.0/23 network.
4. Network Segmentation & Firewall Summary
CIS Controls: CIS 4.4 · CIS 12.1 · CIS 12.4
4.1 Production Network — 192.168.120.0/23
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Any client | SKY, RAIN | 53 | TCP/UDP | DNS queries |
| Any client | SKY, RAIN | 67/68 | UDP | DHCP |
| SKY | RAIN | 953 | TCP | rndc control channel (NOTIFY messages themselves travel on port 53) |
| SKY | RAIN | 53 | TCP (AXFR/IXFR), UDP (NOTIFY) | Zone transfers and change notification |
| SKY, RAIN | RAIN, SKY | 647 | TCP | DHCP failover sync (both peers accept inbound 647; either side may open the connection) |
| SUN | SKY, RAIN | 9100 | TCP | node_exporter scrape |
| SUN | SKY, RAIN | 9119 | TCP | bind_exporter scrape |
| SKY, RAIN | WIND | 5140 | TCP | rsyslog forwarding |
4.2 Management Network — 192.168.124.0/24
| Destination | Port | Service | Restricted To |
|---|---|---|---|
| All four servers | 22 | SSH | 192.168.124.0/24 |
| All four servers | 10000 | Webmin (HTTPS) | 192.168.124.0/24 |
| SUN | 9090 | Prometheus UI | 192.168.124.0/24 |
| SUN | 3000 | Grafana | 192.168.124.0/24 |
| WIND | 5601 | Kibana | 192.168.124.0/24 |
4.3 Firewall Default Policy — All Servers
All four servers use firewalld with the default zone set to drop, so every inbound packet is discarded unless one of the rich rules above explicitly accepts it. The drop zone filters inbound traffic only: outbound connections (for example SKY and RAIN querying the forwarders at 10.1.96.2 and 1.1.1.1, or rsyslog connecting to WIND) are not restricted by it.
IPv6 is fully disabled at the kernel level (sysctl net.ipv6.conf.all.disable_ipv6=1).
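Rich rules drift: an engineer opening SSH "temporarily" from the production network is exactly the change §3.5 forbids, and nothing above detects it. As an added example (editor's, not a script from the guides), the script below builds the rule set the tables in §4.1 and §4.2 imply for SUN and SKY in the exact text `firewall-cmd --list-rich-rules` prints, and diffs a host's live rules against it. The drift sample for SUN is constructed; the DHCP rule for SKY deliberately carries no source filter because a DHCPDISCOVER arrives from 0.0.0.0.

```shell
#!/bin/sh
# Added example: build the section 4 firewalld rich rules and audit a host against them.
# On a server:  audit_rules "$(expected_rules_sun)" "$(firewall-cmd --list-rich-rules)"

MGMT=192.168.124.0/24

# rich_rule <source cidr or empty> <port> <proto> : one rule in list-rich-rules form
rich_rule() {
    if [ -n "$1" ]; then
        printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' "$1" "$2" "$3"
    else
        printf 'rule family="ipv4" port port="%s" protocol="%s" accept\n' "$2" "$3"
    fi
}

# add_cmd <source> <port> <proto> : the command that installs the rule permanently in
# the drop zone (the default zone on all four servers); run firewall-cmd --reload after
add_cmd() {
    printf 'firewall-cmd --permanent --zone=drop --add-rich-rule=%s\n' "'$(rich_rule "$1" "$2" "$3")'"
}

# expected_rules_sun : SUN only accepts management traffic; it initiates the scrapes itself
expected_rules_sun() {
    rich_rule "$MGMT" 22 tcp
    rich_rule "$MGMT" 10000 tcp
    rich_rule "$MGMT" 9090 tcp
    rich_rule "$MGMT" 3000 tcp
}

# expected_rules_sky : prod DNS/DHCP, RAIN-only failover sync, SUN-only scrapes, mgmt
expected_rules_sky() {
    rich_rule 192.168.120.0/23 53 tcp
    rich_rule 192.168.120.0/23 53 udp
    rich_rule "" 67 udp            # DHCPDISCOVER has source 0.0.0.0, so no source filter can apply
    rich_rule 192.168.120.2 647 tcp
    rich_rule 192.168.120.3 9100 tcp
    rich_rule 192.168.120.3 9119 tcp
    rich_rule "$MGMT" 22 tcp
    rich_rule "$MGMT" 10000 tcp
}

# audit_rules <expected rules> <actual rules> : prints MISSING:/EXTRA: lines and is
# true only when the two sets match exactly
audit_rules() {
    e=$(mktemp) && a=$(mktemp) || return 2
    printf '%s\n' "$1" | grep -v '^$' | sort -u > "$e"
    printf '%s\n' "$2" | grep -v '^$' | sort -u > "$a"
    comm -23 "$e" "$a" | sed 's/^/MISSING: /'
    comm -13 "$e" "$a" | sed 's/^/EXTRA:   /'
    n=$(comm -3 "$e" "$a" | wc -l | tr -d ' ')
    rm -f "$e" "$a"
    [ "$n" -eq 0 ]
}

# Constructed drift sample for SUN: the Grafana rule is gone and SSH has been
# opened to the whole production network, which section 3.5 forbids.
SUN_ACTUAL='rule family="ipv4" source address="192.168.124.0/24" port port="22" protocol="tcp" accept
rule family="ipv4" source address="192.168.124.0/24" port port="10000" protocol="tcp" accept
rule family="ipv4" source address="192.168.124.0/24" port port="9090" protocol="tcp" accept
rule family="ipv4" source address="192.168.120.0/23" port port="22" protocol="tcp" accept'

audit_rules "$(expected_rules_sun)" "$SUN_ACTUAL" || echo "SUN firewall has drifted from section 4"
expected_rules_sky | while read -r r; do printf 'firewall-cmd --permanent --zone=drop --add-rich-rule=%s\n' "'$r'"; done
```

Run the audit from the monthly CIS compliance check in §12 and treat any `EXTRA:` line whose source is not 192.168.124.0/24 as a P2 finding; the MISSING/EXTRA output is also the exact rule text to feed back into `firewall-cmd`.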
5. Disk Layout — All Four Servers
All servers share the same sda (OS) layout; sdb (Data) is role-specific. Verify the live options with findmnt -o TARGET,OPTIONS rather than relying on this table alone: in particular, nosuid on / (as listed for rl-root) disables every setuid binary on the root filesystem, including sudo, su and passwd, so a host that really mounted / that way would be unmanageable.
5.1 sda — OS Disk (200 GB, identical on all four servers)
╔══════════════════════════════════════════════╗
║ sda — 200 GB VG: rl (System) ║
╠══════════════════════════════════════════════╣
║ sda1 /boot/efi 600 MB vfat ║
║ sda2 /boot 1 GB xfs ║
║ rl-root / 50 GB nodev,nosuid ║
║ rl-tmp /tmp 10 GB nodev,nosuid,noexec ║
║ rl-vartmp /var/tmp 5 GB nodev,nosuid,noexec ║
║ rl-var /var 25 GB nodev ║
║ rl-home /home 10 GB nodev,nosuid ║
║ rl-swap swap 8 GB ║
║ FREE ~90 GB Expansion ║
╚══════════════════════════════════════════════╝
5.2 sdb — Data Disk (300 GB, role-specific per server)
╔══════════════════════════╦══════════════════════════════════════════╗
║ SKY & RAIN (DNS/DHCP) ║ SUN (Monitoring) ║
╠══════════════════════════╬══════════════════════════════════════════╣
║ /var/log 40 GB ║ /var/log 30 GB ║
║ /var/log/audit 30 GB ║ /var/log/audit 20 GB ║
║ /var/named 30 GB ║ /var/lib/prometheus 180 GB ║
║ /var/lib/dhcpd 15 GB ║ /backup 40 GB ║
║ /backup 80 GB ║ FREE ~30 GB ║
║ FREE ~105 GB ║ ║
╠══════════════════════════╬══════════════════════════════════════════╣
║ WIND (Logging) ║ All sdb volumes in VG: data ║
╠══════════════════════════╣ sdb device ONLY — sda excluded ║
║ /var/log 30 GB ║ ║
║ /var/log/audit 20 GB ║ CIS 8.3: Dedicated log partitions ║
║ /var/lib/elasticsearch ║ prevent OS from crashing if disk fills ║
║ 180 GB ║ ║
║ /var/lib/logstash ║ CIS 3.11: Sensitive data at rest ║
║ 30 GB ║ protected by partition isolation ║
║ /backup 30 GB ║ ║
║ FREE ~10 GB ║ ║
╚══════════════════════════╩══════════════════════════════════════════╝
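The mount options in §5.1 are the part of this layout that a rebuild most easily gets wrong, and CIS 8.3 only holds if /var/log really is a separate mount. As an added example (editor's, not from the guides), the script below encodes the §5.1 options as a policy and checks `findmnt -rno TARGET,OPTIONS` output against it; / is deliberately not required to carry nosuid for the reason given above. The two findmnt samples are constructed to show one compliant host and one that has drifted.

```shell
#!/bin/sh
# Added example: audit live mount options against the section 5.1 table.
# On a server:  check_mount_opts "$(findmnt -rno TARGET,OPTIONS)"

# Policy: mount target and the options it must carry (from section 5.1).
MOUNT_POLICY='/tmp nodev,nosuid,noexec
/var/tmp nodev,nosuid,noexec
/var nodev
/home nodev,nosuid
/var/log nodev'

# check_mount_opts <findmnt -rno TARGET,OPTIONS output> : prints one FAIL line per
# missing option or missing dedicated mount; true only when everything complies
check_mount_opts() {
    printf '%s\n' "$1" | awk -v policy="$MOUNT_POLICY" '
    BEGIN {
        n = split(policy, lines, "\n")
        for (i = 1; i <= n; i++)
            if (lines[i] != "") { split(lines[i], f, " "); want[f[1]] = f[2] }
    }
    ($1 in want) {
        seen[$1] = 1
        m = split($2, opts, ",")
        for (j = 1; j <= m; j++) have[$1, opts[j]] = 1
        k = split(want[$1], need, ",")
        for (j = 1; j <= k; j++)
            if (!(($1, need[j]) in have)) { print "FAIL " $1 " mounted without " need[j]; bad++ }
    }
    END {
        for (t in want)
            if (!(t in seen)) { print "FAIL " t " is not a separate mount"; bad++ }
        exit bad ? 1 : 0
    }'
}

# Constructed samples (not captured from a WDC host).
GOOD_MOUNTS='/ rw,relatime,seclabel,attr2,inode64,noquota
/boot rw,relatime,seclabel
/tmp rw,nosuid,nodev,noexec,relatime,seclabel
/var/tmp rw,nosuid,nodev,noexec,relatime,seclabel
/var rw,nodev,relatime,seclabel
/var/log rw,nodev,relatime,seclabel
/home rw,nosuid,nodev,relatime,seclabel'

# Drift: /var/tmp lost noexec and /home was folded back into / (no separate mount).
BAD_MOUNTS='/ rw,relatime,seclabel
/tmp rw,nosuid,nodev,noexec,relatime,seclabel
/var/tmp rw,nosuid,nodev,relatime,seclabel
/var rw,nodev,relatime,seclabel
/var/log rw,nodev,relatime,seclabel'

check_mount_opts "$GOOD_MOUNTS" && echo "mount options match section 5.1"
check_mount_opts "$BAD_MOUNTS" || echo "remediate before the next CIS compliance check"
```

A missing separate mount is the more serious finding: without its own volume, a full /var/log or /home can fill / and take the DNS server down with it, which is the failure the sdb layout exists to prevent.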
6. CIS Controls Implementation — Full Infrastructure
| CIS Control | Control Name | SKY/RAIN Implementation | SUN/WIND Implementation |
|---|---|---|---|
| CIS 1.1 | Asset Inventory | DHCP lease tracking, DNS records for all 4 servers | Kibana dhcp-leases-* index; Prometheus asset labels |
| CIS 1.2 | Software Inventory | Minimal RPM install, dnf history | Minimal RPM install, dnf history |
| CIS 2.2 | Authorized Software | Server base only, no GUI, no unnecessary packages | Server base only; only ELK/Prometheus packages |
| CIS 3.11 | Data Encryption | DNSSEC zone signing, Webmin TLS | Webmin TLS, management network restriction |
| CIS 3.14 | Sensitive Data | DNSSEC private keys chmod 600; backup encrypted | Elasticsearch at-rest on dedicated partition |
| CIS 4.1 | Secure Configuration | CIS Benchmark Rocky Linux 8; named/dhcpd hardening | CIS Benchmark Rocky Linux 8; service hardening |
| CIS 4.4 | Firewall | firewalld drop zone; DNS/DHCP only | firewalld drop zone; management only |
| CIS 5.1 | Account Inventory | dnsadmin only; service accounts nologin | monitadmin only; service accounts nologin |
| CIS 5.2 | Privileged Access | sudo with logging; SSH no root | sudo with logging; SSH no root |
| CIS 5.4 | Password Policy | 14-char min, 90-day max, lockout after 5 | 14-char min, 90-day max, lockout after 5 |
| CIS 6.1 | Access Control | SELinux enforcing; BIND chroot | SELinux enforcing; service isolation |
| CIS 7.1 | Vulnerability Mgmt | dnf-automatic security updates | dnf-automatic security updates |
| CIS 8.2 | Audit Log Mgmt | auditd with DNS/DHCP rules; rsyslog → WIND | auditd; Elasticsearch 90-day retention |
| CIS 8.3 | Log Storage | Dedicated /var/log on sdb | Dedicated /var/log and /var/lib/elasticsearch on sdb |
| CIS 8.5 | Log Analysis | Kibana dashboards on WIND | Kibana dashboards; Grafana panels |
| CIS 8.9 | Centralized Logging | rsyslog → WIND:5140 | Logstash pipeline; Elasticsearch indexing |
| CIS 10.1 | Malware Defenses | AIDE daily integrity check | AIDE daily integrity check |
| CIS 11.1 | Data Recovery | Daily cron backup to /backup; ESXi snapshots | Daily cron backup to /backup; ESXi snapshots |
| CIS 11.2 | Automated Backup | /etc/cron.daily/dns-dhcp-backup | /etc/cron.daily/mon-backup + log-backup |
| CIS 12.1 | Network Defense | firewalld drop default; rich rules only | firewalld drop default; rich rules only |
| CIS 12.4 | Network Topology | Dual NIC (prod/mgmt); DNS zone segregation | Dual NIC (prod/mgmt) |
| CIS 13.1 | Network Monitoring | node_exporter + bind_exporter on SKY/RAIN | Prometheus scrape; Grafana dashboards |
| CIS 13.4 | Alert Management | Grafana alert rules on SUN | Grafana alert rules; Kibana alerts |
| CIS 16.7 | App Security | Webmin TLS; management-only access | Webmin TLS; Grafana auth; Kibana on mgmt network |
| CIS 17.1 | IR Designation | DNS Admin + Security Ops | Monitoring Admin + Security Ops |
| CIS 17.7 | IR Exercises | Quarterly failover + DR drills | Quarterly snapshot + pipeline tests |
| CIS 17.9 | IR Thresholds | P1–P4 severity matrix; RTO/RPO defined | P1–P4 severity matrix; RTO/RPO defined |

The control names above are shorthand, and several rows do not match the CIS Controls v8 safeguard they cite: software inventory is Safeguard 2.1 (1.2 is Address Unauthorized Assets); 3.11 is Encrypt Sensitive Data at Rest, which neither DNSSEC signing, Webmin TLS (in transit, 3.10) nor a dedicated partition provides; 10.1 is anti-malware software, which AIDE is not; and 13.1 and 13.4 are Centralize Security Event Alerting and Traffic Filtering Between Network Segments respectively. Re-map the rows against the v8 safeguard list before using this table as audit evidence.
7. Service Access Quick Reference
All URLs below are accessible from the management network (192.168.124.0/24) only. Prometheus and Kibana have no login of their own, so membership of 192.168.124.0/24 is the sole access control for those two services.

| Service | URL | Server | Credentials |
|---|---|---|---|
| SKY Webmin | https://192.168.124.1:10000 | SKY | dnsadmin |
| RAIN Webmin | https://192.168.124.2:10000 | RAIN | dnsadmin |
| SUN Webmin | https://192.168.124.3:10000 | SUN | monitadmin |
| WIND Webmin | https://192.168.124.4:10000 | WIND | monitadmin |
| Prometheus UI | http://192.168.124.3:9090 | SUN | None (network-restricted) |
| Grafana | http://192.168.124.3:3000 | SUN | grafana_admin |
| Kibana | http://192.168.124.4:5601 | WIND | None (network-restricted) |
8. Backup Summary — All Four Servers
| Server | Backup Script | Archive Path | Retention | Key Contents |
|---|---|---|---|---|
| SKY | /etc/cron.daily/dns-dhcp-backup | /backup/dns-dhcp/ | 30 days | named.conf, zones, DNSSEC keys, dhcpd.conf, leases, AIDE db |
| RAIN | /etc/cron.daily/dns-dhcp-backup | /backup/dns-dhcp/ | 30 days | Same as SKY (independent copy) |
| SUN | /etc/cron.daily/mon-backup | /backup/monitoring/ | 30 days | prometheus.yml, grafana.ini, Webmin config, AIDE db |
| WIND | /etc/cron.daily/log-backup | /backup/logging/ | 30 days | Logstash pipeline, elasticsearch.yml, kibana.yml, Kibana saved objects, AIDE db |
ESXi Snapshots — daily (7-day retention) + weekly (4-week) + monthly (12-month) — all four VMs.
Offsite copies — weekly snapshots copied to remote NFS backup store.
The DNS/DHCP archive contains the DNSSEC private keys, so confirm it is encrypted (as the CIS 3.14 row in §6 states) before it leaves the host in the weekly NFS copy or the GCS backups listed in §13.2.
9. Recovery Objectives — Full Infrastructure
| Server | RTO (snapshot) | RTO (config restore) | RTO (full rebuild) | RPO |
|---|---|---|---|---|
| SKY | < 5 min (RAIN auto-assumes) | < 30 min | < 4 hours | 24 hours |
| RAIN | < 30 min | < 1 hour | < 4 hours | 24 hours |
| SUN | < 30 min | < 1 hour | < 3 hours | 24 hours (config) / 0 (metrics survive restart) |
| WIND | < 30 min | < 1 hour | < 4 hours | 24 hours (config) / 0–15 min (log queue) |
Critical dependency chain for DNS/DHCP services:
Client DNS/DHCP ──► SKY or RAIN (independent of SUN and WIND)
SKY and RAIN operate independently if SUN/WIND are down
SUN and WIND failure = loss of visibility, NOT loss of DNS/DHCP
10. DNS Records — Full Infrastructure
All four servers are registered in the wdc.us.gl3 zone on SKY and replicated to RAIN.
Forward Zone Records (/var/named/wdc.us.gl3.db)
; DNS/DHCP Infrastructure
sky IN A 192.168.120.1
rain IN A 192.168.120.2
; Monitoring and Logging
sun IN A 192.168.120.3
wind IN A 192.168.120.4
; Gateway
gw IN A 192.168.120.254
Reverse Zone Records (/var/named/192.168.120.0.rev)
1 IN PTR sky.wdc.us.gl3.
2 IN PTR rain.wdc.us.gl3.
3 IN PTR sun.wdc.us.gl3.
4 IN PTR wind.wdc.us.gl3.
254 IN PTR gw.wdc.us.gl3.
Verify All Records Resolve
# Run from any host in the 192.168.120.0/23 network
for host in sky rain sun wind gw; do
ip=$(dig @192.168.120.1 ${host}.wdc.us.gl3 A +short)
ptr=$(dig @192.168.120.1 -x ${ip} +short)
printf "%-6s → %-18s → %s\n" "$host" "$ip" "$ptr"
done
# Expected output:
# sky → 192.168.120.1 → sky.wdc.us.gl3.
# rain → 192.168.120.2 → rain.wdc.us.gl3.
# sun → 192.168.120.3 → sun.wdc.us.gl3.
# wind → 192.168.120.4 → wind.wdc.us.gl3.
# gw → 192.168.120.254 → gw.wdc.us.gl3.
11. Incident Response Roles — Full Infrastructure

| Role | Scope | Contact Method |
|---|---|---|
| DNS/DHCP Admin | SKY, RAIN — all DNS/DHCP incidents | On-call phone + SSH / Webmin |
| Monitoring/Logging Admin | SUN, WIND — all monitoring/logging incidents | On-call phone + SSH / Webmin |
| Security Operations | All four servers — threat analysis, containment | SOC hotline |
| Network Operations | ESXi vSwitch, firewall, routing | NOC hotline |
| IT Manager | P1/P2 escalation on any server | Phone |
| Backup Admin | Snapshots and archive restores — all servers | On-call phone |
P1 Decision Tree — Which Server Is Down?
Alert fires
│
├── DNS resolution failing?
│ │
│ ├── SKY down → RAIN auto-assumes → Rebuild SKY (see SKY/RAIN guide §18)
│ ├── RAIN down → SKY continues → Rebuild RAIN (see SKY/RAIN guide §18)
│ └── Both down → Emergency /etc/hosts fallback → Rebuild both
│
├── Metrics not updating in Grafana?
│ │
│ └── SUN down → No DNS/DHCP impact → Rebuild SUN (see SUN/WIND guide §18)
│
└── Logs not appearing in Kibana?
│
└── WIND down → rsyslog queues on SKY/RAIN → Rebuild WIND (see SUN/WIND guide §18)
→ Note: SKY/RAIN DNS/DHCP unaffected; log gap exists
12. DR Testing Schedule — Full Infrastructure
On-premises scope only; §14 supersedes this table for the seven-server estate.

| Test | Servers | Frequency | Owner |
|---|---|---|---|
| SKY failover to RAIN | SKY, RAIN | Quarterly | DNS Admin |
| RAIN rebuild from backup | RAIN | Quarterly | DNS/Backup Admin |
| SUN snapshot restore | SUN | Monthly | Monitoring Admin |
| WIND snapshot restore | WIND | Monthly | Monitoring/Backup Admin |
| End-to-end pipeline test | All four | Monthly | Monitoring Admin |
| Full four-server DR drill | All four | Annually | IT Manager + Full Team |
| Backup archive verification | All four | Weekly | Backup Admin |
| CIS compliance check (all) | All four | Monthly | Security Ops |
13. GCP Cloud Extension
The WDC infrastructure is extended into Google Cloud Platform via a site-to-site IPsec VPN tunnel. Three GCP VMs provide cloud-native security scanning, monitoring, and logging that complement the on-prem WDC stack.
13.1 GCP Network Topology
WDC (192.168.120.0/23) GCP VPC (172.16.0.0/24)
us-central1-a
SKY 192.168.120.1 ──────────── OAK 172.16.0.10
RAIN 192.168.120.2 VPN MAPLE 172.16.0.12
SUN 192.168.120.3 AES-256 CEDAR 172.16.0.13
WIND 192.168.120.4 ────────────
WDC VPN peer: 38.140.146.68 (Meraki MX100)
GCP VPN peer: 130.211.194.72
Tunnel: ESTABLISHED · IKEv2 · AES-256-GCM
13.2 Cross-Site Data Flows
| Flow | Source | Destination | Protocol |
|---|---|---|---|
| Prometheus scrape | MAPLE (Prometheus) | SKY/RAIN/SUN/WIND:9100 | HTTP over VPN |
| Prometheus scrape | MAPLE (Prometheus) | OAK/CEDAR:9100 | HTTP (VPC) |
| Log forwarding | SKY/RAIN/SUN/WIND | CEDAR:5140 | rsyslog TCP over VPN |
| Log forwarding | OAK/MAPLE | CEDAR:5140 | rsyslog TCP (VPC) |
| Wazuh agents | SKY/RAIN/SUN/WIND | MAPLE:1514 | TCP over VPN |
| Wazuh agents | OAK/CEDAR | MAPLE:1514 | TCP (VPC) |
| OpenVAS scans | OAK | All 7 servers | ICMP/TCP over VPN |
| GCS backups | All 7 servers | gs://gpus-infra-backups-wdc | HTTPS |
| SSH admin | Admin workstation (Mac, 192.168.124.x) | OAK/MAPLE/CEDAR:22 | SSH over VPN |

These flows are not reflected in the §4.1 firewall table, which admits only SUN to ports 9100/9119 and only SKY/RAIN to WIND:5140. Each on-prem server therefore needs additional inbound rules for MAPLE (172.16.0.12) on 9100 and for OAK (172.16.0.10) scan traffic, and the SSH-over-VPN row requires 192.168.124.0/24 to be part of the tunnel's traffic selectors; the §13.1 diagram shows only the production 192.168.120.0/23.
13.3 GCP VM Baseline
All GCP VMs follow the SKY baseline: Rocky Linux 8.10, CIS hardened, 50GB boot + 50GB data pd-ssd, AIDE + auditd (-e 2) + Fail2ban + SELinux enforcing + firewalld default-drop. Admin: cloudadmin. See oak-maple-cedar-cloud-servers.md for full deployment guide.
13.4 Cloud Run Services
| Service | URL | Purpose |
|---|---|---|
| MkDocs Portal | https://infra.greenpeace.us | Infrastructure documentation |
| Status Site | https://status.greenpeace.us | Infrastructure operations dashboard |
| Security Site | https://security.greenpeace.us | 301 → soc.greenpeace.us (redirect-only nginx container; see §13.5) |
| SOC Site | https://soc.greenpeace.us | Consolidated SOC dashboard (13 tabs, all security monitoring) |
13.5 Security Site Redirect — security.greenpeace.us → soc.greenpeace.us
As of commit 26e08c5 (2026-04-17), security.greenpeace.us no longer serves an independent security site. All security content has been consolidated into the SOC dashboard at soc.greenpeace.us, and the legacy security-site Cloud Run service has been replaced with a minimal nginx redirect container that returns HTTP 301 Moved Permanently to https://soc.greenpeace.us for every request path.
| Item | Detail |
|---|---|
| Source URL | https://security.greenpeace.us/* |
| Target URL | https://soc.greenpeace.us |
| Redirect status | 301 Moved Permanently |
| Cloud Run service | security-site (region us-central1) |
| Container | nginx with a single `return 301 https://soc.greenpeace.us$request_uri;` rule |
| Replaced by | SOC dashboard (13 tabs) at soc.greenpeace.us |
| Commit | 26e08c5 |
The Cloud Run service is retained (rather than deleted) so that the existing custom domain mapping, SSL certificate, and any external bookmarks or documentation references continue to resolve. Inbound traffic is logged in the security-site Cloud Run revision logs but no longer touches the legacy Flask backend.
Client request to https://security.greenpeace.us/<anything>
│
▼
Cloud Run: security-site (nginx redirect)
│
└──► HTTP 301 → https://soc.greenpeace.us/<anything>
│
▼
Cloud Run: soc-site (SOC dashboard, 13 tabs)
Operational implications:
- Any saved bookmark, link in an old report, or external reference to security.greenpeace.us automatically lands users on the SOC dashboard with no manual intervention.
- New documentation, alerts, and reports must reference soc.greenpeace.us directly. Do not author new content under the security.greenpeace.us URL: the Cloud Run service is redirect-only and cannot serve pages.
- DNS, SSL, and IAM configuration for the security-site Cloud Run service is unchanged; only the container image (now nginx) and the request-handling behavior changed.
14. DR Testing Schedule — Full Infrastructure (7 Servers)
| Test | Servers | Frequency | Owner |
|---|---|---|---|
| SKY failover to RAIN | SKY, RAIN | Quarterly | DNS Admin |
| RAIN rebuild from backup | RAIN | Quarterly | DNS/Backup Admin |
| SUN snapshot restore | SUN | Monthly | Monitoring Admin |
| WIND snapshot restore | WIND | Monthly | Monitoring/Backup Admin |
| OAK/MAPLE/CEDAR GCS restore | OAK, MAPLE, CEDAR | Quarterly | IT Admin |
| End-to-end pipeline test | All seven | Monthly | Monitoring Admin |
| Full seven-server DR drill | All seven | Annually | Director of Cyber Security + Full Team |
| Backup archive verification | All seven | Weekly | Backup Admin |
| CIS compliance check (all) | All seven | Monthly | Security Ops |
WDC Infrastructure Architecture Overview · v1.9 · 2026-04-17 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only