Annual Firewall Ruleset Review
Purpose
This document provides the results of the annual firewall ruleset review across all production environments. The review ensures firewall configurations align with organizational security policy, follow the principle of least privilege, and protect production systems from unauthorized access.
Ownership
Responsible Team: Engineering
Primary Reviewer: VP of Engineering - Jacob Ditslear
Secondary Reviewer: Staff Engineer - Kevin Mulcrone
Approver: Chief Operating Officer - Nick Delozier
Frequency & History
This review must be conducted at least annually and whenever significant infrastructure changes are made.
Version History
| Date | Reviewer | Summary of Changes |
| --- | --- | --- |
| YYYY-MM-DD | NAME | Initial review |
Review Scope
This review covers all firewall rules and network access controls across the following systems:
- Google Cloud Platform (GCP) — VPC firewall rules, Cloud Armor policies, and IAP configurations for the onramp-bitcoin-integration and onramp-bitcoin-production projects
- Vercel — Edge network access controls, WAF rules, and deployment protection settings for all Onramp web applications
GCP Firewall Review
VPC Firewall Rules
| Rule Name | Direction | Priority | Source | Destination | Ports/Protocol | Action | Justification | Compliant |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
|  | Ingress |  |  |  |  | Allow |  | Yes / No |
|  | Egress |  |  |  |  | Allow |  | Yes / No |
Cloud Armor Policies
| Policy Name | Description | Rules Summary | Justification | Compliant |
| --- | --- | --- | --- | --- |
|  |  |  |  | Yes / No |
Identity-Aware Proxy (IAP)
| Resource | Access Level | Authorized Members | Justification | Compliant |
| --- | --- | --- | --- | --- |
|  |  |  |  | Yes / No |
GCP Findings
Summarize key findings, including any rules that are overly permissive, unused, or misconfigured.
GCP Recommendations
| # | Recommendation | Priority | Rationale |
| --- | --- | --- | --- |
| 1 |  |  |  |
Vercel Firewall Review
Edge Network & WAF Rules
| Rule Name | Type | Condition | Action | Justification | Compliant |
| --- | --- | --- | --- | --- | --- |
|  |  |  |  |  | Yes / No |
Deployment Protection
| Setting | Current Value | Expected Value | Compliant |
| --- | --- | --- | --- |
| Preview Protection |  |  | Yes / No |
| Production Protection |  |  | Yes / No |
| Authentication |  |  | Yes / No |
Vercel Findings
Summarize key findings, including any rules that are overly permissive, unused, or misconfigured.
Vercel Recommendations
| # | Recommendation | Priority | Rationale |
| --- | --- | --- | --- |
| 1 |  |  |  |
Compliance Summary
| Environment | Total Rules Reviewed | Compliant | Non-Compliant | Recommendations |
| --- | --- | --- | --- | --- |
| GCP |  |  |  |  |
| Vercel |  |  |  |  |
| Total |  |  |  |  |
Overall Assessment
Provide an overall compliance status (Compliant / Partially Compliant / Non-Compliant) and a brief narrative summarizing the state of firewall controls.
Sign-Off
| Role | Name | Date | Signature |
| --- | --- | --- | --- |
| Primary Reviewer |  |  |  |
| Secondary Reviewer |  |  |  |
| Approver |  |  |  |