Page Comparison

All incoming requests from the Internet arrive via AWS Elastic Load Balancer (ELB) services. The ELB service is unique per environment. Amazon ensures that the AWS ELB service is redundant and fault-tolerant.

Tidepool also uses the AWS NAT Gateway Service to allow internal instances to reach out to the Internet, for example to reach out for time updates (via NTP), but does not allow outside traffic in. The NAT Gateway also provides automatic fault tolerance.

Only strictly necessary ports are configured:

• Ports 80 (http) and 443 (https) on app instances

• Port 123 Network Time Protocol (NTP) on all instances

• HTTP port 80 is open on the public tidepool.org web sites, but only as a re-direct to HTTPS port 443. .service instances or clusters

• Tidepool does not provide any web services over port 80/HTTP and is not required for operations, port 80 redirects are provided as a convenience.

• Our end-user and clinic application site, app.tidepool.org, and our api endpoint (api.tidepool.org) only uses HTTPS port 443 (https). HTTP port 80 automatically redirects (via 301 Permanent Redirect) to the same page on HTTPS over port 443at 443 (https).

• Internal servers clusters with no public-facing ports use self-signed certificates so that all data communication is encrypted to encrypt data in transit at all times .Access to kubernetes nodes for administration is provided via the Kubernetes proxy, which requires either AWS IAM credentials or Google Group membership and OIDC authentication to Google SSO. Both access methods require multi-factor authenticationvia a service mesh.