ISMS Compliance
CyFun Basic / Detect

DE.CM-1: Network monitoring

The network is monitored to detect potential cybersecurity events

DETECT / DE.CM-1

Requirement

Firewalls shall be installed and operated on the network boundaries and completed with firewall protection on the endpoints.

Guidance

  • Endpoints include desktops, laptops, servers...
  • Consider, where feasible, including smartphones and other networked devices when installing and operating firewalls
  • Consider limiting the number of interconnection gateways to the Internet

Our Implementation

Network monitoring is delegated to the 11 cloud providers that constitute the organisation's infrastructure. Each provider operates its own network monitoring, intrusion detection, and firewall management:

  • Edge protection: Vercel and Cloudflare provide DDoS mitigation, rate limiting, and edge-level traffic analysis with real-time monitoring dashboards
  • Database monitoring: Supabase, Turso, Qdrant, and Upstash monitor network access to database services, with connections restricted to application-layer traffic only
  • Compute monitoring: Modal and Trigger.dev monitor serverless workload network activity within their isolated execution environments
  • Infrastructure monitoring: AWS and GCP provide VPC flow logs and network monitoring for underlying infrastructure
  • Uptime monitoring: Better Stack monitors endpoint availability across production services with automated alerting and a public status page for customers
  • Centralised alerting: Data errors, uptime alerts, and application errors are routed to dedicated Slack channels with mobile notifications enabled for all developers

Firewall rules are managed and auto-updated by each cloud provider as part of their managed service offering. No self-managed firewalls or network appliances are operated.

Gaps / Planned improvements:

  • No centralised network monitoring dashboard aggregating data across all 11 providers (NEX-368)
  • Endpoint firewall policy under development (NEX-355) — mitigated by cloud-native architecture and provider-level network controls

Evidence

Partially Implemented / L2 — Repeatable

Cross-references

Framework            Control
ISO 27001:2022       A.8.16 — Monitoring activities
NIST CSF             DE.CM-1
CIS Controls v8.1    13.6
