Power BI Gateway Connection without Internet Connection - powerbi

I want to connect with online Power BI and create reports using Data gateway connectivity. My problem is Internet connectivity. I don't have the internet in the Production environment. Is it possible without the internet?
If it is possible then how?

It is possible with Azure ExpressRoute with Microsoft Peering, but the network configuration is somewhat complex. It's much more common to get a firewall exception for the Gateway VM, or to run the Gateway VM in an Azure VNet and connect back to on-prem data sources through ExpressRoute.

Related

Best way to establish a private secure connection between an Azure App Service and an AWS ECS service

I have an app service (Rest API) in Azure and I am planning on hosting another service that has to be integrated with the Azure app service. Could someone please let me know the preferred way(s) to make sure the communication is on a private secure channel?
According to the official Azure docs, you have three options. I can say that the VPN option will be one of the easiest ones, but you can have problems like limited throughput, unpredictable routing via the public internet, and the cost of the AWS and Azure data transfer fees.
To understand better which option to use you can check this flow chart:
Option 1: Connect Azure ExpressRoute and the other cloud provider's equivalent private connection. The customer manages routing.
Option 2: Connect ExpressRoute and the other cloud provider's equivalent private connection. A cloud exchange provider handles routing.
Option 3: Use Site-to-Site VPN over the internet. For more information, see Connect on-premises networks to Azure by using Site-to-Site VPN gateways.
Options 1 and 2 are the best options to avoid use of the public internet, if you require an SLA, if you want predictable throughput, or need to handle data volume transfer. Consider whether to use customer-managed routing or a cloud exchange provider if you haven't implemented ExpressRoute already.
On the AWS side, you will be able to configure your VPC; to understand how to do this, check here.
For more information about these three options, check here.

What is the difference between Amazon Connect, Amazon Direct Connection, AWS Managed VPN and Amazon Connect

I looked in the documentation on the official AWS page to find out what the differences are between Amazon Connect, Amazon Direct Connection, AWS Managed VPN and Amazon Connect. Each time I get a question with these 4 options I am not sure which one I should use. Could anyone give me advice on how to easily distinguish and recognise the correct use of these services?
Amazon Connect
This is very different from the other services; it is a service that operates as a cloud-based call centre, replacing on-premise software solutions that would have done this in the past.
Amazon Managed VPN
A VPN (otherwise known as a virtual private network) allows a connection to be established over the internet to your AWS VPC(s). AWS has 2 versions of this, a site-to-site VPN and a client VPN.
The site-to-site VPN offers a fixed VPN connection between your AWS VPC and an on-premise location. This will require a static IP to maintain the connection, with all traffic routed over the public internet via IPSec and IKE.
The client VPN is similar to the site-to-site but will allow the client connection from anywhere. Using OpenVPN software you establish the connection with AWS which is maintained for as long as the connection is alive. This again uses the internet for all communication.
Direct Connect
With Direct Connect you can maintain a dedicated connection between AWS and your on-premise. This means you will no longer be using the public internet to connect which improves the performance between your on-premise and AWS. It supports both connections to VPC and connections to the public services of AWS (those not in a VPC such as S3 and DynamoDB).
There is a range of network speeds to choose from, up to 10GB. To establish this it has specific hardware requirements and will require the hardware to be hosted at an authorized site. Alternatively you can use a hosted connection from a partner who will provide this hardware for you.

Connecting to DynamoDB from on-premises web server

My organization has an AWS presence, but no VPN nor Direct Connect to and from our on-premises data center. We would still like to leverage DynamoDB in the short-term without having Direct Connect or a VPN connection in place. We will not be using any EC2 instances for our web services. Is it possible for an on-prem host to talk to DynamoDB without any AWS networking infrastructure in place... basically a call direct to the DynamoDB service without VPN or Direct Connect?
All you need is an Internet connection to access DynamoDB. Your on-premises servers will need to have access to make calls to the AWS API, which is publicly accessible over the Internet.
You can use a VPC endpoint gateway to connect your server to DynamoDB using the Amazon network:
https://docs.aws.amazon.com/it_it/vpc/latest/privatelink/vpc-endpoints.html

Facing trouble while connecting GCP VPN from local computer

I am trying to connect to GCP VPN from my local workstation (Windows 8.1).
On GCP, I have created a Route Based VPN and VPN tunnel as per Google Cloud's documentation. I have used IKEv2 on routing.
On my local computer I have created a VPN over IPSec using shared secret generated from GCP. Here is the screen shot of my local VPN settings:
While connecting the VPN from my Windows 8.1 PC, it shows the following error:
and in the GCP side, VPN tunnel status shows:
IKE version mismatch
in the Cloud VPN Gateway log it shows:
establishing IKE_SA failed, peer not responding
It seems the IKE version is not matching on both sides. Am I missing anything that caused the IKE version to fail to match? Or is there any way to enable 'IKEv2' on my Windows PC? Any kind of suggestions are welcome.
Thanks in advance!
Cloud VPN is rather end-point to end-point; it may provide tunnels in between networks, with overlapping sub-nets. In order to connect with your client, you'd have to set up an OpenVPN Access Server or alike, to provide the gateway to which to connect.
As per GCP Cloud VPN features:
GCP Cloud VPN uses ESP in Tunnel mode with authentication. Cloud VPN does not support AH or ESP in Transport mode. Note that Cloud VPN does not perform policy-related filtering on incoming authentication packets. Outgoing packets are filtered based on the IP range configured on the Cloud VPN gateway.
From your description, I am guessing you are trying to configure a remote access VPN, which is different from a site-to-site VPN and not possible using Cloud VPN on one side and a Windows machine at the other end.
However, as a workaround, I would recommend using strongSwan VPN software to set up a VPN gateway on one of your instances. This is also documented in GCP under "Set up an instance as a VPN gateway" for cases where Cloud VPN doesn't provide the required functionality.

VPC and Subnets for me or user?

I am trying to hook up my mobile app to AWS RDS. I want my users to be able to access the Database from anywhere and I want to view my database in SQL Workbench. Are the VPC and Subnet for allowing me access to the database or my users?
Further to the answer by strongjz, I would highly recommend you put your database in a private subnet and prevent any direct connections from the internet.
To connect to it from SQL Workbench you can set up a Bastion server. This is a server that acts as a middleman between the outside internet and your private subnets. There is quite a good tutorial here on how to set one up. They are connecting to Redshift, however the process is exactly the same for connecting to RDS.
To help with the design of the subnet IP ranges, VPC Designer is a good tool for designing the different subnets.
Full disclosure, I am the creator of VPC Designer.
For security reasons and proper mobile app architecture I would not give the mobile client direct access to the database. Just one compromised machine and your data is gone, corrupted or stolen.
Set up an API that the mobile client reaches out to for data requests.
Give only the API access to the database.
Have the mobile client use something like Incognito to access resources.
Here is a reference architecture from AWS for a mobile web app.
Also a paper on how to create a backend for a mobile application.
For securely connecting to the database I would use a software VPN and allow only your IP to connect to it, and then allow only connections from the private IP of that VPN to the database. VPC design considerations here. I personally use OpenVPN; it is free for 2 concurrent users minus EC2 time.
As far as VPC subnet design goes, the database instance should always be placed in private subnets, the API in public subnets exposed with HTTPS. AWS cert manager is free to use with ELB/ALBs.
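
The rule from the answers above (database reachable only from the private IP of the VPN or bastion host, never from the internet), as an added example that is not part of the original posts: a Python check over a security group in the dict shape returned by EC2 DescribeSecurityGroups. The function name, the sample group, its ID and the allowed address are constructed for illustration.

```python
import ipaddress

# Default listener ports of common RDS engines (MySQL, PostgreSQL, SQL Server, Oracle).
DB_PORTS = {3306, 5432, 1433, 1521}

def audit_db_ingress(security_group, allowed_cidrs):
    """Flag ingress rules that expose a DB port to sources outside allowed_cidrs.

    Only CIDR sources are checked; rules that reference other security
    groups (UserIdGroupPairs) are not evaluated here.
    """
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                       # all protocols, all ports
            ports = set(DB_PORTS)
        elif proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            ports = {p for p in DB_PORTS if lo <= p <= hi}
        else:
            continue
        if not ports:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if any(net.version == a.version and net.subnet_of(a) for a in allowed):
                continue                        # source is inside an allowed range
            severity = "internet-open" if net.prefixlen == 0 else "too-broad"
            findings.append((security_group["GroupId"], sorted(ports), cidr, severity))
    return findings

# Constructed sample: one correct rule, two risky ones, one unrelated HTTPS rule.
SAMPLE_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.25/32"}]},   # VPN host private IP only
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # database open to the internet
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},    # whole VPC, every port
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # not a DB port, ignored
    ],
}

if __name__ == "__main__":
    for finding in audit_db_ingress(SAMPLE_SG, ["10.0.1.25/32"]):
        print(finding)
```
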