Access Google Cloud Run through the VPN [closed] - google-cloud-platform

Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 months ago.
I am trying to hide my Cloud Run application inside a VPN.
What I already did:
I have created a box in the VPC (vpn-gateway)
Configured a VPN there
Configured routing to allow access to all machines in the VPC
Created a VPC Connector to have a bridge between Cloud Run and my VPC
Set 'Route all traffic through the VPC Connector' on Cloud Run
Routed traffic for 216.239.0.0/16 (aka Cloud Run) through the VPN
At this point it works well.
Unfortunately, I have 3 projects (prod/testing/dev), and I'd like to have one VPN for all projects.
I decided to add a Shared VPC on top of all my projects. And it seems that hosts from the Host (parent) project cannot access Cloud Run in the Service Project.
What is best practice for hiding Cloud Run applications from 3rd party users?

Related

Problem with connecting frontend and backend services through internal load balancer [closed]

Closed. This question is not about programming or software development. It is not currently accepting answers.
Closed 3 days ago.
The frontend and backend services seem to be working fine separately on their own, but when I try to communicate between the frontend and backend I keep getting an ERR_NAME_NOT_RESOLVED error.
Service discovery is all connected
All security groups are open
I think our architecture is very similar to this, if that helps.
(https://mohamedwaelbenismail.medium.com/microservices-architecture-deployed-on-ecs-fargate-based-cluster-using-cloudformation-878cb6f90571)
It only works if we change the internal load balancer to a public load balancer, allow internet traffic and allow 0.0.0.0/0.
The status of the health checks is all 'healthy'
Based on your schematic illustration, your React web application front end will never be able to reach your backend. Your front end executes on the client side, in their browsers/mobiles. This means that the only way to reach the backend is through the internet. So your backend can't be in a private subnet behind an internal load balancer.
You have to re-architect your application. Both the frontend and backend must be accessible from the internet for your front end to be able to query the backend.

Serverless VPC connector, Google APIs, traffic routing and best practices [closed]

Closed. This question is not about programming or software development. It is not currently accepting answers.
Closed 5 months ago.
Working for a Findata company, we have strict requirements in terms of compliance to be considered "safe" to work with us.
I took some time reading about Serverless VPC connector specifically and it raised mainly two questions.
Here's an architecture diagram that may help answer question 2.
Question 1
I understand that when creating a Serverless VPC connector, you can connect to any private IP present in the same VPC. For instance, a Cloud Run app that connects to a Cloud SQL instance through its private IP.
What I am still wondering is how it works when using Google Cloud APIs. For instance, let's take a Cloud Run app that consumes data from BigQuery.
Knowing that we can configure egress traffic to be routed like so:
If we route all traffic through the VPC connector, from my tests, it will reach the BigQuery API only if the subnet associated with the connector has Private Google Access activated.
So here it's going through the VPC for sure. The downside (big?) is that it consumes bandwidth of your connector, right? Also, if the app is scaling up, bandwidth consumption will increase.
My question there is:
To avoid this overhead, does the 'Route only requests to private IPs through the VPC connector' option also use the private network? Or does it go out to the Internet to reach Google APIs?
Question 2
For us, connectors are expensive. We were thinking about how to deploy them (if required; it actually depends on the answer to question 1).
From what I know, for expensive network setups (like sharing a Cloud Interconnect link), people tend to create a Host Project that manages all the networking and share it using Shared VPC.
My question there is:
Is it something to consider as well for Serverless VPC connectors? Is it better to create a few big ones and share them with multiple serverless services, or create a lot of small ones?
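Added example, written for this page and not code from either poster, covering the first question (a Cloud Run service reachable only from the VPC, and therefore only through the VPN that terminates in it) and Question 1 directly above (which egress setting sends Google API calls through the VPC). It assumes an authenticated gcloud CLI, a VPN already attached to the VPC, and placeholder names for the project, region, network, subnet, connector, service and image. By default it only prints the gcloud commands (DRY_RUN=1) so the plan can be reviewed before it changes anything.

```shell
#!/bin/sh
# Added example, not code from the original posts: the gcloud steps for putting a
# Cloud Run service behind a Serverless VPC connector so it accepts only internal
# traffic, plus the egress choice that decides whether Google API calls traverse
# the connector. All names below are assumed placeholders.
set -e

PROJECT="${PROJECT:-my-service-project}"
REGION="${REGION:-europe-west1}"
NETWORK="${NETWORK:-shared-vpc}"
SUBNET="${SUBNET:-run-connector-subnet}"
CONNECTOR="${CONNECTOR:-run-connector}"
SERVICE="${SERVICE:-internal-api}"
IMAGE="${IMAGE:-europe-west1-docker.pkg.dev/my-service-project/apps/internal-api:latest}"
# DRY_RUN=1 (the default) prints each gcloud command instead of running it.
# Set DRY_RUN=0 to apply the changes to a real project.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A dedicated /28 for the connector, with Private Google Access enabled so that
# traffic the connector carries towards Google APIs (BigQuery, Cloud Storage, ...)
# is served over Google's private path instead of needing public egress.
create_subnet() {
  run gcloud compute networks subnets create "$SUBNET" \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK" \
    --range=10.8.0.0/28 --enable-private-ip-google-access
}

# Bind the connector to that subnet. When the subnet lives in a Shared VPC host
# project, add --subnet-project=<host project id> to this command.
create_connector() {
  run gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --project="$PROJECT" --region="$REGION" --subnet="$SUBNET"
}

# --ingress=internal: the service answers only requests that originate inside the
#   VPC (including on-premises traffic entering through Cloud VPN / Interconnect);
#   requests that arrive from the public internet are refused.
# --vpc-egress: all-traffic pushes every outbound connection through the connector,
#   which is what makes BigQuery calls traverse the VPC and consume connector
#   bandwidth; private-ranges-only sends only RFC 1918 / RFC 6598 destinations
#   through it and lets Google API traffic leave directly.
deploy_service() {
  egress="${1:-all-traffic}"
  run gcloud run deploy "$SERVICE" \
    --project="$PROJECT" --region="$REGION" --image="$IMAGE" \
    --vpc-connector="$CONNECTOR" --vpc-egress="$egress" \
    --ingress=internal --no-allow-unauthenticated
}

main() {
  create_subnet
  create_connector
  deploy_service all-traffic
}
main
```

On Question 1: with `--vpc-egress=private-ranges-only`, only RFC 1918 and RFC 6598 destinations go through the connector, so calls to Google API endpoints bypass it (and its bandwidth) and leave over Cloud Run's default egress path; `all-traffic` is what forces them through the VPC, and then Private Google Access on the connector subnet is what lets them succeed, which is the behaviour the test in the question observed.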

Is it possible to whitelist IP addresses that can hit google cloud function URL [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 2 years ago.
I am looking for a way to restrict the public URL endpoint of a Google Cloud Function.
Basically, we want to make sure that the endpoints we expose can only be invoked by specific third-party servers (a list of IP address ranges). What authorization mechanism can we put at our endpoint to filter any request that did not originate from the third-party server?
We do have the list of IP address ranges for those third-party service providers.
You can configure your function's ingress settings to only allow internal traffic and traffic originating from a Google Cloud Load Balancer (ALLOW_INTERNAL_AND_GCLB in the API), and then use Cloud Armor in that Load Balancer.
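The setup the answer describes, as an added example written for this page (not the answerer's code): the function's ingress is set to internal-and-gclb so its own URL stops answering direct internet requests, and a global external HTTPS load balancer in front of it carries a Cloud Armor policy that denies everything except the third party's source ranges. The project, region, function, policy, backend, certificate and IP ranges are assumed placeholders (the ranges are constructed RFC 5737 documentation addresses), and the script prints the gcloud commands by default instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original post or answer: ingress restriction on a
# Cloud Function plus a Cloud Armor source-IP allowlist on the load balancer that
# fronts it. All names, the certificate and the IP ranges are assumed placeholders.
set -e

PROJECT="${PROJECT:-my-project}"
REGION="${REGION:-us-central1}"
FUNCTION="${FUNCTION:-partner-webhook}"
POLICY="${POLICY:-partner-allowlist}"
NEG="${NEG:-partner-webhook-neg}"
BACKEND="${BACKEND:-partner-webhook-backend}"
CERT="${CERT:-partner-webhook-cert}"        # an existing managed or uploaded cert
# Constructed sample ranges (RFC 5737 documentation space); max 10 ranges per rule.
ALLOWED_RANGES="${ALLOWED_RANGES:-203.0.113.0/24,198.51.100.0/24}"
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Ingress restriction: with internal-and-gclb the cloudfunctions.net URL no longer
# serves requests coming straight from the internet, so the Cloud Armor policy
# below cannot be bypassed by calling the function directly.
deploy_function() {
  run gcloud functions deploy "$FUNCTION" \
    --project="$PROJECT" --region="$REGION" \
    --runtime=python310 --entry-point=handler --trigger-http \
    --ingress-settings=internal-and-gclb --allow-unauthenticated
}

# Cloud Armor policy: the default rule (priority 2147483647) is created as "allow",
# so it is flipped to deny-403 first; a higher-priority rule then admits the
# partner's source ranges only.
create_security_policy() {
  run gcloud compute security-policies create "$POLICY" \
    --project="$PROJECT" --description="Only the partner's servers may call the webhook"
  run gcloud compute security-policies rules update 2147483647 \
    --project="$PROJECT" --security-policy="$POLICY" --action=deny-403
  run gcloud compute security-policies rules create 1000 \
    --project="$PROJECT" --security-policy="$POLICY" \
    --src-ip-ranges="$ALLOWED_RANGES" --action=allow \
    --description="Partner source ranges"
}

# External HTTPS load balancer in front of the function: serverless NEG -> backend
# service (policy attached here) -> URL map -> HTTPS proxy -> forwarding rule.
create_load_balancer() {
  run gcloud compute network-endpoint-groups create "$NEG" \
    --project="$PROJECT" --region="$REGION" \
    --network-endpoint-type=serverless --cloud-function-name="$FUNCTION"
  run gcloud compute backend-services create "$BACKEND" \
    --project="$PROJECT" --global --load-balancing-scheme=EXTERNAL_MANAGED
  run gcloud compute backend-services add-backend "$BACKEND" \
    --project="$PROJECT" --global \
    --network-endpoint-group="$NEG" --network-endpoint-group-region="$REGION"
  run gcloud compute backend-services update "$BACKEND" \
    --project="$PROJECT" --global --security-policy="$POLICY"
  run gcloud compute url-maps create "$FUNCTION-urlmap" \
    --project="$PROJECT" --global --default-service="$BACKEND"
  run gcloud compute target-https-proxies create "$FUNCTION-proxy" \
    --project="$PROJECT" --global \
    --url-map="$FUNCTION-urlmap" --ssl-certificates="$CERT"
  run gcloud compute forwarding-rules create "$FUNCTION-fr" \
    --project="$PROJECT" --global --load-balancing-scheme=EXTERNAL_MANAGED \
    --target-https-proxy="$FUNCTION-proxy" --ports=443
}

main() {
  deploy_function
  create_security_policy
  create_load_balancer
}
main
```

The order matters for the deny rule: the policy's default rule is created as allow, and if it were left that way the allowlist rule would add nothing, so the script flips it to deny-403 before attaching the policy to the backend.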

how to hide aws hosted webservers behind a vpn or proxy [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 3 years ago.
I am trying to find a simple solution using either a software-based VPN or a proxy solution. I have an AWS account in which I host multiple web-based applications. I don't want to expose the URLs of the stage/UAT environment. So I want to use some software proxy or software-based VPN solution. The solution should be simple: the team should connect to the VPN or proxy and should be able to access the URLs. I tried the OpenVPN server, but I have multiple AWS accounts, where the configuration gets complicated.
Any software-based, paid or company-managed solution should be fine.
I would suggest using the OpenVPN Marketplace AMI, as it provides a beautiful and manageable interface for admins plus users.
Plus features:
It has an option for a two-factor authenticator by default, which provides an extra layer of security
You do not need to manage or generate any keys
So you will need to allow traffic from OpenVPN in your private staging server, and the user will only be able to connect if they are connected to the VPN server.
I have multiple AWS accounts where configuration gets complicated.
Do not make things complicated and risky by using one VPN server for all accounts. It's better to use individual VPN access certificates for each account instead of using a single common one.
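An added example, written for this page rather than taken from the answer, of the "allow traffic from OpenVPN in your private staging server" step: the staging web servers' security group drops its open-to-the-internet rule and instead admits only instances that carry the VPN server's security group. It is applied through a named AWS CLI profile, one per account, in line with the per-account advice above. The profile name, security-group IDs and ports are assumed placeholders, and it assumes the VPN server NATs client traffic (OpenVPN Access Server's default), so VPN users' requests source from that instance. Commands are printed rather than executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: AWS CLI commands
# that restrict a staging web server's security group to the OpenVPN server only.
# Profile name, security-group IDs and ports are assumed placeholders.
set -e

PROFILE="${PROFILE:-staging-account}"
WEB_SG="${WEB_SG:-sg-0123456789abcdef0}"   # security group on the staging web servers
VPN_SG="${VPN_SG:-sg-0fedcba9876543210}"   # security group on the OpenVPN server
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Weak state: the staging listener is open to the whole internet. Remove that rule
# so the stage/UAT URL no longer answers arbitrary sources.
revoke_public_ingress() {
  port="$1"
  run aws ec2 revoke-security-group-ingress --profile "$PROFILE" \
    --group-id "$WEB_SG" --protocol tcp --port "$port" --cidr 0.0.0.0/0
}

# Corrected state: only instances carrying the VPN server's security group may
# reach the port, so a user has to be connected to the VPN before the URL answers.
# Referencing a group rather than the VPN host's IP keeps the rule valid when the
# VPN instance is replaced or gets a new address.
allow_from_vpn_only() {
  port="$1"
  run aws ec2 authorize-security-group-ingress --profile "$PROFILE" \
    --group-id "$WEB_SG" --protocol tcp --port "$port" --source-group "$VPN_SG"
}

main() {
  for port in 80 443; do
    revoke_public_ingress "$port"
    allow_from_vpn_only "$port"
  done
}
main
```

Run it once per account with a different PROFILE (and that account's own WEB_SG and VPN_SG), which keeps each account's VPN access independent as the answer recommends.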

Alternatives for hosting a simple Slack App (AWS is too expensive)? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 2 years ago.
I've been developing a small Slack application for my team. It's a very simple app to help organizing projects. I've written it in Python and used AWS Lambda (one of the Slack API hosting recommendations) to host it. As the usage of this app will be very incidental, I thought that AWS Free Tier could handle it for a while. But I was surprised to discover that, while Lambda has a free tier, I need to configure a NAT Gateway that costs $0.045 per hour to get anything useful out of it.
I'm very disappointed by this. I can't justify the cost of this NAT Gateway for such a small and simple application (that will be used by 5-10 people maximum, and only sometimes). Is there a workaround that I could use (I've heard about NAT instances)?
EDIT: I've created a NAT instance and tried using it with my app. Thing is, now Slack is throwing me a Timeout Reached error (since Slack expects a response within 3000ms before throwing this error). So, are NAT instances slower than NAT Gateways?
NAT instances provide Internet connectivity for EC2 instances located in private subnets. NAT instances provide network address translation. NAT instances are not related to API Gateway nor Lambda functions.
NAT Instances
API Gateway does not have a cost per hour unless you configure caching, which probably is not necessary for your use case. More details are needed to be sure.
API Caching
Note: You can call your Lambda functions directly from your Python code if you do not need all of the features of API Gateway.
Boto3 Lambda.Client