Why istio sidecar doesn't support direct access by DNS - istio

I'm using istio 1.4.10 and trying to directly access an external service by DNS.
Because I don't need traffic control and I don't know when the service IP changes.
So... can I access it directly by DNS?

Related

Create a public endpoint to AWS ElasticSearch domain which is inside a VPC

I need to access a AWS ElasticSearch (AES) domain, which is inside a VPC, from the internet, so that I can do read/write testing from a local machine. Ultimately, the code will run on an EC2 instance inside the VPC, but for now I need direct access. It would be ideal if the same code would run both outside and inside the VPC (as we do with DynamoDB), but we may not be that lucky.
Thus, I want to create a public endpoint to access the AES domain that is inside the VPC.
Since I have the AES internal endpoint name and the ENI connected to it, I thought I could just connect an Elastic IP address to the ENI, but that's not allowed -- I assume it's because the internal IP address may change.
Alternatively, it would make sense that I could map a route in the route table from the IGW (Internet Gateway) to the internal address. But that would again be connected to the internal IP address, and that's bad.
I expect I could use Route53 to map an external facing domain name in to it. But that seems like overkill.
Is there way to map an address from the internet in to the AES domain name?
Sadly, there is no direct way. You have to set up a VPN connection between your home and your VPC, or some other type of proxy server. However, for testing and development purposes, an SSH tunnel is usually more than sufficient. Setting up the SSH tunnel is explained in Testing VPC Domains of AWS Docs.
There are also numerous other manuals and tutorials on how to do it, e.g.:
How can I use an SSH tunnel to access Kibana from outside of a VPC with Amazon Cognito authentication?
I want to use an SSH tunnel through AWS Systems Manager to access my private VPC resources. How can I do this?
Elasticsearch api secure using SSH tunneling

Connection to Compute Engine with No External IP Possible?

I am not sure if this is a strange behavior of Google Compute Engine. I have a VM without an External IP.
Now, when I click the ssh button I can still connect to it and I see the log:
External IP address was not found; defaulting to using IAP tunneling.
I have not configured any IAP though. So how can that be possible? Is then IAP tunnelling always on?
Identity Aware Proxy is a managed Google Cloud service. This service is always running. Access is controlled through IAM roles. The CLI is connecting to an IAP endpoint, requesting the creation of a TCP tunnel and then forwarding traffic to your instance via this tunnel.
If you don't set an external IP address on your VM Instance, as you can see in this documentation, you will have to use one of these 3 methods to connect to your Instance: 1.- Creating a VPN, 2.- Using a Bastion Host, 3.- Using Identity-Aware Proxy.
The most common is to use IAP or VPN; the bastion host method is more complicated and expensive.

DNS resolution for AWS resources on GCP (after establishing a VPN connection between them)

I have successfully built a VPN connection between gcp and aws using the following guide (https://cloud.google.com/solutions/automated-network-deployment-multicloud).
I can currently ping the resources on the other cloud provider based on the private IP. However, I would like to use DNS resolution that resolves the AWS resource DNS names to their private IPs. Can someone please help me with this? Using a DNS server policy may not be the best option for me as it points to the alternative name server only and not to gcp's internal name servers anymore. So how can I use forwarding zones in gcp for DNS names such as database-test.c34fdgt1ascxz.us-west-1.rds.amazonaws.com so that it resolves to the private IP? The above example is for a database which I have not made public. Has someone done this already? Or does anyone have any idea on how to go about this? Any help is much appreciated, thank you so much.
It is possible.
If your goal is to configure outbound forwarding to AWS, then you should remove this policy; you just need a Cloud DNS managed zone to accomplish this.
The DNS queries that are forwarded from GCP to AWS will come from the 35.199.192.0/19 address block.
The 35.199.192.0/19 traffic can be routed over a dynamic (BGP) VPN tunnel, so you would just need to modify your AWS VPN gateway or router by adding a route to reach 35.199.192.0/19.
It looks like a public address block, but Google uses this block only for forwarding, and does not announce it on the public Internet.
And finally, AWS needs to be configured so that responses to DNS queries from 35.199.192.0/19 are routed back to GCP using the VPN tunnel configured between AWS and GCP.
In other words, this traffic needs to go through the VPN tunnel.
To debug it you can use stackdriver logging and also by checking network captures on both endpoints.
Check these documentation guides: Creating forwarding zones and DNS forwarding.
You can't resolve AWS private IP addresses by submitting the AWS public endpoint to GCP's DNS. That just won't work.
AWS uses a service called Route53 Resolver that will forward requests that can't be resolved internally to an external DNS server that you specify. We use this in our envs to resolve on-prem corp IPs that are not part of Route53. I have not tried this, but it's possible you can use that to point to GCP DNS.

Unable to access service running inside AWS

I have a kubernetes cluster having a master and two minions.
I have a service running using the public IP of one of the minions as the external IP of the service.
I have a deployment which runs a POD providing the service. Using the docker IP of the POD I am able to access the service.
But I am not able to access it using the external IP and the cluster IP.
The security groups have the necessary ports open.
Can someone help on what I am missing here? The same setup works fine in my local VM cluster.
The easiest way to access the service is to use a NodePort; then, assuming your security groups allow that port, you can access the service via the public IP of the node:nodeport assigned.
Alternately, and a better approach so as not to expose your nodes to the public internet, is to set up the CloudProvider to be type AWS and create a service of type LoadBalancer; then the service will be provisioned with an ELB publicly.
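The two Service types the answer above describes, written out as an added example (this is not a manifest from the original post). It assumes a Deployment in the default namespace whose pods carry the label `app: myapp` and listen on container port 8080, and, for the second Service, a cluster whose cloud provider is configured as AWS; the names `myapp-nodeport`, `myapp-lb`, the node port 30080 and the `loadBalancerSourceRanges` CIDR are placeholders chosen for the example.

```yaml
# Added example, not from the original answer. Assumed: pods labelled app: myapp
# on container port 8080; cloud provider = AWS for the LoadBalancer variant.
#
# Variant 1: NodePort. Every node opens port 30080 and forwards it to the pods,
# so the service is reachable at <node public IP>:30080 only if the node's
# security group allows inbound 30080. This is the "expose the nodes" option.
apiVersion: v1
kind: Service
metadata:
  name: myapp-nodeport        # placeholder name
spec:
  type: NodePort
  selector:
    app: myapp                # assumed pod label
  ports:
    - name: http
      port: 80                # ClusterIP port, cluster-internal only
      targetPort: 8080        # assumed container port on the pod
      nodePort: 30080         # placeholder; must be in the cluster's NodePort range
---
# Variant 2: LoadBalancer. With the AWS cloud provider configured, the
# controller provisions an ELB that fronts the service, so the nodes' own
# public IPs never need to be reachable from the internet.
apiVersion: v1
kind: Service
metadata:
  name: myapp-lb              # placeholder name
spec:
  type: LoadBalancer
  selector:
    app: myapp                # assumed pod label
  ports:
    - name: http
      port: 80                # port the ELB listens on
      targetPort: 8080        # assumed container port on the pod
  # Restrict who may reach the ELB; a placeholder range, replace with the
  # client CIDR that should actually be allowed in.
  loadBalancerSourceRanges:
    - 203.0.113.0/24
```

Apply either manifest with `kubectl apply -f` and check the result with `kubectl get svc`: the NodePort service shows the assigned node port under PORT(S), while the LoadBalancer service shows the ELB hostname under EXTERNAL-IP once AWS has provisioned it. `loadBalancerSourceRanges` is optional; without it the ELB's security group admits any source, which is usually wider than a test deployment needs.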

Unable to connect to azure vm with internal IP

I have two vnets that are connected using a gateway, VNET1 and VNET2. VNET2 has a VM which hosts a mongodb instance. I have a webjob running within an App Service Environment which is deployed into a subnet within VNET1. From this subnet I am able to access the VM in VNET2 with its DNS. But I am unable to access the VM's internal IP. Any suggestions are welcome.
An internal IP address is internal to a VNET, and VNETs are isolated from one another by design. See this site for a good overview: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-overview/. If you want to connect internally you might want to consider having multiple subnets within the same VNET instead.
At present, connecting two vnets using a gateway allows IP communication but doesn't allow DNS name resolution. In this scenario we recommend managing a local DNS server. This page shows the requirements for using your own DNS server in Azure.
Hth, Gareth