Pipeline from Azure DevOps to local domain through a VPN and AD server - amazon-web-services

We have a VPN server in AWS which is also an AD domain controller that controls our local domain (private subnet) in AWS.
We want to create a pipeline from Azure DevOps through the VPN server (which is also an AD domain controller) to our other server and deploy the project on the server in the private subnet.
So my question is: can we do any of the things mentioned below, and if yes, how can we achieve it?
Is there a way to make Azure DevOps use the VPN connection to connect directly to the server on the private subnet? And is it secure?
Is there a way, after adding the server on the private subnet to the server list on the AD domain controller server, to create a pipeline to the AD server but tell the AD server to deploy it on the other server listed in Server Management?

• Yes, there is a way through which we can connect Azure DevOps to the AD domain controller server, which is itself the VPN server in AWS. For that purpose, you will have to ensure that your AD domain controller / VPN server is accessible from the internet, and since it is hosted in AWS, consider it to be hosted in an on-premises environment from this solution's perspective. Thus, I would suggest you deploy Azure DevOps agents and agent pools such that they deploy artifacts and other required data to the AD DC / VPN server in AWS; they should have 'line of sight' connectivity to the VPN server, since internet access is needed for these agents to connect to Azure Pipelines, as shown in the diagram below.
Also, rather than the hosted agent pools, which are used for Azure resources in the virtual network on Azure itself, use the default agents, which need to be configured for an on-premises environment.
• Since Azure DevOps agents communicate with the VPN server in AWS as stated above, you can further create route tables between the private subnet and the subnet in which the VPN is hosted in AWS, as well as whitelist the IP address of the connecting VPN gateway and related resources in that VPC. Peering between different VPCs, if the private subnets are hosted in them, can also work by configuring the proper route tables and allowing the appropriate IP addresses in AWS.
Kindly find the documentation link below, which describes the details of configuring DevOps agents as stated above:
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/pools-queues?view=azure-devops&tabs=yaml%2Cbrowser
For additional security, you can also deploy your DevOps agents behind a web proxy, as below:
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/proxy?view=azure-devops&tabs=windows
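The arrangement the answer describes, as an added example that is not part of the original post: a self-hosted agent pool running in the AWS VPN subnet pulls the artifact from Azure DevOps over outbound HTTPS only and then pushes it to the private-subnet server over WinRM/HTTPS (TCP 5986), which the private subnet's security group must allow from the agent subnet. The pool name, environment name, variable group, target hostname and install script are assumed placeholders.

```yaml
# azure-pipelines.yml (added example; names below are assumptions, not from the original post)
trigger:
  branches:
    include: [main]

variables:
  - group: aws-private-deploy          # assumed variable group holding deployUser / deployPassword (secret)
  - name: targetServer
    value: app01.corp.example          # assumed private-subnet server, resolved via the AD DC's DNS

stages:
  - stage: Build
    jobs:
      - job: Build
        pool:
          vmImage: ubuntu-latest       # Microsoft-hosted agent: only needs Azure DevOps, never the VPC
        steps:
          - script: dotnet publish -c Release -o $(Build.ArtifactStagingDirectory)
          - publish: $(Build.ArtifactStagingDirectory)
            artifact: drop

  - stage: Deploy
    dependsOn: Build
    jobs:
      - deployment: DeployToPrivateSubnet
        environment: aws-private       # assumed environment; approvals and checks attach here
        pool:
          name: aws-onprem-agents      # assumed self-hosted pool: agents live in the AWS VPN subnet
        strategy:
          runOnce:
            deploy:
              steps:
                - download: current
                  artifact: drop
                - powershell: |
                    # Secret arrives through an env mapping so it is masked in logs, not expanded inline.
                    $sec  = ConvertTo-SecureString $env:DEPLOY_PASSWORD -AsPlainText -Force
                    $cred = New-Object System.Management.Automation.PSCredential('$(deployUser)', $sec)
                    # WinRM over HTTPS only; route table + security group let the agent subnet reach 5986.
                    $s = New-PSSession -ComputerName '$(targetServer)' -Credential $cred -UseSSL
                    Copy-Item "$(Pipeline.Workspace)/drop" -Destination 'C:\deploy\drop' -ToSession $s -Recurse -Force
                    # install.ps1 on the target is assumed; it is the only thing executed remotely.
                    Invoke-Command -Session $s -ScriptBlock { & 'C:\deploy\install.ps1' -Source 'C:\deploy\drop' }
                    Remove-PSSession $s
                  env:
                    DEPLOY_PASSWORD: $(deployPassword)
```

Nothing in this flow requires an inbound rule from the internet to the VPC: the agent initiates every connection, so the VPN/AD DC host only needs its existing outbound access and the private subnet only needs 5986 open to the agent's subnet.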

Related

Connecting to a Cloud SQL private IP instance without creating a new VM instance

I was wondering if there's any possible solution to connect a GCP IAP tunnel to a DB (Cloud SQL Proxy) when the DB has no public IP.
I don't want to create a new VM for this purpose, so I'm only interested in solutions that don't require me to use a VM.
Thanks in advance.
There are two ways to connect your on-prem network to the VPC, but both are fairly involved (and potentially expensive):
You can use Cloud Interconnect.
You can use Cloud VPN to set up an HA VPN.
For both scenarios, you'll also need to configure Cloud Router to export the routes to your Cloud SQL instance into your on-prem network.
Additionally (if you have control of your constraints), you could revisit the idea of using a public IP. Using the Cloud SQL Auth proxy allows you to authorize your connections using an IAM identity as opposed to traditional firewalling or SSL certs. You can even use org policies to restrict Authorized Networks, making the Auth proxy required to connect.

Can I join a local personal workstation to a Google Cloud Active Directory Domain?

My company's members all work remotely and there is no central office or HQ. They are interested in a cloud AD to create and manage group policies. I created one using these steps in Google Cloud services LINK. I have a VPC, a domain and a VM joined to the domain with Active Directory installed. I am fairly new to this and looking for a way to now join a local workstation to the domain so it talks to the Active Directory I created. All the documentation I am finding is for joining other Google Cloud VMs to the domain controller.
As John mentioned, as a best practice it's recommended to use VPN tunnels to secure LDAP traffic. You can connect to your Managed Microsoft AD domain with Google Cloud Hybrid Connectivity products, like Cloud VPN or Cloud Interconnect. You can configure the connection from your on-premises or other network to an authorized network of the Managed Microsoft AD domain. I share with you a document on configuring an HA VPN in GCP to a peer VPN gateway.

What is the GCP equivalent of AWS Client VPN Endpoint

We are moving from AWS to GCP. I used a Client VPN Endpoint in AWS to get into the VPC network in AWS. What is the alternative in GCP which I can quickly set up to get my laptop into the VPC network? If there is no exact alternative, what's the closest one, and please provide instructions to set it up.
AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.
Currently there is no managed product available on GCP to allow VPN connections from multiple clients to directly access resources within a VPC, as Cloud VPN only supports site-to-site connectivity; however, there is an existing feature request for this.
As an alternative, a Compute Engine instance can be used instead, with an OpenVPN server manually installed and configured following the OpenVPN documentation; however, this would be a self-managed solution.

Connecting an AWS EC2 to a Google Cloud SQL instance locally using VPN Gateway

I have an AWS account with an EC2 instance in it that I am trying to connect to a Cloud SQL server (MySQL 5.6) inside of Google Cloud Platform.
I have successfully set up a VPN between AWS and GCP and can echo a message over nc between an EC2 instance on AWS and a VM on GCP.
As GCP managed DBs are not placed inside a VPC of my choosing, I followed this guide to give the DB a private IP and then peer that with my Google VPC. I tested that this works by accessing the DB via pymysql from a VM in GCP using the private IP of the DB.
However, my issues come from connecting the EC2 instance inside of AWS to the Cloud SQL DB in the same way. I have followed this guide to allow the use of the DB's private IP from an external source, but I seem to be getting stuck on how to set up the routing to the peered network the DB is sitting in using AWS routing.
The problem has been sorted!
In the Advertised routes settings of my Cloud Router, I had misunderstood the function of "Advertise all subnets visible to the Cloud Router (Default)".
I needed to instead choose "Create custom routes" and then the sub-option "Advertise all subnets visible to the Cloud Router".
This then allowed me to add the Cloud SQL subnet to my router so that the IP block propagates over to AWS.

Fixed and Reserved Outbound IP for App Service

I have an Azure web app that has 2 slots (one for production and one for staging). My web app calls an external web service that is protected via IP filtering. When I'm in production, I call the external web service for production, and when I'm in staging I call the external web service for staging.
Because I swap from staging to production, my 2 outbound IP addresses change regularly. So the external web service cannot protect staging and production independently.
Can the App Service Environment help me? Or another Azure service?
Thanks.
It seems, you're out of luck here. According to Microsoft Azure documentation:
Can I use a reserved IP for all Azure services?
Reserved IPs can only be used for VMs and cloud service instance roles exposed through a VIP.
So, no reserved IPs for Azure App Services, but only for VMs and Cloud Services.
But there might be some solutions possible:
replace IP filtering with Azure subdomain filtering, such as my-app-prod.azurewebsites.net and my-app-staging.azurewebsites.net (or buy a domain name, set its subdomain records to point to the Azure App Service slot subdomains, and use them instead of Azure's);
migrate your environment to Azure Cloud Services or VMs and then set up an Azure Virtual Network with reserved IP addresses.