Google Indexing AWS Network Interface IP Address - amazon-web-services

I have a site running on ECS in AWS with the DNS being handled by Route53.
There are two network interfaces whose public IP addresses I can use to access the site. The problem is that Google has indexed these IP addresses as well as the domain name.
How do I "redirect" the IP addresses to the domain name?

There are 2 aspects in your question:
1. You want your access using IP to resolve to your domain name
2. Google indexing your site with the wrong URL
For your 1st challenge, there isn't a native way to force browsers from IPs back to URLs. You have to handle this in your application or infrastructure. Since you're running in ECS, that could either be a rule in a Load Balancer (e.g. if using an Application Load Balancer, a rule that checks if the Host header doesn't match your domain and then redirects to your domain URL), or you could write the logic into your container.
Regarding the #2 problem, that might be because your IP was added to some site on the internet (remember that IPs are re-used in AWS), and as a result Google has the IP in its cache and is refreshing it. To handle this problem, you might need to review whether it's possible using Google's Removals Tool.
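The "write the logic into your container" option from the answer above, as an added example that is not part of the original answer: a small WSGI middleware that answers 301 to any request whose Host header is not the canonical domain (for instance a request made straight to a task's public IP) and sends it to the same path on the canonical domain. The domain `www.example.com` is a placeholder, and the request dictionaries are constructed.

```python
"""Canonical-host redirect middleware (added example, not from the answer).
Requests to the bare public IP, or any other Host, get a 301 to the
canonical domain so crawlers learn the one URL that should be indexed."""
from urllib.parse import quote

CANONICAL_HOST = "www.example.com"  # placeholder for your Route53 domain


def _request_host(environ):
    """Host header (falling back to SERVER_NAME), lowercased, port removed."""
    host = (environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")).strip().lower()
    if host.startswith("["):                     # IPv6 literal: [2001:db8::1]:443
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def canonical_redirect_url(environ, canonical_host=CANONICAL_HOST):
    """Redirect target for a non-canonical request, or None if already canonical."""
    if _request_host(environ) == canonical_host.lower():
        return None
    path = quote(environ.get("PATH_INFO", "/") or "/")   # PATH_INFO is decoded; re-encode it
    query = environ.get("QUERY_STRING", "")
    url = "https://" + canonical_host + path
    if query:
        url += "?" + query
    return url


class CanonicalHostMiddleware:
    """Wraps a WSGI app; non-canonical hosts get 301, everything else passes through."""

    def __init__(self, app, canonical_host=CANONICAL_HOST):
        self.app = app
        self.canonical_host = canonical_host

    def __call__(self, environ, start_response):
        target = canonical_redirect_url(environ, self.canonical_host)
        if target is None:
            return self.app(environ, start_response)
        body = b"Moved Permanently"
        start_response("301 Moved Permanently", [
            ("Location", target),
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
        ])
        return [body]


def _hello_app(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run_request(environ):
    """Push one constructed request through the middleware; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(CanonicalHostMiddleware(_hello_app)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # constructed request that hit the task's public IP directly
    print(run_request({"HTTP_HOST": "203.0.113.10:443", "PATH_INFO": "/blog",
                       "QUERY_STRING": "page=2"}))
```

If you take the load balancer route instead, note that ALB listener rules match on the Host header rather than on its absence, so the usual layout is a rule that forwards to the target group when the host equals your domain and a default action that redirects everything else.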

Related

Google Cloud Run route traffic to a specific domain using static IP

I have a cloud run service, which sends requests to a number of domains:
domain1.com
domain2.com
domain3.com
domain3.com requires that all my requests come from the same static IP address.
Is it possible to do this in Cloud Run?
I've found a guide on how to set up static outbound IP address. But I don't really understand whether it is possible to do that only for one specific domain.
If I understand correctly, it should be done (if possible) somewhere on the Cloud NAT level.
Also, I guess that I would need to first "explore" an IP address of the domain3.com in order to use that address in Cloud NAT.
From a Cloud Run service, you can't use a specific IP to reach only one domain and not the others.
On a Cloud Run service, you can plug in a serverless VPC connector to route all the traffic through that connector (I assume that your domain.com are public domains, hence the all parameter for the egress), and add a Cloud NAT to use your reserved IP(s). (here in the documentation)
Because you route ALL the traffic, you can't select for that domain (or IP) and not this one. It's ALL!

Runtime DNS Entry of Server Ip in Domain Providers

I have an infrastructure consisting of a load balancer (nginx configuration) and two servers,
one is for the UK and the other is for the US.
Now the requirement is that I have to deploy the application at runtime to one of these servers based on client IP; that part is done in the nginx conf with the geoip module,
and it will add the server entry as well if it is not available in the nginx upstream list.
Now the second part is that these servers, e.g. UK and US, have IPs, and I want runtime DNS entries for them as well.
Servers can be on AWS, Azure or GCP, so their domain providers may vary.
So is it possible to do the DNS entry during the deployment stage, like: first the application will be deployed to the corresponding server, then that server should make the entry in DNS as well and get a domain name (which should be provided by the user at runtime)?
In short, there is a script which is doing runtime domain entries like as.blabla.com in nginx,
but I need to have another parameter for the server, like 190.80.0.13 for Asia, and I want a DNS entry for this IP as well, whether it belongs to GCP, AWS or any DNS-related system.
The question may seem a lot twisted; it's okay, we can discuss further.
In AWS you will be better off with AWS Elastic Load Balancer and Route53, using Geolocation or Geoproximity as the routing policy.
For better performance you can add a CloudFront (CDN) distribution.
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html

How to setup a Google Cloud load balancer to allow pointing domains with cname records?

I have recently started exploring the Google Cloud Platform Cloud Load Balancer and Cloud CDN products.
I am interested in setting up a load balancer to accept requests from multiple customer-pointed domains and map to an internal service.
Currently, I am creating multiple front-ends for the load balancer which feature a single domain and one or more SSL certificates. This creates a new ephemeral IP address per front-end that customer domains can be pointed to via A records.
Instead, I would like to allow customers to point their domains to my service using CNAME records.
e.g. demo.customerdomain.com -> CNAME service.mydomain.com.
Can anyone help me figure out the best way to do this?
I am not sure what benefits/risks this has in terms of security or caching, so if anyone has any input on that, I would be interested to hear it.
Thanks,

Getting Google cloud cdn's domain name and benefits of edge locations

Coming from an AWS/CloudFront background, I want to know the base domain of Google's CDN, which I can't find anywhere. In CloudFront, a domain such as xyzid.cloudfront.net is available in the list of CloudFront distributions.
I need to store objects in Google's bucket and serve them via Google's CDN for better performance. I have read a lot of tutorials which explain how to link the CDN with the bucket via a load balancer. But in the end it gives me only an IP address, via which I am able to access the bucket's content successfully.
Since the IP will be in a particular location, whereas in the case of CloudFront it gives a domain such as xyzid.cloudfront.net which resolves to the nearest IP address based on the location of the user, I am highly doubtful how using an IP as a base domain will give the advantage of Google's 90+ edge locations.
I think I am missing something big here.
Coming from AWS/cloudfront background I want to know the base domain of google's CDN which I can't find anywhere.
When you configure a Google CDN, you need to configure a Load Balancer and enable the CDN feature. The address of the CDN is the address of the load balancer. This is the case for caching compute instances and Cloud Storage.
Since IP will be in a particular location, ...
Incorrect assumption that an IP address is tied to a location in GCP. Google supports a global IP address where the IP address itself is global in scope and resolves to the closest (configured) edge location for routing. This technology is called Anycast. It is the same technology used for global Domain Name servers.
[EDIT with additional information]
There are two types of public external IP addresses: Global and Regional. Use a Global IP address for Global HTTP(S) Load Balancers. Regional IP addresses are used for VM instances, Network Load Balancers and most other services.
Cloud Storage objects can be accessed through the URLs described at [1].
[1] https://cloud.google.com/storage/docs/request-endpoints

Setting up a static IP in AWS Security Group while using Cloudflare

I want to set up a security group that will only allow my static IP to hit an EC2 server, but because I use Cloudflare and it uses some IP/reverse proxy magic, the AWS security group only sees the Cloudflare IP and not my actual static IP. I looked all over and can't find any answer to how to do this. Has anyone figured this out?
You can't do this with security group settings.
Caching proxies like Cloudflare create a separate connection to the origin server, using one of their IP addresses.
You'd need to use those addresses in your security group, and maintain the rules if Cloudflare changes the list. But the list is public.
https://www.cloudflare.com/ips/
Next, you need to configure your web server to deny requests when the CF-Connecting-IP HTTP header doesn't contain your IP address.
https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-
You have to do both, because if you don't restrict traffic to the Cloudflare IP address ranges with your security group, then traffic from elsewhere (not via Cloudflare) could forge the header containing the IP address.
Having done those two things, you have almost accomplished your objective, but not quite... because Cloudflare caches responses.
So, the next problem is, you also need to disable caching at Cloudflare, because once you fetch a page, it may be in the Cloudflare cache, where someone else might access it.
https://support.cloudflare.com/hc/en-us/articles/200168306-Is-there-a-tutorial-for-PageRules-
Really, for a case where you need to restrict access to a single IP (or a small set), it doesn't usually make a lot of sense to send the traffic through Cloudflare.
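The checks described in the answer above, as an added example that is not part of the original answer: a WSGI middleware that (1) only trusts the CF-Connecting-IP header when the TCP peer is inside a Cloudflare range, which backs up the security group rather than replacing it, (2) then compares that header against the allowed client IP, and (3) marks every response `Cache-Control: private, no-store` so the edge does not hand a cached copy to someone else. The Cloudflare ranges and the allowed client IP below are constructed samples, not the real published list (fetch that from https://www.cloudflare.com/ips/).

```python
"""Cloudflare origin allow-list middleware (added example, not from the answer)."""
import ipaddress

# constructed stand-ins for the published Cloudflare ranges
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24", "203.0.113.0/24", "2001:db8:cf::/48")]

# placeholder for the questioner's own static IP
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.77/32")]

NO_CACHE = ("Cache-Control", "private, no-store")


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def classify_request(peer_ip, cf_connecting_ip):
    """Return 'allow', 'not-via-cloudflare' or 'client-not-allowed'."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return "not-via-cloudflare"
    if not _in_any(peer, CLOUDFLARE_RANGES):
        # The header is only meaningful on connections from Cloudflare itself;
        # a direct connection could carry any value in it.
        return "not-via-cloudflare"
    try:
        client = ipaddress.ip_address((cf_connecting_ip or "").strip())
    except ValueError:
        return "client-not-allowed"
    return "allow" if _in_any(client, ALLOWED_CLIENTS) else "client-not-allowed"


class CloudflareAllowlist:
    """Wraps a WSGI app; 403 unless the request came via Cloudflare from an allowed client."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        verdict = classify_request(environ.get("REMOTE_ADDR", ""),
                                   environ.get("HTTP_CF_CONNECTING_IP"))
        if verdict == "allow":
            def start_no_cache(status, headers, exc_info=None):
                # strip any caching directive the app set and force no-store
                headers = [h for h in headers if h[0].lower() != "cache-control"]
                return start_response(status, headers + [NO_CACHE], exc_info)
            return self.app(environ, start_no_cache)
        body = verdict.encode()
        start_response("403 Forbidden", [
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
            NO_CACHE,
        ])
        return [body]


def _secret_app(environ, start_response):
    """Stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain"), ("Cache-Control", "public, max-age=600")])
    return [b"private page"]


def handle(environ):
    """Push one constructed request through the middleware; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(CloudflareAllowlist(_secret_app)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(handle({"REMOTE_ADDR": "203.0.113.5", "HTTP_CF_CONNECTING_IP": "192.0.2.77"}))
    print(handle({"REMOTE_ADDR": "192.0.2.77", "HTTP_CF_CONNECTING_IP": "192.0.2.77"}))
```

The security group remains the control that actually stops direct connections; the peer check in code only makes sure the application never believes the header on a connection that slipped past it, and the no-store header is the origin-side complement of the Page Rule the answer mentions.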
You could set up a Lambda function that parses the IP file from Cloudflare and updates your security groups dynamically. AWSlabs on GitHub has an example Lambda function that does it for CloudFront. Two problems you'll run into are that you'll have to schedule the Lambda function to run, since you can't subscribe to a queue like in the example, and possibly running out of security group rules; 50 is the limit.
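The core of such a scheduled function, as an added example that is neither the AWSlabs code nor part of the original answer: parse the Cloudflare IP lists, compare them with what the security group already allows on port 443, compute the rules to add and revoke, and refuse a list that would blow past the rule limit the answer cites. The list bodies and the current group contents are constructed samples; the boto3 calls that would apply the plan are only noted in comments so the logic runs offline.

```python
"""Security group sync plan for Cloudflare ranges (added example, not from the answer)."""
import ipaddress

RULE_LIMIT = 50   # per-group rule limit as stated in the answer
PORT = 443

# constructed stand-ins for the bodies of https://www.cloudflare.com/ips-v4
# and https://www.cloudflare.com/ips-v6 (the real lists are longer)
SAMPLE_IPS_V4 = "203.0.113.0/24\n198.51.100.0/24\n\n# comment lines are ignored\n"
SAMPLE_IPS_V6 = "2001:db8:cf::/48\n"

# constructed stand-in for one group's IpPermissions from ec2.describe_security_groups
SAMPLE_CURRENT_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "192.0.2.0/24"}],
     "Ipv6Ranges": []},
]


def parse_ip_list(text):
    """Set of normalised CIDRs from a one-prefix-per-line list; blank and # lines skipped."""
    cidrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cidrs.add(str(ipaddress.ip_network(line, strict=False)))   # raises on junk lines
    return cidrs


def current_cidrs(permissions, port=PORT):
    """CIDRs already allowed for tcp/<port> in a describe_security_groups result."""
    found = set()
    for perm in permissions:
        if (perm.get("IpProtocol") != "tcp" or perm.get("FromPort") != port
                or perm.get("ToPort") != port):
            continue
        found.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        found.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    return found


def plan_update(desired, current, limit=RULE_LIMIT):
    """(to_add, to_revoke) as sorted lists; refuses a desired set over the rule limit."""
    if len(desired) > limit:
        raise ValueError(f"{len(desired)} rules needed but the limit is {limit}")
    return sorted(desired - current), sorted(current - desired)


def permission(cidr, port=PORT):
    """One IpPermissions entry in the shape boto3's authorize/revoke calls take."""
    ipv6 = ":" in cidr
    ranges_key = "Ipv6Ranges" if ipv6 else "IpRanges"
    cidr_key = "CidrIpv6" if ipv6 else "CidrIp"
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            ranges_key: [{cidr_key: cidr}]}


def sync_plan(ips_v4_text, ips_v6_text, permissions):
    """Full plan for one run: returns (to_add, to_revoke)."""
    desired = parse_ip_list(ips_v4_text) | parse_ip_list(ips_v6_text)
    to_add, to_revoke = plan_update(desired, current_cidrs(permissions))
    # In the Lambda handler (assumed wiring, not run here):
    #   ec2.authorize_security_group_ingress(GroupId=GROUP_ID,
    #       IpPermissions=[permission(c) for c in to_add])
    #   ec2.revoke_security_group_ingress(GroupId=GROUP_ID,
    #       IpPermissions=[permission(c) for c in to_revoke])
    return to_add, to_revoke


if __name__ == "__main__":
    print(sync_plan(SAMPLE_IPS_V4, SAMPLE_IPS_V6, SAMPLE_CURRENT_PERMISSIONS))
```

Revoking what is no longer on the list matters as much as adding new prefixes: a range Cloudflare releases could later be assigned to someone else, and a stale rule would keep letting it past the group.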