Google Cloud Run route traffic to a specific domain using static IP - google-cloud-platform

I have a cloud run service, which sends requests to a number of domains:
domain1.com
domain2.com
domain3.com
domain3.com requires that all my requests come from the same static IP address.
Is this possible to do so in cloud run?
I've found a guide on how to set up static outbound IP address. But I don't really understand whether it is possible to do that only for one specific domain.
If I understand correctly, it should be done (if possible) somewhere on the Cloud NAT level.
Also, I guess that I would need to first "explore" an IP address of the domain3.com in order to use that address in Cloud NAT.

From a Cloud Run service, you can't use a specific IP to reach only one domain and not the others.
On a Cloud Run service, you can plug in a serverless VPC connector to route all the traffic through that connector (I assume that your domain.com are public domains, hence the all parameter for the egress), and add a Cloud NAT to use your reserved IP(s). (here in the documentation)
Because you route ALL the traffic, you can't select for that domain (or IP) and not this one. It's ALL!

Related

Google Indexing AWS Network Interface IP Address

I have a site running on ECS in AWS with the DNS being handled by Route53.
There are two network interfaces whose public IP addresses I can use to access the site. The problem is Google has indexed these IP addresses as well as the domain name.
How do I "redirect" the IP addresses to the domain name?
There are 2 aspects in your question:
You want your access using IP to resolve to your domain name
Google indexing your site with the wrong URL
For your 1st challenge, there isn't a native way to force browsers from IP back to URLs. You have to handle this in your application or infrastructure. Since you're running in ECS, that could either be a rule in a Load Balancer (e.g. if using Application Load Balancer, a rule that checks if Host-Header doesn't match your domain then redirect to your domain URL), or you could write the logic into your container.
Regarding the #2 problem, that might be because your IP was added to some site on the internet (remember that IPs are re-used in AWS), and as a result Google has the IP in its cache and is refreshing it. To handle this problem, you might need to review whether it's possible using Google's Removals Tool.

Static IP for GCP API Gateway

Is there a native option to setup a static IP address for a google cloud API Gateway? As far as I researched, looks like I have to setup a cloud load balancer in front of the API Gateway and then use the static IP of the load balancer. I am not sure how to do this. My goal is to only give access to my API gateway via IP address? I am looking for any documentation/articles on this regard. Thanks in advance.
I don't know and don't understand your requirement, but you can achieve this with a trick with HTTPS load balancer.
Create an external HTTPS load balancer. Use an HTTP frontend (so not secure/encrypted), else you will have certificate check issues if you use HTTPS with a certificate and hit the IP.
Create an internet network endpoint group that points to your API Gateway URL
If it doesn't work, add a header in your backend service named host and with the API gateway base URL as value (without the https:// prefix)
I don't like this design because you add a useless layer (and thus an additional (and useless) potential point of failure) and you will be charged for the load balancer (about $15 per month).

redirecting a subdomain to google cloud

I have a domain under which there are multiple subdomains pointing to different websites hosted on Azure. I am starting to explore Google Cloud and want to host a subdomain on Google Cloud.
Below is how the DNS records look:
A - GO Daddy hosted main website IP address
CNAME - subdomain.example.com - subdomain.cloudapp.net
CNAME - subdomain2.example.com - subdomain2.cloudapp.net
now I want to add a cname for another subdomain to be hosted on google cloud
CNAME - subdomain3.example.com ??.googleapi.com
I have a public IP address from GCP, but how do I get a subdomain for GCP to be used in the CNAME record? As per answers to another question of mine, GCP does not provide a public CNAME for VM instances. So what should I provide in the CNAME record? (I do not want to move the DNS to Google, or to Azure for that matter.)
Based on your question and the reference to Google not providing names for VM instances, I am assuming that you are trying to create a DNS record for the external address of a VM instance.
If you have a static IP address, you should just configure your DNS provider to use an A record for that IP address, rather than a CNAME.
CNAME records just create aliases for the target names, where A records can point directly to the correct IP.
Note that if the IP on your instance is ephemeral rather than static, then you would need to keep updating the DNS record whenever you restart the instance (and get a new IP), so it would be highly recommended to use a static IP for the instance in this case.
I often use App Engine; for a CNAME, you have to map to ghs.googlehosted.com (https://cloud.google.com/appengine/docs/standard/python/mapping-custom-domains).
It seems possible to do the same on Compute Engine through the network service (https://cloud.google.com/dns/docs/quickstart#create_a_cname_record). If you don't really need the CNAME record, you should use the classical A record. It's a bit easier.
Don't hesitate to look into the documentation, everything is explained.

What are the differences between DHCP Options and Route 53?

I am a newbie to AWS. I have read about DHCP Option Set and also about Route 53. However, I do not understand clearly about the similarities and differences between them.
In my understanding, both help us customize DNS names, and DHCP is a component of VPC, but Route 53 is an AWS service, am I right? If yes, are there any differences between them? In which case do we use DHCP? In which case do we use Route 53 instead of DHCP Options?
Route 53 is a DNS service - this allows you to publish hostnames and their associated ip addresses to the world at large. For example, on a simple level, I might publish the following:
www.example.com A 123.45.67.89
This would tell internet users around the world that the server www.example.com can be found at ip address 123.45.67.89
This is hugely simplified, but think of Route 53 as a part of a distributed, decentralised database of hostnames and ip addresses.
DHCP is used by a host to get its network configuration at startup. When a machine, or vps, or ec2 instance starts up, it will make a DHCP request for its network configuration, and a dhcp server will respond, giving the host a number of parameters, but at a minimum an IP address. The dhcp server may then register this ip address/hostname combination in DNS. DHCP options are extra network configuration parameters, for example, telling the host that it is part of the domain example.com, that its default router is 10.0.0.2, or any number of other options. These affect the way the host configures itself to talk to the network.
DHCP in your VPC is used to automatically assign domain names to your EC2 servers that are generated by Amazon. The domain names will look like ec2-public-ipv4-address.compute-1.amazonaws.com
Route53 is a DNS service for assigning custom domain names that you own to your AWS resources. If you wanted to assign something like myapp.mydomain.com to your EC2 server, you wouldn't be able to accomplish that with DHCP; you would need to use a DNS service like Route53.

Setting up a static IP in AWS Security Group while using Cloudflare

I want to set up a security group that will only allow my static IP to hit an EC2 server, but because I use Cloudflare and it uses some IP/reverse proxy magic, the AWS security group only sees the Cloudflare IP and not my actual static IP. I looked all over and can't find any answer to how to do this. Has anyone figured this out?
You can't do this with security group settings.
Caching proxies like Cloudflare create a separate connection to the origin server, using one of their IP addresses.
You'd need to use those addresses in your security group, and maintain the rules if Cloudflare changes the list. But, the list is public.
https://www.cloudflare.com/ips/
Next, you need to configure your web server to deny requests when the CF-Connecting-IP HTTP header doesn't contain your IP address.
https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-
You have to do both, because if you don't restrict traffic to the Cloudflare IP address ranges with your security group, then traffic from elsewhere (not via Cloudflare) could forge the header containing the IP address.
Having done those two things, you have almost accomplished your objective, but not quite... because Cloudflare caches responses.
So, the next problem is, you also need to disable caching at Cloudflare, because once you fetch a page, it may be in the Cloudflare cache, where someone else might access it.
https://support.cloudflare.com/hc/en-us/articles/200168306-Is-there-a-tutorial-for-PageRules-
Really, for a case where you need to restrict access to a single IP (or a small set), it doesn't usually make a lot of sense to send the traffic through Cloudflare.
You could set up a lambda function that parses the IP file from Cloudflare and updates your security groups dynamically. AWSlabs on github has an example lambda function that does it for CloudFront. Two problems you'll run into are that you'll have to schedule the lambda function to run, since you can't subscribe to a queue like in the example, and possibly running out of security group rules (50 is the limit).
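The two-part check from the first answer (peer must be a Cloudflare edge, then CF-Connecting-IP must match your static IP) and the list-parsing step from the second, as an added example that is not from either answer or from Cloudflare. The CIDR list is a constructed sample of the one-CIDR-per-line format at https://www.cloudflare.com/ips/; the rule dict shape and the header-lookup style are assumptions, and a real deployment fetches the live list.

```python
import ipaddress

# Constructed sample of the one-CIDR-per-line list published by Cloudflare.
# A real deployment fetches the live list instead of hard-coding it.
SAMPLE_CLOUDFLARE_IPS = """\
173.245.48.0/20
103.21.244.0/22
# blank lines and comments are tolerated by the parser

2400:cb00::/32
"""

def parse_cloudflare_ranges(text: str) -> list:
    """Parse the list into IPv4/IPv6 network objects, skipping blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def security_group_rules(nets: list, port: int = 443) -> list:
    """Ingress rules a scheduled job would push into the security group:
    allow `port` only from each Cloudflare range (assumed rule shape)."""
    return [{"proto": "tcp", "port": port, "cidr": str(n)} for n in nets]

def allow_request(peer_ip: str, headers: dict, cf_nets: list, allowed_client_ips: list) -> bool:
    """Origin-side decision. The header is only trustworthy when the TCP peer
    is a Cloudflare edge; a direct connection could carry a forged header."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in n for n in cf_nets):
        return False  # bypassed Cloudflare, so ignore whatever the header says
    client = headers.get("CF-Connecting-IP")  # assumes header names are case-normalized
    if client is None:
        return False
    try:
        allowed = {ipaddress.ip_address(a) for a in allowed_client_ips}
        return ipaddress.ip_address(client) in allowed
    except ValueError:
        return False  # malformed address in header or allowlist
```

Disabling Cloudflare caching, as the answer notes, is still a separate step; this code only decides whether the origin serves a request.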