Use Cloudflare Authenticated Origin Pull with GCP Cloud Run - google-cloud-platform

I'm wanting to put Cloudflare in front of my API hosted on Cloud Run. I'd like to ensure my Cloud Run app only accepts connections from Cloudflare (to avoid bypassing DDoS mitigation + rate limiting in Cloudflare).
Is there any way to use Cloudflare's Authenticated Origin Pulls with Cloud Run?
Other solutions that achieve the same effect are welcome too - however the key is I don't want traffic from non-Cloudflare sources to trigger a Cloud Run invocation (otherwise a DDoS could result in billing spike). Thus, filtering traffic inside the Cloud Run app is too late, an invocation has already occurred.
Seems like there may be a way to add on HTTPS Load Balancer + Cloud Armor to do IP whitelisting and only allow requests originating from Cloudflare's IPs...but I'd rather not start tacking on two other services and add $$ just to achieve this.

Google Cloud Run supports two authorization mechanisms: unauthenticated (anyone/public) and OAuth Client ID. Cloudflare's Origin Pulls use TLS certificates, which means your Cloud Run application would need to verify the certificate as Google's Frontends do not support this. This would not accomplish your goal of preventing unauthorized invocations of Cloud Run.
In summary, unless your service is using OAuth Client IDs for authorization, there is no method to prevent Cloud Run service invocations except by limiting the maximum number of instances. If you have configured unauthenticated access, anyone calling your service endpoint will succeed in invoking your service or executing an overlapped request.

Related

Securing traffic from AWS CloudFront to Azure App Gateway

Please can someone advise if what I'm trying to do is possible. Apologies, I know a lot more about AWS than Azure, and I can't find any guidance online or bypass the issue by setting up services and 'giving it a go'.
I want to send SSL-secured subdomain traffic from AWS where our primary domain is hosted to Azure where some dependent services and resources are hosted. We want to use AWS ACM for SSL management/renewals, removing any dependency on third parties or Azure for this if at all possible.
I am able to set up a CloudFront distribution with an origin of an Azure Storage Account endpoint:
xxx.blob.core.windows.net
With an alternate domain name of a subdomain of the desired URL:
xxx.xxx.co.uk
I can secure this with a wildcard ACM SSL, and the resultant images are all secure.
I have also set up a static web app, applied a custom domain to it of:
xxx.xxx.co.uk
And with the appropriate DNS/CF I can make traffic to that Azure SWA secure.
Is it possible to do the same with Azure App Gateway? All the things that I've tried or the developers working in Azure (a third party) have tried do not work, we end up with mostly 502 errors depending on the configuration. Depending on the CF/DNS configuration, I can get through to the correct resources/services by bypassing an SSL warning.
Would adding a port 80/non-https listener for our subdomain on the App Gateway work?

Google Cloud Load Balancer Cloud Run Developer Access

I have a Google Cloud Run Service that can be accessed either by the Cloud Run URL or by a custom domain via a Load Balancer in Google Cloud.
Now I am trying to set up some kind of access control, so that the Service which runs the Development Stage can only be accessed by logged-in developers.
So far I tried to set the Trigger Configuration of the Cloud Run Service to authentication required. That works for the base Cloud Run URL, but on adding a path to the base URL I get a Forbidden error, even though I can access the base URL. And accessing the Service via the Load Balancer always gives a Forbidden.
Is there a way to make the Cloud Run Service accessible (including different paths) only to logged-in developers?
And also, is there a way to make the Service only accessible by the Load Balancer URL and not the Cloud Run URL?
Once you require authentication, all requests need to include a token authorized to access the service via any endpoint. You can check out more information here: https://cloud.google.com/run/docs/authenticating/developers
There's also a tool in the gcloud CLI for Cloud Run to make this process easier. If you try gcloud beta run services proxy [your-service], the service will be proxied to localhost, with your identity token included by default.
For restricting access only via the Load Balancing URL, there's an ingress setting (also settable under the 'triggers' tab). This can be set to 'internal and cloud load balancing'.
You can find more info here: https://cloud.google.com/run/docs/securing/ingress
"Authentication required" for a Cloud Run service really means "Token required". It checks that the right token is attached to the request, but it's up to you how to add that token. Because of that I think it's mostly useful for machine-to-machine communication. It doesn't provide a log-in user interface or client-side code that attaches tokens to users' requests.
If you do want that, Identity Aware Proxy can provide it.

How do I restrict GCP load balancer access by domain, domain's IP or GKE ingress IP?

I have assets in a Google Cloud Storage bucket. I created a subdomain (aaa.bbb.com) and a load balancer using that subdomain to point to that bucket (e.g. aaa.bbb.com/image-to-read.png). I also have an application using Google Kubernetes Engine. The goal is to make sure all users are blocked except that application on GKE. And all the GKE application is doing is reading the URL of the assets to display them. How do I achieve that?
Things I've tried:
Setting GCS cors for the bucket
It turns out this only restricts by domain if people are signed into Google with the domain.
Workload Identity
This has just not worked for me. I also have an API service in the same GKE cluster that uses this and I'm able to upload fine with it. However, using a plain <img /> tag with the source as the GCS bucket ignores the Workload Identity as far as I can tell.
Cloud Armor
This seems the most promising. I have successfully restricted by IP address but, unfortunately, the only IP address I'm able to restrict by is my actual local computer. I believe that means the request headers are sending my computer's IP address to the load balancer. But what I am trying to do is restrict access by the application's load balancer IP address or even by the origin domain (preferred).
What I'm asking is probably a basic networking question, but I'm no wiz at all the devops/infrastructure concepts so any help would be appreciated. Thanks!
You have two options:
Cloud Storage authorization
Deploy an HTTP(S) Load Balancer + Cloud Armor.
I am not sure what you mean by GKE ingress IP.
The simplest is to add Authorization in your GKE application when accessing Cloud Storage.
Authorization:
Service Account OAuth Access Token
Signed URLs.
Both methods are easy to implement.
Note: Workload Identity Federation also generates service account OAuth access tokens. Use that method if you need to federate credentials from one OAuth Authority to Google. However, for a GKE application, Signed URLs or service account OAuth access tokens are probably the correct solution.
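The Signed URL option from the answer above, as an added example that is not part of the original thread: it builds a Cloud Storage V4 signed URL for an object such as image-to-read.png so a plain `<img>` tag can load it without making the bucket public. The bucket name, service account e-mail, timestamp and `demo_signer` are constructed for the demo; the RSA signing step is left to a caller-supplied signer.

```python
"""Cloud Storage V4 signed URL construction (added example, not code from the thread).

The RSA step is injected as a callable so the construction runs offline; in production
pass a signer doing RSA-SHA256 (PKCS#1 v1.5) with the service account key (e.g. `cryptography`).
"""
import hashlib
from datetime import datetime, timezone
from typing import Callable
from urllib.parse import quote

HOST = "storage.googleapis.com"
ALGORITHM = "GOOG4-RSA-SHA256"
FIXED_WHEN = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp for the demo


def build_string_to_sign(bucket, obj, sa_email, when, expires_s, method="GET"):
    """Return (string_to_sign, path, canonical_query) for a V4 signed request."""
    stamp = when.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{when.strftime('%Y%m%d')}/auto/storage/goog4_request"  # 'auto' is valid for GCS
    params = {
        "X-Goog-Algorithm": ALGORITHM,
        "X-Goog-Credential": f"{sa_email}/{scope}",
        "X-Goog-Date": stamp,
        "X-Goog-Expires": str(expires_s),  # lifetime in seconds (max 7 days)
        "X-Goog-SignedHeaders": "host",
    }
    # Query parameters are percent-encoded and sorted by name; the expiry is signed too.
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    path = f"/{bucket}/{quote(obj, safe='/~')}"
    # Canonical request: verb, path, query, headers, blank line, signed headers, payload.
    canonical = "\n".join([method, path, query, f"host:{HOST}", "", "host", "UNSIGNED-PAYLOAD"])
    digest = hashlib.sha256(canonical.encode()).hexdigest()
    return "\n".join([ALGORITHM, stamp, scope, digest]), path, query


def signed_url(bucket, obj, sa_email, signer: Callable[[bytes], bytes], when=None, expires_s=600):
    """Anyone holding the URL can read the object until it expires, so keep lifetimes short."""
    when = when or datetime.now(timezone.utc)
    sts, path, query = build_string_to_sign(bucket, obj, sa_email, when, expires_s)
    return f"https://{HOST}{path}?{query}&X-Goog-Signature={signer(sts.encode()).hex()}"


def demo_signer(data: bytes) -> bytes:
    """Constructed stand-in for RSA signing: NOT a valid signature, offline demo only."""
    return hashlib.sha256(data).digest()


if __name__ == "__main__":
    print(signed_url("aaa-bbb-assets", "image-to-read.png",
                     "sa@example-project.iam.gserviceaccount.com", demo_signer, FIXED_WHEN))
```

The google-cloud-storage client does the same through `Blob.generate_signed_url(version="v4", ...)`; the manual form shows exactly what gets signed, including the host and the expiry.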

Restricting access to public Cloud Run endpoints

I'm running a backend app with several endpoints on Cloud Run (fully managed). My endpoints are publicly available by their nature, so I don't want to authenticate users through my client app hosted on Netlify.
What I do need is to restrict access to my endpoints so that other applications or malicious users can't abuse it. It is not about scaling, I just don't want to exceed the Free Tier limits since it is a demo of an opensource application.
I've already set the concurrency and max instance limits to minimum but this alone is not enough. There is also a product named Google Cloud Armor but it seems an expensive one, not free.
I was expecting to have a simple built-in solution for this but couldn't find it.
What other solutions do I have? How can I block the traffic coming out of my website on Netlify?
You don't have a lot of solutions:
You don't want to authenticate your users -> so you need to rely on the technical layers
Netlify is a serverless hosting platform, you don't manage servers/IPs -> so you need to rely on the host name
To filter on the host name, you can use 2 products:
External HTTPS only (about $15 per month) with URL path matching.
Default URL lands on a dummy service
Only requests where the host matches your Netlify host name are redirected to your backend
Use Cloud Armor on top of External HTTPS load balancer ($15 + Cloud Armor policy x traffic volume). This time, the load balancer redirects the default URL to the correct backend and Cloud Armor checks the request origin.
The problem is that this weak solution is easy to bypass. Perform a simple curl with the host as a header, and the HTTPS Load Balancer and Cloud Armor think it is the correct origin:
curl -H 'Host: myNetlifyHost.com' ....
The highest protection is authentication. Google Cloud itself says: "Don't trust the network".

Can I use Google Cloud Endpoints with external services

I'm new to the GCP Services, and I'm trying to make an API Gateway to proxy two services, one is run on an App Engine and the other is actually a PaaS.
Can I configure Cloud Endpoints to redirect to that PaaS, and how? And if not, what service in GCP suits this case?
Edit:
An example of what I'm trying to do is if my domain is test.com then I'd like app.test.com to be redirected to my App Engine and ip.test.com would be directed for example to https://httpbin.org/ip.
I wrote an article on this for securing the endpoint. Set the value that you want in the x-google-backend.
I also provide some tips about the URL rewriting if you want.
EDIT 1
If you want to perform this routing
app.test.com -> App Engine
ip.test.com -> External service
You need to use an HTTPS Load Balancer and not API Gateway.
Then,
Create a serverless NEG and configure it with App Engine
Create an Internet NEG and configure it to reach your internet-accessible PaaS service
Create a URL map with the correct routing
That's all (wait 3 - 5 minutes, the delay to dispatch your configuration around the globe.)
Yes, you can run an Extensible Service Proxy in front of your non-GCP backend service so that Cloud Endpoints can proxy requests to it.
Docs: https://cloud.google.com/endpoints/docs/openapi/running-esp-localdev