In Google Cloud Platform, can we use multiple external public IP addresses and map them to the instance's alias IP addresses, both being part of NIC0 of a VM instance behind a GCP external network load balancer? (This way we could publish multiple services, each with a different public-to-private IP mapping, but the Google documentation states that this is not the case.)
https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
Yes, it's possible to use multiple external IPs pointing to a single NIC0 interface, as per:
To assign multiple external IP addresses to a single instance, you can set up multiple forwarding rules to point to a single target instance using protocol forwarding.
Meaning that you would only need to create a pool and a regional forwarding rule.
Keep in mind that external traffic is going to be NATed at some point, so it would look like all requests are hitting your internal IP address directly; for example, external IPs 2.2.2.2, 3.3.3.3 and 4.4.4.4 will be translated into something like 10.128.0.2.
This will only work for the main NIC0 IP.
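The procedure the answer above describes, as an added example that is not part of the original post: one target instance wraps the VM, one regional static address is reserved per service, and one forwarding rule per address points at the same target instance. The project, region, zone, instance name and service ports are assumptions, and the firewall rule assumes the VM carries a network tag equal to its name. The script prints the gcloud commands by default (DRY_RUN=1) and only executes them when DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): publish several reserved
# external IPs that all forward to one VM via protocol forwarding.
# Assumptions (hypothetical): project, region, zone, instance name and ports.
set -eu

PROJECT="${PROJECT:-my-project}"
REGION="${REGION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"
INSTANCE="${INSTANCE:-web-vm}"
DRY_RUN="${DRY_RUN:-1}"   # 1: print the commands; 0: run them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One target instance wraps the VM; every forwarding rule below points at it.
create_target_instance() {
  run gcloud compute target-instances create "${INSTANCE}-ti" \
      --project="$PROJECT" --zone="$ZONE" --instance="$INSTANCE"
}

# For each service: reserve a regional static IP, then create a forwarding
# rule on that IP for the service port, all hitting the same target instance.
# Arguments: name:port pairs, e.g. "web:80 api:8443".
create_forwarding_rules() {
  for svc in "$@"; do
    name="${svc%%:*}"
    port="${svc##*:}"
    run gcloud compute addresses create "${name}-ip" \
        --project="$PROJECT" --region="$REGION"
    run gcloud compute forwarding-rules create "${name}-fr" \
        --project="$PROJECT" --region="$REGION" \
        --address="${name}-ip" --ip-protocol=TCP --ports="$port" \
        --target-instance="${INSTANCE}-ti" --target-instance-zone="$ZONE"
  done
}

# Ingress rule scoped to the VM's network tag (assumed equal to its name)
# and to exactly the published ports, built as tcp:80,tcp:8443,...
create_firewall_rule() {
  allow=$(printf 'tcp:%s,' "$@")
  run gcloud compute firewall-rules create "${INSTANCE}-allow-services" \
      --project="$PROJECT" --network=default --direction=INGRESS \
      --allow="${allow%,}" --target-tags="$INSTANCE"
}

main() {
  create_target_instance
  create_forwarding_rules web:80 api:8443 ssh-bastion:22
  create_firewall_rule 80 8443 22
}
main
```

All forwarding rules must live in the same region as the target instance's zone, and the firewall rule is what actually limits exposure: the forwarding rules only decide which ports on which address are delivered to the VM.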
Related
According to the following GCP public documentation
If you need to allow an SAP support engineer to access your SAP HANA systems on Google Cloud, you can do so using SAProuter. Follow these steps:
Launch the Compute Engine VM instance that the SAProuter software will be installed on, and assign an external IP address so the instance has internet access.
Create a new, static external IP address and then assign this IP address to the instance.
Create and configure a specific SAProuter firewall rule in your network. In this rule, allow only the required inbound and outbound access to the SAP support network, for the SAProuter instance.
Question
Use of external IP addresses is restricted in my environment, so I would like to know if I can use a public load balancer to achieve this.
Context
I have a public load balancer in front of a firewall. How can I use this public load balancer IP to set up my SAP Router in GCP? Is this even possible?
You may want to use Load Balancing forwarding rules to allow your external IP to access your environment.
Internal forwarding rules
Internal forwarding rules forward traffic that originates inside a Google Cloud network. The clients can be in the same Virtual Private Cloud (VPC) network as the backends, or the clients can be in a connected network.
Internal forwarding rules are used by two types of Google Cloud load balancing products:
Internal TCP/UDP Load Balancing
Internal HTTP(S) Load Balancing
External forwarding rules
External forwarding rules accept traffic from client systems that have internet access, including:
A client outside of Google Cloud
A Google Cloud VM with an external IP address
A Google Cloud VM without an external IP address using Cloud NAT or an instance-based NAT system
Adding a forwarding rule
Create the load balancer's forwarding rule
Go to the Load balancing page in the Google Cloud Console.
Click Create load balancer.
Select a load balancer type, including the traffic type and whether the load balancer faces the Internet or is internal only.
Click Continue.
Click Frontend configuration. In the New Frontend IP and port section, make the following changes:
a. Name: FORWARDING_RULE_NAME
b. Subnetwork: SUBNET_OF_YOUR_RESERVED_IP_ADDRESS
c. From Internal IP or from IP Address, select your pre-reserved IP address.
Optionally, you can reserve an IP address now in this UI, or you can use an ephemeral IP address.
d. Select the protocol, port numbers, and IP version.
Only some load balancer types support IPv6.
e. Verify that there is a blue check mark next to Frontend configuration before continuing. Review this step if not.
Click Review and finalize. Double-check your settings.
Click Create.
Using IAP for TCP forwarding
IAP's TCP forwarding feature lets you control who can access administrative services like SSH and RDP on your backends from the public internet. The TCP forwarding feature prevents these services from being openly exposed to the internet. Instead, requests to your services must pass authentication and authorization checks before they get to their target resource.
IAP forwarding Step by Step setup
You can also check links below for your reference.
Forwarding rules overview
Using IAP for TCP forwarding
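The IAP TCP forwarding path mentioned in the answer above, as an added example that is not part of the original post: the VM keeps no external IP, the firewall admits only Google's IAP proxy range (35.235.240.0/20) to the service port, the connecting principal is granted roles/iap.tunnelResourceAccessor, and the client opens the port through an IAP tunnel. The project, zone, instance name, network tag and principal are assumptions; port 3299 is SAProuter's default and is likewise assumed for this VM. Commands are printed by default (DRY_RUN=1).

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): reach a service on a VM with
# no external IP through IAP TCP forwarding instead of an internet-facing
# address. Assumptions (hypothetical): project, zone, VM name and tag; the
# service port 3299 is SAProuter's default and is assumed here.
set -eu

PROJECT="${PROJECT:-my-project}"
ZONE="${ZONE:-europe-west1-b}"
INSTANCE="${INSTANCE:-saprouter-vm}"
PORT="${PORT:-3299}"
# Google's published source range for IAP TCP forwarding; if the firewall
# does not admit it, the tunnel never reaches the VM.
IAP_RANGE="35.235.240.0/20"
DRY_RUN="${DRY_RUN:-1}"   # 1: print the commands; 0: run them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Ingress only from IAP's range to the service port, scoped by network tag,
# so the port is never reachable from arbitrary internet sources.
allow_iap_ingress() {
  run gcloud compute firewall-rules create "allow-iap-${INSTANCE}" \
      --project="$PROJECT" --network=default --direction=INGRESS \
      --source-ranges="$IAP_RANGE" --allow="tcp:$PORT" \
      --target-tags="$INSTANCE"
}

# Only principals holding tunnelResourceAccessor may open a tunnel to the VM.
# Argument: an IAM member such as user:alice@example.com (assumed).
grant_tunnel_access() {
  run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member="$1" --role=roles/iap.tunnelResourceAccessor
}

# Client side: bind the VM's port on localhost through IAP; the client then
# connects to localhost:$PORT as if it were the VM.
open_tunnel() {
  run gcloud compute start-iap-tunnel "$INSTANCE" "$PORT" \
      --project="$PROJECT" --zone="$ZONE" \
      --local-host-port="localhost:$PORT"
}

main() {
  allow_iap_ingress
  grant_tunnel_access "user:support-engineer@example.com"
  open_tunnel
}
main
```

The tunnel is authenticated by the caller's Google identity and authorized by the IAM binding, so access is controlled per principal rather than per source IP; the firewall rule is still required because IAP's proxies are the packets' source as seen by the VPC.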
I want to use Google Cloud instance as the VPN server with multiple external IP addresses.
What is the maximum number of external IPs I can use for one Google Cloud instance? (In the documentation it is mentioned that "The maximum number of network interfaces per instance is 8", but I'm not sure whether this means I have a limit of 8 IPs per instance or 8 subnets with lots of IPs.)
Also, this is probably the dumbest question (I'm totally new to the cloud computing area), but if, for example, one external IP of the instance is 1.1.1.1, does it mean I can connect to the instance from the internet by this IP, and also that if some software runs on the instance and connects to another server, it will show in the log that the connection was from 1.1.1.1?
A compute engine can have multiple network interfaces. Each network interface can have BOTH an internal and external IP address. This means that if there is limit of 8 network interfaces, you can only have 8 external IP addresses.
(Source: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address)
It is my understanding that if you have an internal IP address associated with a network interface of a Compute Engine instance (say 1.1.1.1) and then associate that interface with an external IP address, then any traffic arriving at the Compute Engine instance through the external IP address will appear (to the Compute Engine instance) as though it had been sent to the internal IP address.
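The multi-NIC arrangement the answer above describes, as an added example that is not part of the original post: one regional static external IP is reserved per interface and the VM is created with one --network-interface flag per NIC. A validation step enforces the two constraints that apply here, at most 8 interfaces and a distinct VPC network per interface. The project, zone, instance name and the network/subnet names are assumptions. Commands are printed by default (DRY_RUN=1).

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): create a VM with several
# network interfaces, each carrying its own reserved external IP. Every NIC
# must sit in a different VPC network, and the interface count is capped at 8.
# Assumptions (hypothetical): project, zone and the network/subnet names.
set -eu

PROJECT="${PROJECT:-my-project}"
ZONE="${ZONE:-us-central1-a}"
REGION="${ZONE%-*}"            # us-central1-a -> us-central1
INSTANCE="${INSTANCE:-vpn-vm}"
MAX_NICS=8
DRY_RUN="${DRY_RUN:-1}"        # 1: print the commands; 0: run them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Arguments: network:subnet pairs, e.g. "vpc-a:sub-a vpc-b:sub-b".
# Fails if more than MAX_NICS are given or a network is repeated.
validate_nic_specs() {
  [ "$#" -le "$MAX_NICS" ] || { echo "too many interfaces: $#" >&2; return 1; }
  nets=""
  for spec in "$@"; do
    net="${spec%%:*}"
    case " $nets " in
      *" $net "*) echo "network $net used twice" >&2; return 1 ;;
    esac
    nets="$nets $net"
  done
}

# Reserve one regional static external IP per interface.
reserve_addresses() {
  for spec in "$@"; do
    run gcloud compute addresses create "${INSTANCE}-${spec%%:*}-ip" \
        --project="$PROJECT" --region="$REGION"
  done
}

# Build one --network-interface flag per NIC, each bound to its reserved
# address, and create the instance. --can-ip-forward is set because a VPN
# server routes traffic on behalf of other hosts.
create_multi_nic_instance() {
  validate_nic_specs "$@"
  args=""
  for spec in "$@"; do
    net="${spec%%:*}"; sub="${spec##*:}"
    args="$args --network-interface=network=$net,subnet=$sub,address=${INSTANCE}-${net}-ip"
  done
  # $args is intentionally unquoted: it holds several separate flags.
  run gcloud compute instances create "$INSTANCE" \
      --project="$PROJECT" --zone="$ZONE" --can-ip-forward $args
}

main() {
  reserve_addresses vpc-a:sub-a vpc-b:sub-b
  create_multi_nic_instance vpc-a:sub-a vpc-b:sub-b
}
main
```

The guest OS only installs a default route on the first interface, so a VPN server that must answer on the other NICs' external IPs also needs per-interface policy routing inside the guest; that part is OS configuration rather than gcloud and is not shown here.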
I have few virtual machines on the cloud of Google.
My virtual machine runs an application that connects to a database server. The database server is protected with two types of authentication:
Password
IP addresses white-list
My problem is with the IP address. I need to define the allowed IPs manually on my database in order to allow them to connect. Since I am not controlling the external IP addresses (they change dynamically), I am looking for another solution.
I found this script to get the whole range of Google IPs. But as the script writer said, this range of IPs is changing with high frequency, which is a big problem: I can't trust this kind of solution.
It sounds like I am facing a common problem. What to do?
You could, in a simpler way, use private IP in your Cloud SQL.
This way your instances will be using their internal IP and not the external IP, and since you should have defined a VPC, you have full control over the range you should allow.
In addition, please note you get the following benefits using private IP to connect to Cloud SQL:
Lower network latency: Private IP provides lower latency than public IP.
Improved network security: Private services access traffic is never exposed to the public Internet.
Plus, you can follow these steps to configure private IP connectivity in your Cloud SQL instances, along with VPC firewall rules and network tags in order to allow/deny specific traffic in/out of your GCP project and VM instances.
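The private-IP setup the answer above recommends, as an added example that is not part of the original post: the required APIs are enabled, an internal range is reserved for private services access, the VPC is peered with the Service Networking producer, the Cloud SQL instance is created with --no-assign-ip so it has no public address at all, and an egress firewall rule limits which tagged VMs may reach the database range. The project, region, network, instance name, reserved range, database engine and tier are assumptions. Commands are printed by default (DRY_RUN=1).

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): give a Cloud SQL instance a
# private IP reachable only from the VPC, so application VMs connect over
# internal addresses and no public allow-list of changing external IPs is needed.
# Assumptions (hypothetical): project, region, network, names, range and engine.
set -eu

PROJECT="${PROJECT:-my-project}"
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-default}"
SQL_INSTANCE="${SQL_INSTANCE:-app-db}"
PSA_RANGE_NAME="google-managed-services-${NETWORK}"
PSA_RANGE_IP="10.64.0.0"       # constructed: /16 reserved for Google-managed services
PSA_RANGE_LEN=16
DB_PORT=5432                   # PostgreSQL; assumed engine below
DRY_RUN="${DRY_RUN:-1}"        # 1: print the commands; 0: run them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 0. Service Networking and the SQL Admin API must both be enabled.
enable_apis() {
  run gcloud services enable servicenetworking.googleapis.com sqladmin.googleapis.com \
      --project="$PROJECT"
}

# 1. Reserve an internal range for private services access (VPC peering).
reserve_psa_range() {
  run gcloud compute addresses create "$PSA_RANGE_NAME" \
      --project="$PROJECT" --global --purpose=VPC_PEERING \
      --addresses="$PSA_RANGE_IP" --prefix-length="$PSA_RANGE_LEN" \
      --network="$NETWORK"
}

# 2. Peer the VPC with the Service Networking producer using that range.
connect_service_networking() {
  run gcloud services vpc-peerings connect \
      --project="$PROJECT" --service=servicenetworking.googleapis.com \
      --ranges="$PSA_RANGE_NAME" --network="$NETWORK"
}

# 3. Create the instance with a private IP only; --no-assign-ip means there
#    is no public address to protect with an IP allow-list in the first place.
create_private_sql() {
  run gcloud sql instances create "$SQL_INSTANCE" \
      --project="$PROJECT" --region="$REGION" \
      --database-version=POSTGRES_15 --tier=db-custom-2-7680 \
      --network="projects/${PROJECT}/global/networks/${NETWORK}" --no-assign-ip
}

# 4. Egress firewall: only VMs tagged app-server may open the database port
#    towards the reserved range (pair with a lower-priority deny for the rest).
allow_db_egress() {
  run gcloud compute firewall-rules create allow-app-to-db \
      --project="$PROJECT" --network="$NETWORK" --direction=EGRESS \
      --destination-ranges="${PSA_RANGE_IP}/${PSA_RANGE_LEN}" \
      --allow="tcp:${DB_PORT}" --target-tags=app-server --priority=900
}

main() {
  enable_apis
  reserve_psa_range
  connect_service_networking
  create_private_sql
  allow_db_egress
}
main
```

The instance's private address comes out of the reserved range, so the egress rule can name that range rather than a single IP; an existing instance can be moved the same way with gcloud sql instances patch using the same --network and --no-assign-ip flags.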
Every time I destroy my compute instance and create a new one, the same ephemeral external IP address is assigned. I haven't used a static IP, but always the same set of IP addresses is being assigned. How do I get a completely random external IP on my instances?
P.S. I use default network interface which is already there in the cloud console.
If an instance is stopped, any ephemeral external IP addresses assigned to the instance are released back into the general Compute Engine pool and become available for use by other projects. When a stopped instance is started again, a new ephemeral external IP address is assigned to the instance. There is no guarantee that you will get a specific IP every time or will get completely different IP address always. You may get the same IP or even could get a completely new IP from the pool. You can find detail at this link.
If your use case is to assign multiple external IP addresses to a single instance, you can set up multiple forwarding rules to point to a single target instance using protocol forwarding.
I'm using AWS EC2 instances as web servers.
There are more than 20 web servers and they have to connect to some external services. Those external services have IP-based security rules. Because of this I have to use only one or two public IP addresses to connect to those services.
How can I route outgoing traffic to use only one public IP address?
Yes, you could use a NAT instance for that.
Just make sure your instance is large enough to accommodate the desired throughput.
See: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
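The NAT-instance approach the answer above points to, as an added example that is not part of the original post: on the operator side, an Elastic IP is attached to the NAT instance, its source/destination check is disabled, and the private route table's default route is pointed at it; on the NAT instance itself, IP forwarding is enabled and iptables masquerades only traffic sourced from the VPC CIDR, so the box cannot be used as an open relay. The instance, route table and allocation IDs, the VPC CIDR and the interface name are assumptions. Commands are printed by default (DRY_RUN=1).

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): make one EC2 instance the
# single egress point for a private subnet, so every web server leaves AWS
# from the NAT instance's Elastic IP. Assumptions (hypothetical): the IDs,
# CIDR and interface name below. The aws cli part runs from an operator
# machine; the sysctl/iptables part runs on the NAT instance.
set -eu

NAT_INSTANCE_ID="${NAT_INSTANCE_ID:-i-0123456789abcdef0}"
PRIVATE_RTB_ID="${PRIVATE_RTB_ID:-rtb-0123456789abcdef0}"
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"
PUBLIC_IF="${PUBLIC_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"   # 1: print the commands; 0: run them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Operator side: pin a stable public address to the NAT instance. The
# allocation id argument is assumed; in a live run take it from the
# allocate-address output.
attach_elastic_ip() {
  run aws ec2 allocate-address --domain vpc
  run aws ec2 associate-address --instance-id "$NAT_INSTANCE_ID" --allocation-id "$1"
}

# Without this, EC2 drops packets whose source or destination is not the
# instance's own address, which is exactly what forwarded traffic looks like.
disable_source_dest_check() {
  run aws ec2 modify-instance-attribute --instance-id "$NAT_INSTANCE_ID" --no-source-dest-check
}

# Default route of the private subnet's table goes via the NAT instance.
route_private_subnet_via_nat() {
  run aws ec2 create-route --route-table-id "$PRIVATE_RTB_ID" \
      --destination-cidr-block 0.0.0.0/0 --instance-id "$NAT_INSTANCE_ID"
}

# NAT instance side: forward and masquerade only traffic sourced from the VPC;
# everything else hitting FORWARD is dropped by policy.
configure_nat_kernel() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -o "$PUBLIC_IF" -s "$VPC_CIDR" -j MASQUERADE
  run iptables -A FORWARD -i "$PUBLIC_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  run iptables -A FORWARD -s "$VPC_CIDR" -o "$PUBLIC_IF" -j ACCEPT
  run iptables -P FORWARD DROP
}

main() {
  attach_elastic_ip "eipalloc-0123456789abcdef0"
  disable_source_dest_check
  route_private_subnet_via_nat
  configure_nat_kernel
}
main
```

The external services then see only the Elastic IP, which survives stops and starts of the NAT instance; the instance is a single point of failure and a throughput bottleneck, which is the sizing concern the answer raises.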