Multiple IPs on a single GCE instance - google-cloud-platform

I want to have a VM with multiple internal IPs each with a one-to-one relation to external IP address on a single network interface.
I need to be able to initiate requests from that VM (single process) but need different requests to use different external IPs.
E.g.
10.146.0.3 <> 35.215.6.3
10.146.0.4 <> 35.215.6.6
10.146.0.5 <> 35.215.6.8
I managed to add multiple IPs to a single interface using alias IP ranges but can't find a way to map those extra internal IPs to external IPs.
This can be done quite easily on AWS (took me about 5-10 minutes) as shown here, but after two full days of looking around, I still can't find a way to do this on GCP.
I am not looking for load balancing functionality or for any inbound-connection related functionality (my VM acts as an HTTP client, not a server, so I only care about outbound connections). Also, if possible, I want to avoid multiple network interfaces, as they are limited to 1 per vCPU and therefore don't scale well cost-wise (plus all the hassle of having to create new VPCs).
Related questions (which don't quite solve my problem):
How do I setup 1 to 1 NAT in google cloud?
Multiple IP addresses on a single Google Compute Engine instance
How to assign multiple outgoing IPs addresses to a single instance on GCE?
For testing, I am using the following command:
curl -w '\n%{local_ip}\n' --interface <internal_ip> ifconfig.co
Which returns the external IP followed by the internal IP:
52.196.168.76
172.31.24.253
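Added example, not from the post: a small script that runs the question's curl test for every internal/external pair and reports which internal IPs egress through the expected address. The pairs are the constructed ones quoted in the question; the parsing and comparison helpers are the author's own assumptions, not part of any GCP tooling.

```shell
# Added example: verify the internal -> external mapping with curl --interface.
# EXPECTED_MAP is constructed from the pairs quoted in the question.
set -e

EXPECTED_MAP='10.146.0.3 35.215.6.3
10.146.0.4 35.215.6.6
10.146.0.5 35.215.6.8'

# Turn the two-line curl output ("<external>" then "<internal>") into one
# "external internal" line; fails if either line is missing.
parse_curl_output() {
    ext=$(printf '%s\n' "$1" | sed -n '1p')
    int=$(printf '%s\n' "$1" | sed -n '2p')
    [ -n "$ext" ] && [ -n "$int" ] || return 1
    printf '%s %s\n' "$ext" "$int"
}

# Compare the external IP observed for an internal IP with the map.
# $1: internal IP, $2: observed external IP, $3: map. Returns 1 on mismatch.
check_pair() {
    want=$(printf '%s\n' "$3" | awk -v ip="$1" '$1 == ip { print $2 }')
    if [ -n "$want" ] && [ "$want" = "$2" ]; then
        printf 'OK %s -> %s\n' "$1" "$2"
        return 0
    fi
    printf 'MISMATCH %s -> %s (expected %s)\n' "$1" "$2" "${want:-unmapped}"
    return 1
}

# Loop over the map; a curl failure usually means --interface could not bind
# the address (it is not configured on the host), so report it and go on.
verify_mapping() {
    rc=0
    for int in $(printf '%s\n' "$EXPECTED_MAP" | awk '{ print $1 }'); do
        if ! out=$(curl -s -m 10 -w '\n%{local_ip}\n' --interface "$int" ifconfig.co); then
            printf 'ERROR %s: curl could not bind or connect\n' "$int"; rc=1; continue
        fi
        if ! parsed=$(parse_curl_output "$out"); then
            printf 'ERROR %s: unexpected curl output\n' "$int"; rc=1; continue
        fi
        check_pair "$int" "${parsed%% *}" "$EXPECTED_MAP" || rc=1
    done
    return $rc
}

# Only run the live check when asked, e.g. `sh check-egress.sh live`.
if [ "${1:-}" = "live" ]; then verify_mapping; fi
```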

It's possible to add multiple external static IP addresses to a VM instance. Each VM instance can have up to eight network interfaces and you can assign a static external IP to the added interfaces.
However, it is not possible to add the same NIC more than once to the same VM instance, and the subnetwork IP ranges of the added NICs cannot overlap. Each internal IP range has to be different.
You may consider using a VM appliance with multiple external IP addresses, which is useful for traffic separation as you intend to do.

Related

Assigning new IP to a VM each time

On GCP, I want to change the external IP address of my VM instance several times a day, and in my project the VM needs to be assigned a new IP address each time. However, regardless of using ephemeral or static IPs, when I try to change the IP, there are only 3 or 4 different IP addresses. After 4 changes, the loop goes back to the start, so an IP that was assigned to the VM before is assigned to it again.
Is there a way to assign a new IP address to VM each time?
In this scenario you can use protocol forwarding in order to assign multiple/different external IP addresses to a VM instance. Then, when traffic is sent to an external IP address that is served by a forwarding rule, the forwarding rule directs that traffic to the corresponding target pool or target instances.
As per the documentation, you can create up to 50 forwarding rule objects per project.
I think (don't know) that this isn't possible.
You are being loaned public IPs from Google's pool and, technically these are assigned randomly (you won't always get these IPs) but, over the timeframe you've monitored, you detect there's a pattern and the behavior is insufficient for your needs.
It's unclear why you need random IPs -- I assume random DNS naming won't suffice for your use-case -- you may want to submit a feature request to Google's Issue Tracker
Given that you detect a period of 3-4 IPs, you could temporarily hold these on VM interfaces and, once you obtain a different IP for your app, you could release the others?

Should I disable EC2 to access external network to improve safety?

I want to use Kubernetes on some clouds (maybe Amazon, Google, etc). Should I disallow my EC2 machines from accessing the external network? My guess is as follows, and I wonder whether it is correct or wrong?
I should disallow EC2 from accessing the external network. Otherwise, hackers can attack my machines more easily. (true?)
How to do it: I should use a dedicated load balancer (maybe Ingress) with the external IP that my domain name is bound to. The load balancer will then talk with my actual application (which has no external IP and can only access internal network). (true?)
Sorry I am new to Ops, and thanks for any help!
Allowing or disallowing your EC2 instances from accessing external networks, i.e. keeping the rule that allows all outgoing traffic in your security group, won't be of much use in keeping hackers out; that's what the incoming traffic rules are for. It will, however, prevent unwanted traffic from going out after the hacker has reached your instance, has been able to install whatever malicious software on it, and then tries to initiate outgoing communication.
That outgoing traffic rule is usually kept to allow things like getting software installs and updates, but it won't affect how your instances respond to incoming requests (legitimate or not).
It is a good idea to have a load balancer in front of your instances and have it be the only allowed point of entry to your services. It's a good pattern to follow, and your instances will not need to have an external IP address.
Having a bastion host is a good idea as well; use it to manage the instances themselves. I would also recommend Systems Manager's Session Manager for this task.
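Added example, not from the answer: the security-group shape the answer recommends, expressed as AWS CLI calls. The instance group accepts the app port only from the load balancer's group, and the default allow-all egress rule is replaced by HTTPS-only egress so package updates still work while a compromised instance cannot reach arbitrary hosts on other ports. The group ids and port are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
# Added example: instance security group reachable only via the LB group,
# with egress narrowed from allow-all to HTTPS. Ids below are placeholders.
set -e

INSTANCE_SG="${INSTANCE_SG:-sg-0123instance}"   # assumed: app instances' group
LB_SG="${LB_SG:-sg-0123loadbalancer}"           # assumed: load balancer's group
APP_PORT="${APP_PORT:-80}"                      # port the LB forwards to
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the aws commands instead of running them

# Runs a command, or prints it when DRY_RUN=1 so the steps can be reviewed.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Ingress: only members of the LB group may reach the app port. Nothing is
# opened to 0.0.0.0/0, so the instances need no public IP at all.
allow_ingress_from_lb() {
    run aws ec2 authorize-security-group-ingress --group-id "$INSTANCE_SG" \
        --protocol tcp --port "$APP_PORT" --source-group "$LB_SG"
}

# Egress: a new group ships with an allow-all outbound rule. Revoke it and
# allow only TCP/443, which is what package mirrors and most update paths use.
restrict_egress() {
    run aws ec2 revoke-security-group-egress --group-id "$INSTANCE_SG" \
        --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
    run aws ec2 authorize-security-group-egress --group-id "$INSTANCE_SG" \
        --ip-permissions '[{"IpProtocol":"tcp","FromPort":443,"ToPort":443,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
}

# Apply both steps only when invoked as `sh harden-sg.sh apply`.
if [ "${1:-}" = "apply" ]; then
    allow_ingress_from_lb
    restrict_egress
fi
```

If the instances also need DNS or an internal package repository, add those specific egress rules rather than restoring the allow-all rule.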

Rotating IP on Google Cloud

I have one instance on Google Cloud Compute engine. By default, it has 1 ephemeral external IP address.
I need to constantly change this external IP, ideally every 1-2 minutes.
Is there any way to make this "IP rotation" by running some code?
Also, once the new IP is assigned, is there any way to get this IP from the code in the previous question and save it in an external DB?
Update: Use case is to provide back-connect IP proxy server with IP rotation
This likely can be accomplished with add-access-config. As the documentation reads:
gcloud compute instances add-access-config is used to create access configurations for network interfaces of Google Compute Engine virtual machines. This allows you to assign a public, external IP to a virtual machine.
This lists external IP addresses (and indicates if they're currently assigned):
gcloud compute addresses list | grep external
Adding all IP addresses to a NIC and then rotating the address of a service might be less disruptive.
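Added example, not from the answer: a script that rotates the VM's external IP through a pool of reserved static addresses using the add-access-config command quoted above (plus its delete-access-config counterpart), then reads back the attached address and records it, which covers the second part of the question. INSTANCE, ZONE, the access-config name and the log file are assumptions; the pool is every static address reserved in the instance's region.

```shell
# Added example: round-robin the external IP over the region's static
# addresses and record each rotation. Names below are placeholders.
set -e

INSTANCE="${INSTANCE:-rotating-vm}"            # assumed instance name
ZONE="${ZONE:-us-central1-a}"                  # assumed zone
REGION="${ZONE%-*}"                            # region derived from the zone
ACCESS_NAME="${ACCESS_NAME:-external-nat}"     # must match the NIC's existing config
RECORD_FILE="${RECORD_FILE:-ip-rotation.log}"  # stand-in for the external DB

# Round-robin: the address after $2 in the newline-separated pool $1, the
# first address if $2 is empty or unknown, exit status 1 if the pool is empty.
next_in_pool() {
    printf '%s\n' "$1" | awk -v cur="$2" '
        NF { a[n++] = $1 }
        END {
            if (n == 0) exit 1
            for (i = 0; i < n; i++) if (a[i] == cur) { print a[(i + 1) % n]; exit }
            print a[0]
        }'
}

# All static addresses reserved in the instance's region (one per line).
address_pool() {
    gcloud compute addresses list --regions="$REGION" --format='value(address)'
}

# External IP currently attached to nic0, empty if the VM has none.
current_external_ip() {
    gcloud compute instances describe "$INSTANCE" --zone="$ZONE" \
        --format='value(networkInterfaces[0].accessConfigs[0].natIP)'
}

# Detach the current access config, attach the next address, record the result.
rotate_ip() {
    cur=$(current_external_ip)
    next=$(next_in_pool "$(address_pool)" "$cur") || { echo "address pool is empty" >&2; return 1; }
    if [ -n "$cur" ]; then
        gcloud compute instances delete-access-config "$INSTANCE" --zone="$ZONE" \
            --network-interface=nic0 --access-config-name="$ACCESS_NAME"
    fi
    gcloud compute instances add-access-config "$INSTANCE" --zone="$ZONE" \
        --network-interface=nic0 --access-config-name="$ACCESS_NAME" --address="$next"
    now=$(current_external_ip)
    # One line per rotation; swap this for an INSERT into your database.
    printf '%s %s -> %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${cur:-none}" "$now" >> "$RECORD_FILE"
    printf '%s\n' "$now"
}

# Rotate only when invoked as `sh rotate-ip.sh rotate`; sourcing has no side effects.
if [ "${1:-}" = "rotate" ]; then rotate_ip; fi
```

Every address in the pool should belong to this instance only, since the listing does not exclude static addresses in use elsewhere.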

How to add extra private IP's to a GCP instance?

I want to add multiple routable IP addresses to an Ubuntu 14.04 GCP instance. What is the simplest method for achieving this?
Note: External IP addresses are disabled on my GCP instances.
Correct me if I am wrong, but the solution described in this post that uses gcloud routes seems to change the network and firewall configuration to add extra IP addresses to instances. I am looking for a different solution.
I would like to add IP addresses to instances without changing the networks or firewalls of a GCP project at all.
I would like to add random available IP addresses on the current network of a GCP instance and avoid manually assigning an IP address or IP address range to my instances.
I am really looking for a solution that is similar to OpenStack's nova add-fixed-ip command, which does just this. You can find a description of nova add-fixed-ip here: https://ask.openstack.org/en/question/65198/how-to-assign-static-private-ip-address-to-a-running-guest-vm/

Multiple server applications, one public IP on Amazon EC2

I have a single Windows Amazon EC2 instance and one public IP. The instance is running multiple web server EXEs which all sit on port 80. I want to have different domain names which I want to point to each server. On my old dedicated server I achieved this simply by having different public IPs, but with Amazon EC2 I want to keep to just one public IP.
I am not using IIS, Apache, etc. otherwise life would be a lot simpler (I would simply bind hostnames accordingly). The web server executables perform unusual "utility" tasks as part of a range of other websites, but still need to be hosted on port 80. There is no configuration other than address to bind to and port #.
I have set up several private IPs and bound each server application to those private IPs. Is it possible to leverage some of the Amazon networking products to direct the traffic to the correct private IP? E.g. I have tried setting up a private DNS using Amazon Route53, and internally at least this seems to point to the correct servers, but not (perhaps logically) when I try to access the site externally.
In the absence of any other solutions, I decided to solve this using the blunt hammer approach and use a reverse proxy. The downside is that my servers now only see the user IPs as 127.0.0.1, which was less than ideal, but better than nothing at all.
For my reverse proxy I used Redbird (uses node.js) but Nginx may also be an option. Both are free / open source.