I have a few virtual machines on Google Cloud.
My virtual machine runs an application that connects to a database server. The database server is protected with two types of authentication:
Password
IP addresses white-list
My problem is with the IP address. I need to define the allowed IPs manually on my database in order to allow them to connect. Since I do not control the external IP address (it changes dynamically), I am looking for another solution.
I found this script to get the whole range of Google IPs. But as the script writer said, this range of IPs changes at high frequency, which is a big problem: I can't trust this kind of solution.
It sounds like I am facing a common problem. What should I do?
A simpler way would be to use a private IP for your Cloud SQL instance.
This way your instances will use their internal IP rather than the external IP, and since you should have defined a VPC, you have full control over the range you allow.
In addition, please note you get the following benefits using private IP to connect to Cloud SQL:
Lower network latency: Private IP provides lower latency than public IP.
Improved network security: Private services access traffic is never exposed to the public Internet.
Plus, you can follow these steps to configure private IP connectivity for your Cloud SQL instances, along with VPC firewall rules and network tags to allow or deny specific traffic into and out of your GCP project and VM instances.
I have an application on an EC2 instance which connects to a website (github.com) to download an application repository (say three times a week or a bit more frequently).
I would like to block access to my VPC using a NACL, so that no traffic other than from this website, github.com, can go through (keeping in view that NACLs are stateless).
The issue I am facing is that I cannot whitelist a website using a NACL, since the IP-based approach is not workable (the IPs are always changing).
Can someone suggest a better solution or a fix that we can apply here?
A NACL cannot resolve DNS, as this requires a higher OSI layer that has information about the HTTP protocol details.
One option here is to place your EC2 instance behind a NAT gateway, effectively placing it in a private subnet; it would then translate to an IP that will not change when facing the public internet, such as an Elastic IP. In this way you will be able to protect your EC2 instances while referencing a consistent IP address.
Another option is to use ssh-keygen to generate a public/private key pair, which you then copy over to the respective Git repo (as an SSH key), and block all other protocols and traffic after establishing that one-to-one trust. A more secure version of this is tackled nicely in this post: EC2 can't SSH into github
Is it possible to set up a static IP address or range of IPs for server requests to external dbs and web services?
We have a web app running on Google Compute Engine managed instance group. We want to lock down access to our db to specific IP addresses. However the server IPs on the managed instance group are stateless, and the IPs change with each update to the web app. Is it possible to assign a static IP/range of IPs to our outbound server traffic?
We've investigated NAT gateways and VPC peering a bit, but they don't seem to exactly fit our requirements. Something like a 'load balancer for outbound server traffic' would seem to fit what we're looking for...
Any advice greatly appreciated.
A use case would be where the IG has to connect back to a private cloud that is firewall-managed. Having the IG draw from a preset 'range' of IPs would be useful to security teams.
The security team could pre-program a range of IPs that the scalable IG would draw from.
This way the IG would draw from a preset and preconfigured (on the private cloud FW) range of IPs when it scales up.
I think you cannot directly assign static IPs during the creation of a managed instance group or by specifying them in an instance template. The IPs will be set as ephemeral at first.
By going to VPC Network -> External IP Addresses you can reserve IPs (easily promoting ephemeral ones to static IPs) and assign them to the specific VMs you wish.
This is a good explanation of how reserving IPs for GCE works.
You can also reserve static internal addresses if you so wish.
Hope this helps.
Locking down access to specific IPs is not a good idea if you have a GCP managed instance group. As of now, there is no option for assigning static external IPs to managed instance group instances. Even if you did so, it would be meaningless because of the autoscaling behavior.
I recommend you look into this link if you are using the Cloud SQL managed service from GCP for your DBs.
Also, if you are using a non-managed/external DB, use an Nginx proxy.
I'm trying to limit SSH access to a Google Cloud VM instance by using the firewall in "VPC Network". I only want to be able to access the VM when I'm on my university's Wi-Fi. I've added the DNS server IP addresses (listed here: https://accc.uic.edu/service/uic-net), but once I add them to the firewall I lose access even when I'm on the university network.
(screenshot of the firewall rule implementation)
I've even tried using my specific machine's IP address with no luck (even though I want the whole network to have access, not just my machine).
Adding the DNS server IP address to a Google VPC firewall rule will not enable access from your network. You need to know your network's public IP CIDR block and use that for the firewall.
From the document link that you provided, your network is using two netblocks: 131.193.0.0/16 and 128.248.0.0/16. Verify that the network you are connecting from uses one of these CIDR blocks: go to any website that supports "What is my IP", such as https://www.whatismyip.com/.
Then create a firewall rule specifying:
Direction of traffic: Ingress
Action on match: Allow
Source filter: IP ranges
Source IP ranges: 131.193.0.0/16, 128.248.0.0/16
Protocols and ports: Allow all
I have two VNets, VNET1 and VNET2, that are connected using a gateway. VNET2 has a VM which hosts a MongoDB instance. I have a WebJob running within an App Service Environment which is deployed into a subnet within VNET1. From this subnet I am able to access the VM in VNET2 by its DNS name, but I am unable to access the VM's internal IP. Any suggestions are welcome.
An internal IP address is internal to a VNet, and VNets are isolated from one another by design. See this site for a good overview: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-overview/. If you want to connect internally you might want to consider having multiple subnets within the same VNet instead.
At present, connecting two VNets using a gateway allows IP communication but doesn't allow DNS name resolution. In this scenario we recommend managing a local DNS server. This page shows the requirements for using your own DNS server in Azure.
HTH, Gareth
This has probably been answered elsewhere but I can't seem to find it!
I have a number of AWS EC2 instances that I am using as part of a project being built and I am now looking into securing the setup a bit. I want to lock down access to some of the ports.
For example, I want to have one of the instances act as a database server (hosting MySQL). I want this to be closed to public access but open to access from my other EC2 instances on their private IPs.
I also use the AWS auto-scaler to add/remove instances as required and need these to be able to access the DB server without having to manually add its IP to a list.
Similarly if possible I want to lock down some instances so that they can only accept traffic from an AWS Load Balancer. So port 80 is open on the instance but only for traffic coming from the Load Balancer.
I've looked at specifying the IPs using CIDR notation but can't seem to get it working. From the look of the private IPs being assigned to my instances, the first two octets remain the same and the last two vary. But opening it to all instances with the same first two octets doesn't seem that secure either?!
Thanks
What you want to do is all pretty standard stuff, and is extensively documented in the AWS VPC documentation for Virtual Private Clouds. If your EC2 instances are not running in a VPC, they should be.
The link below should help, it seems to be your scenario:
Scenario 2: VPC with Public and Private Subnets (NAT)
The configuration for this scenario includes a VPC with a public subnet and private subnet, and a network address translation (NAT) instance in the public subnet. A NAT instance enables instances in the private subnet to initiate outbound traffic to the Internet. We recommend this scenario if you want to run a public-facing web application, while maintaining back-end servers that aren't publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
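The two allow-listing patterns that come up on this page are the same decision seen from two sides: the GCP VPC firewall rule above matches the connecting client's address against a list of source IP ranges, and the AWS security-group approach referenced in this answer matches on the source instance's group membership instead of its address. The script below is an added example (not code from any of the posts) that evaluates both kinds of rule the way a default-deny ingress filter does. Every IP, rule name and security-group ID in it is constructed for illustration; the 131.193.0.0/16 and 128.248.0.0/16 netblocks are the ones quoted in the firewall answer, and 203.0.113.53 stands in for "the DNS server address I added", to show why listing a resolver never admits the client that uses it.

```python
# Added example: evaluating ingress allow rules as a VPC firewall or AWS
# security group does. Not from the original posts; all addresses, rule
# names and group IDs are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One ingress allow rule. A connection matches when the destination port
    matches and the source is inside one of source_cidrs (GCP "Source IP
    ranges") or belongs to one of source_groups (AWS security-group source)."""
    name: str
    port: int                       # destination TCP port; 0 means any port
    source_cidrs: tuple = ()        # e.g. ("131.193.0.0/16",)
    source_groups: tuple = ()       # e.g. ("sg-app",)


def rule_matches(rule, src_ip, src_groups, dst_port):
    if rule.port not in (0, dst_port):
        return False
    src = ip_address(src_ip)
    if any(src in ip_network(cidr) for cidr in rule.source_cidrs):
        return True
    return bool(set(rule.source_groups) & set(src_groups))


def allowed_by(rules, src_ip, src_groups, dst_port):
    """Default deny: return the name of the first matching rule, else None."""
    for rule in rules:
        if rule_matches(rule, src_ip, src_groups, dst_port):
            return rule.name
    return None


# --- GCP-style rule: source filter is a list of IP ranges -------------------
CAMPUS_SSH = Rule("ssh-from-campus", 22,
                  source_cidrs=("131.193.0.0/16", "128.248.0.0/16"))
# Constructed stand-in for "I added the DNS server's address": the resolver
# lives at 203.0.113.53 (TEST-NET-3); the laptop using it does not.
DNS_SSH = Rule("ssh-from-dns-server", 22, source_cidrs=("203.0.113.53/32",))


def gcp_checks():
    return {
        "laptop_on_campus": allowed_by([CAMPUS_SSH], "131.193.45.7", (), 22),
        "laptop_off_campus": allowed_by([CAMPUS_SSH], "198.51.100.8", (), 22),
        # Listing the resolver's address does not admit the client behind it.
        "client_behind_dns": allowed_by([DNS_SSH], "203.0.113.7", (), 22),
        # Port is part of the match: campus address, but not the SSH port.
        "campus_wrong_port": allowed_by([CAMPUS_SSH], "131.193.45.7", (), 3306),
    }


# --- AWS-style rules: source is another security group ----------------------
DB_FROM_APP = Rule("mysql-from-app-sg", 3306, source_groups=("sg-app",))
HTTP_FROM_ELB = Rule("http-from-elb-sg", 80, source_groups=("sg-elb",))
# The CIDR alternative from the question: every host in a 10.0/16 VPC.
DB_FROM_VPC = Rule("mysql-from-vpc-cidr", 3306, source_cidrs=("10.0.0.0/16",))


def aws_checks():
    # An autoscaled app server: address unknown in advance, group known.
    app_ip, app_groups = "10.0.37.200", ("sg-app",)
    # Another host in the same VPC that is not an app server.
    stray_ip, stray_groups = "10.0.5.9", ("sg-other",)
    elb_ip, elb_groups = "10.0.1.15", ("sg-elb",)
    return {
        "app_to_db": allowed_by([DB_FROM_APP], app_ip, app_groups, 3306),
        "stray_to_db_via_sg": allowed_by([DB_FROM_APP], stray_ip, stray_groups, 3306),
        # Same stray host, but with the /16 CIDR rule: it gets through.
        "stray_to_db_via_cidr": allowed_by([DB_FROM_VPC], stray_ip, stray_groups, 3306),
        "elb_to_web": allowed_by([HTTP_FROM_ELB], elb_ip, elb_groups, 80),
        "public_to_web": allowed_by([HTTP_FROM_ELB], "198.51.100.8", (), 80),
    }


if __name__ == "__main__":
    for name, result in {**gcp_checks(), **aws_checks()}.items():
        print(f"{name:22s} -> {result or 'DENY'}")
```

The security-group cases are the answer to the "first two octets" worry in the question: a rule whose source is the app servers' group admits the autoscaled instance whatever address it gets, while the stray host in the same /16 is denied by the group rule but admitted by the CIDR rule. On the GCP side the same evaluator shows that a firewall rule is only ever compared against the address the packet actually arrives from, which is why the campus netblocks work and the resolver's address does not.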