Is there a way to use Google NAT service in order to get a single IP to multiple compute engines in different projects - google-cloud-platform

I'm trying to create a single outbound IP to multiple compute engines in different Google projects.
The reason I want to do this is a third-party service that needs whitelisting in order to work, and every addition of an IP to its whitelist causes a restart.
I first tried to think of Google NAT, but the solution is unclear in the case of multiple projects.
Can you help me solve this issue?

Google NAT will provide you with a single public IP address for instances with only a private IP address in the same subnet of the same project.
This means that you cannot use NAT to provide a single public IP address to represent instances in more than one project.
The only method that I know of is to set up multiple VPNs with your data center and route all traffic for these instances to your data center via the VPN and then out to the public Internet. Your data center router's public interface will be the IP address that is whitelisted.

Related

Using NACL to Block traffic

I have an application on an EC2 instance which connects to a website (github.com) to download an application repository (say thrice a week, or a bit more frequently).
I'd like to block access to my VPC using NACL, so that no traffic other than from this website github.com (keeping in view that NACLs are stateless) can go through.
The issue I am facing is that I cannot whitelist a website using NACL, since the IP-based approach is not workable (the IPs are always changing).
Can someone suggest a better solution or a fix that we can apply here?
NACL cannot resolve DNS, as this requires a higher OSI layer that has information about the HTTP protocol details.
One option you can do here is to place your EC2 instance behind a NAT gateway, thus effectively placing it in a private subnet and it would translate to an IP that will not change when facing the public internet such as an Elastic IP. In this way, you will be able to protect your EC2 instances while referencing a consistent IP address.
Another option is to use ssh-keygen to generate a public and private key pair, which you will then copy over to the respective git repo (SSH key), then block any other protocols and traffic after establishing that one-to-one trust. A more secure version of this is tackled nicely in this post: EC2 can't SSH into github
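Because NACLs are stateless, every outbound allow needs a matching inbound allow for the return traffic on the client's ephemeral ports, and rules are evaluated lowest number first with first match winning. The following Python is an added example (not from the question or the answers) that builds that rule set for a list of destination CIDRs and evaluates sample flows against it the way a NACL would; the destination ranges are constructed placeholders, not GitHub's published addresses, and the "allow/deny" strings and rule layout are a local model, not the AWS API.

```python
"""Build and evaluate stateless NACL rule pairs for outbound HTTPS (added example)."""
from ipaddress import ip_address, ip_network

# Constructed sample destinations (TEST-NET ranges); replace with the ranges
# you actually need, and refresh them whenever the provider publishes changes.
SAMPLE_DESTINATIONS = ["203.0.113.0/24", "198.51.100.0/24"]

# Linux clients pick source ports from this range by default; the return
# packets of an outbound HTTPS connection arrive on these ports, so the
# inbound side of a stateless NACL must allow them explicitly.
EPHEMERAL_PORTS = (1024, 65535)


def build_nacl_rules(destinations, service_port=443, start_rule=100, step=10):
    """Return one outbound allow (to service_port) and one inbound allow (from the
    destination, on the ephemeral range) per destination CIDR.  Nothing else is
    allowed: a NACL ends with an implicit deny-all rule."""
    rules = []
    number = start_rule
    for cidr in destinations:
        net = ip_network(cidr)  # raises ValueError on a malformed CIDR
        rules.append({"rule_number": number, "egress": True, "action": "allow",
                      "cidr": str(net), "protocol": "tcp",
                      "port_range": (service_port, service_port)})
        rules.append({"rule_number": number, "egress": False, "action": "allow",
                      "cidr": str(net), "protocol": "tcp",
                      "port_range": EPHEMERAL_PORTS})
        number += step
    return rules


def evaluate(rules, egress, remote_ip, port):
    """Apply the rules as a NACL does: lowest rule number first, first match wins.
    `port` is the destination port of the packet being evaluated, so for return
    (inbound) traffic it is the instance's ephemeral port."""
    addr = ip_address(remote_ip)
    direction = sorted((r for r in rules if r["egress"] == egress),
                       key=lambda r: r["rule_number"])
    for rule in direction:
        low, high = rule["port_range"]
        if addr in ip_network(rule["cidr"]) and low <= port <= high:
            return rule["action"]
    return "deny"  # the unnumbered '*' catch-all in the AWS console


if __name__ == "__main__":
    nacl = build_nacl_rules(SAMPLE_DESTINATIONS)
    for r in nacl:
        print(r)
    print(evaluate(nacl, True, "203.0.113.10", 443))   # allow: HTTPS out
    print(evaluate(nacl, False, "203.0.113.10", 40000))  # allow: reply to ephemeral port
    print(evaluate(nacl, True, "192.0.2.5", 443))       # deny: not in the list
```

The inbound ephemeral-port allow is what people most often forget when moving from stateful security groups to NACLs; the example also makes the answer's point concrete, since the only thing that keeps the list correct is someone re-running it with fresh CIDRs.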

Access gcp instance in another project

How to access instance in a different project without using external IP
I have two projects, say A and B, and I want to ssh from an instance in project-A to an instance in project-B.
What I found is that I was able to ping the instance in B using its external IP from the instance in A, not its internal IP. After I added my public key to the instance in B, I was able to ssh to it using its external IP from the instance in A (I have my private key here).
I wonder if I can access the project B instance from the project A instance without going through the external IP, as it will go out of GCP and come back. Is there a way that I could do this internally?
Both project A and B are under the same GCP account.
Google VPCs use RFC 1918 IP addresses. These addresses are not routable across the Internet. VPCs can use the same address range in more than one VPC.
If your VPCs are not using overlapping IP addresses, you can enable VPC Network Peering to connect the two VPCs together. You can then use private IP addresses to access resources in each VPC subnet.
Google VPC Network Peering
As I understand it, you could create a shared VPC and have your Compute Engines in your distinct projects have network interfaces to this shared VPC. They would then be able to access each other directly. For full details on shared VPC, see GCP Shared VPC.
Another solution would be to use GCP VPC Peering which allows two distinct but NOT overlapping networks to connect to each other using the GCP VPC Peering capabilities.
There is so much to say about these concepts it doesn't seem to make sense repeating that here. I encourage you to read the docs in the links above and post new specific questions as needed.
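Both answers hinge on the same precondition: peering only works when the two VPCs' subnet ranges do not overlap, and the addresses involved are RFC 1918 ranges that never leave Google's network. The Python below is an added example, not part of either answer or of Google's tooling, that checks a pair of constructed subnet inventories for overlap before you request peering and flags which pair collides; the project and subnet names are assumptions.

```python
"""Pre-flight check for VPC Network Peering: no overlapping subnets (added example)."""
from ipaddress import ip_network
from itertools import product

# Constructed sample inventories: subnet name -> primary CIDR.  In practice
# these would come from `gcloud compute networks subnets list` in each project.
VPC_PROJECT_A = {"subnet-a-us": "10.10.0.0/20", "subnet-a-eu": "10.10.16.0/20"}
VPC_PROJECT_B = {"subnet-b-us": "10.20.0.0/20", "subnet-b-eu": "10.10.16.0/24"}

RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_overlaps(vpc_a, vpc_b):
    """Return (name_a, name_b, cidr_a, cidr_b) for every subnet pair whose
    ranges overlap.  strict=True rejects CIDRs with host bits set, which is
    usually a typo in an inventory."""
    overlaps = []
    for (name_a, cidr_a), (name_b, cidr_b) in product(vpc_a.items(), vpc_b.items()):
        net_a = ip_network(cidr_a, strict=True)
        net_b = ip_network(cidr_b, strict=True)
        if net_a.overlaps(net_b):
            overlaps.append((name_a, name_b, cidr_a, cidr_b))
    return overlaps


def can_peer(vpc_a, vpc_b):
    """Peering is only possible when no subnet in A overlaps a subnet in B."""
    return not find_overlaps(vpc_a, vpc_b)


def is_rfc1918(cidr):
    """True if the whole range lies inside one of the three RFC 1918 blocks.
    (ipaddress.is_private is broader than RFC 1918, hence the explicit list.)"""
    net = ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


if __name__ == "__main__":
    for clash in find_overlaps(VPC_PROJECT_A, VPC_PROJECT_B):
        print("overlap: %s (%s) vs %s (%s)" % clash)
    print("can peer:", can_peer(VPC_PROJECT_A, VPC_PROJECT_B))
    print("all A ranges RFC 1918:", all(is_rfc1918(c) for c in VPC_PROJECT_A.values()))
```

Run it before creating the peering in either project; when it reports a clash, renumber the smaller subnet (as the test below does for subnet-b-eu) rather than trying to peer and debugging the route conflict afterwards.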

GCP external ip address range

I have a few virtual machines on Google Cloud.
My virtual machine runs an application that connects to a database server. The database server is protected with two types of authentication:
Password
IP address whitelist
My problem is with the IP address. I need to define the allowed IPs manually on my database in order to allow them to connect. Since I am not controlling the external IP address (they change dynamically), I am looking for another solution.
I found this script to get the whole range of Google IPs. But as the script writer said, this range of IPs changes with high frequency, which is a big problem: I can't trust this kind of solution.
It sounds like I am facing a common problem. What to do?
You could, in a simpler way, use a private IP in your Cloud SQL.
This way your instances will be using their internal IP and not the external IP, and as you should have defined a VPC, you have full control over the range you should allow.
In addition, please note you get the following benefits using private IP to connect to Cloud SQL:
Lower network latency: Private IP provides lower latency than public IP.
Improved network security: Private services access traffic is never exposed to the public Internet.
Plus, you can follow these steps to configure Private IP connectivity in your CloudSQL instances. Along with VPC firewall rules and network tags in order to allow/deny specific traffic in/out your GCP project and VM instances.

AWS - Locking down ports

This has probably been answered elsewhere but I can't seem to find it!
I have a number of AWS EC2 instances that I am using as part of a project being built and I am now looking into securing the setup a bit. I want to lock down access to some of the ports.
For example, I want to have one of the instances act as a database server (hosting MySQL). I want this to be closed to public access but open to access from my other EC2 instances on their private IPs.
I also use the AWS auto-scaler to add/remove instances as required and need these to be able to access the DB server without having to manually add its IP to a list.
Similarly if possible I want to lock down some instances so that they can only accept traffic from an AWS Load Balancer. So port 80 is open on the instance but only for traffic coming from the Load Balancer.
I've looked at specifying the IPs using CIDR notation but can't seem to get it working. From the look of the private IPs being assigned to my instances, the first two octets remain the same and the last two vary. But opening it to all instances with the same first two octets doesn't seem that secure either?!
Thanks
What you want to do is all pretty standard stuff, and is extensively documented in the AWS VPC documentation for Virtual Private Clouds. If your EC2 instances are not running in a VPC, they should be.
The link below should help, it seems to be your scenario:
Scenario 2: VPC with Public and Private Subnets (NAT)
The configuration for this scenario includes a VPC with a public subnet and private subnet, and a network address translation (NAT) instance in the public subnet. A NAT instance enables instances in the private subnet to initiate outbound traffic to the Internet. We recommend this scenario if you want to run a public-facing web application, while maintaining back-end servers that aren't publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
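The part of the VPC documentation that answers the auto-scaling and load-balancer questions is that a security group rule's source can be another security group instead of a CIDR: the DB group admits 3306 from members of the web group, and the web group admits 80 from the load balancer's group, so a newly launched instance is covered the moment it joins the group, with no IP to add. The Python below is an added example, not code from the answer or from AWS, that models that evaluation on a constructed inventory; the group IDs, instance names and addresses are placeholders.

```python
"""Model of security-group evaluation with group-referenced sources (added example)."""
from ipaddress import ip_address, ip_network

# Constructed inventory: instance -> (private IP, set of security group IDs).
# The "sg-..." values are placeholders, not real AWS identifiers.
INSTANCES = {
    "db-1":  ("10.0.2.10", {"sg-db"}),
    "web-1": ("10.0.1.11", {"sg-web"}),
    "web-2": ("10.0.1.12", {"sg-web"}),   # launched later by the auto-scaler
    "lb-1":  ("10.0.0.5",  {"sg-lb"}),
    "stray": ("10.0.1.99", set()),        # same /16 as the web tier, in no group
}

# Inbound rules per group: (protocol, port, source).  A source is either a
# CIDR string or another group's ID, the same choice the AWS console offers.
RULES = {
    "sg-db":  [("tcp", 3306, "sg-web")],       # DB only from the web tier
    "sg-web": [("tcp", 80, "sg-lb")],          # web only from the load balancer
    "sg-lb":  [("tcp", 80, "0.0.0.0/0")],      # the one public-facing port
}


def source_matches(source, src_ip, src_groups):
    """Group-referenced sources match on membership, CIDR sources on address."""
    if source.startswith("sg-"):
        return source in src_groups
    return ip_address(src_ip) in ip_network(source)


def allowed(src_name, dst_name, proto, port, instances=INSTANCES, rules=RULES):
    """Security groups are stateful allow-lists: the connection is admitted if
    any inbound rule on any of the destination's groups matches, else dropped."""
    src_ip, src_groups = instances[src_name]
    _, dst_groups = instances[dst_name]
    for group in dst_groups:
        for rule_proto, rule_port, source in rules.get(group, []):
            if (rule_proto == proto and rule_port == port
                    and source_matches(source, src_ip, src_groups)):
                return True
    return False


if __name__ == "__main__":
    for src, dst, port in [("web-1", "db-1", 3306), ("web-2", "db-1", 3306),
                           ("stray", "db-1", 3306), ("lb-1", "web-1", 80),
                           ("stray", "web-1", 80), ("stray", "lb-1", 80)]:
        print(f"{src} -> {dst}:{port}  {'allow' if allowed(src, dst, 'tcp', port) else 'drop'}")
```

The "stray" instance is the case the question worried about: it shares the first two octets with the web tier, so a /16 CIDR rule would have admitted it, while the group-referenced rule does not.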

use one common public ip address for multiple ec2 instances

I'm using AWS EC2 instances as web servers.
There are more than 20 web servers and they have to connect to some external services. Those external services have IP-based security rules. Because of this, I have to use only one or two public IP addresses to connect to those services.
How can I route outgoing traffic to use only one public IP address?
Yes, you could use a NAT instance for that.
Just make sure your instance is large enough to accommodate the desired throughput.
See: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html