I have recently started exploring the Google Cloud Platform Cloud Load Balancer and Cloud CDN products.
I am interested in setting up a load balancer to accept requests from multiple customer-pointed domains and map to an internal service.
Currently, I am creating multiple front-ends for the load balancer which feature a single domain and one or more SSL certificates. This creates a new ephemeral IP address per front-end that customer domains can be pointed to via A records.
Instead, I would like to allow customers to point their domains to my service using CNAME records.
e.g. demo.customerdomain.com -> CNAME service.mydomain.com.
Can anyone help me figure out the best way to do this?
I am not sure what benefits/risks this has in terms of security or caching, so if anyone has any input on that, I would be interested to hear it.
Thanks,
I'm running a backend app with several endpoints on Cloud Run (fully managed). My endpoints are publicly available by their nature, so I don't want to authenticate users through my client app hosted on Netlify.
What I do need is to restrict access to my endpoints so that other applications or malicious users can't abuse them. It is not about scaling; I just don't want to exceed the Free Tier limits since it is a demo of an open-source application.
I've already set the concurrency and max instance limits to the minimum, but this alone is not enough. There is also a product named Google Cloud Armor, but it seems to be an expensive one, not free.
I was expecting to have a simple built-in solution for this but couldn't find it.
What other solutions do I have? How can I block the traffic coming out of my website on Netlify?
You don't have a lot of solutions:
You don't want to authenticate your users -> so you need to rely on the technical layers
Netlify is a serverless hosting platform, you don't manage servers/IPs -> So you need to rely on the host name
To filter on the host name, you can use 2 products:
External HTTPS load balancer only (about $15 per month) with URL path matching.
The default URL lands on a dummy service.
Only requests where the host matches your Netlify host name are redirected to your backend.
Use Cloud Armor on top of the External HTTPS load balancer ($15 + Cloud Armor policy x traffic volume). This time, the load balancer redirects the default URL to the correct backend and Cloud Armor checks the request origin.
The problem is that this weak solution is easy to bypass. Perform a simple curl with the host as a header, and the HTTPS Load Balancer and Cloud Armor think that it is the correct origin:
curl -H 'Host: myNetlifyHost.com' ....
The highest protection is authentication. Google Cloud itself says: "Don't trust the network".
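As an added illustration (not code from the answer above), this simulates the host-rule layer and shows why it cannot tell a browser on the site apart from a curl that copies the Host header, then adds the authentication layer the answer recommends. The HMAC bearer token is a constructed stand-in for Cloud Run's own identity tokens, and the host name and secret are placeholders.

```python
import hashlib
import hmac
import time

# Constructed values for this demo (not from the original answer)
NETLIFY_HOST = "mynetlifyhost.com"
SECRET = b"constructed-demo-secret"  # stand-in for a real identity provider's key

def route_by_host(request):
    """The URL-map layer from the answer: only the Netlify host name reaches the
    real backend; everything else lands on the dummy service. It sees nothing
    but the Host header, which any client can set."""
    host = request["headers"].get("Host", "").lower()
    return "real-backend" if host == NETLIFY_HOST else "dummy-service"

def issue_token(subject, ttl=300, now=None):
    """Mint a short-lived bearer token: '<subject>:<exp>.<hmac-sha256 hex>'."""
    exp = (int(time.time()) if now is None else now) + ttl
    payload = f"{subject}:{exp}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify_token(token, now=None):
    """The authentication layer: a copied Host header cannot forge a signature."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not payload or not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    exp = payload.rpartition(":")[2]
    return exp.isdigit() and int(exp) > (int(time.time()) if now is None else now)

def authorize(request, now=None):
    """Both layers together: route on Host, then require a verified token."""
    if route_by_host(request) != "real-backend":
        return "dummy-service"
    scheme, _, token = request["headers"].get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not verify_token(token, now):
        return "401 unauthorized"
    return "real-backend"

# Constructed requests: the site's own browser traffic, and a curl that simply
# copies the Host header (the weakness the answer describes).
BROWSER = {"headers": {"Host": NETLIFY_HOST,
                       "Authorization": "Bearer " + issue_token("demo-user", now=1000)}}
SPOOFED = {"headers": {"Host": NETLIFY_HOST,
                       "Authorization": "Bearer demo-user:9999.deadbeef"}}
```

`route_by_host` returns the same answer for both requests; only `authorize` separates them.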
I want to use a GCP load balancer to terminate HTTPS and auto manage HTTPS cert renewal with Lets Encrypt.
The pricing calculator gives me $21.90/month for a single rule. Is this how much it would cost to do HTTPS termination for a single domain? Are there cheaper managed options on GCP?
Before looking at the price, and at another solution, look at what you need. Are you aware of the Global Load Balancer capabilities?
It offers you a unique IP reachable all over the globe and routes the request to the region closest to your user to reduce latency. If the region is off, or the capacity of your backend is full (health check KO), the request is routed to the next closest region.
It allows you to rewrite your URLs, manage SSL certificates, cache your files in a CDN, scale with your traffic, deploy a security layer on top of it, like IAP, and absorb DDoS attacks without impacting your backend.
And the price is for 5 forwarding rules, not only one.
Now, of course, you can do differently.
You can use a regional solution. This solution is often free or affordable, but you don't have all the Global load balancer features.
If your backend is on Cloud Run or App Engine, Cloud Endpoint is a solution for Cloud Function (and other API endpoints).
You can deploy and set up your own nginx with your SSL certificate on Compute Engine.
If you want to serve only static files, you can have a look at Firebase Hosting.
I have multiple sites for various locations like UK, BE, US etc. If I use the US site, it needs to hit only the US region server. Likewise, UK means the UK server, etc. Is this possible to achieve using an AWS server?
What I think you need is Geolocation routing. The AWS documentation for this is found here.
An excerpt from this page is:
Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. For example, you might want all queries from Europe to be routed to an ELB load balancer in the Frankfurt region.
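An added example (not part of the answer above): the Route 53 change batch that implements the UK / BE / US split described here, plus the default record that catches queries whose origin Route 53 cannot geolocate. Record name, hosted zone id and server IPs are constructed placeholders.

```python
# Added example: build and sanity-check a Route 53 geolocation change batch.
# Note that the UK's ISO country code is "GB"; CountryCode "*" is the default.
from typing import Dict, List

# Constructed: country code -> server IP serving that region (placeholders)
REGION_TARGETS = {"GB": "198.51.100.10", "BE": "198.51.100.20", "US": "198.51.100.30"}
DEFAULT_TARGET = "198.51.100.30"   # served when the resolver's location is unknown
RECORD_NAME = "www.example.com"     # placeholder domain

def geolocation_record(name: str, set_id: str, country: str, ip: str, ttl: int = 60) -> Dict:
    """One geolocation A record; SetIdentifier must be unique per record name."""
    return {
        "Name": name,
        "Type": "A",
        "SetIdentifier": set_id,
        "GeoLocation": {"CountryCode": country},
        "TTL": ttl,
        "ResourceRecords": [{"Value": ip}],
    }

def build_change_batch(name: str, targets: Dict[str, str], default_ip: str) -> Dict:
    """ChangeBatch for route53.change_resource_record_sets: one UPSERT per
    country plus a default ('*') record so every query still resolves."""
    changes: List[Dict] = [
        {"Action": "UPSERT",
         "ResourceRecordSet": geolocation_record(name, f"geo-{cc.lower()}", cc, ip)}
        for cc, ip in sorted(targets.items())
    ]
    changes.append({"Action": "UPSERT",
                    "ResourceRecordSet": geolocation_record(name, "geo-default", "*", default_ip)})
    return {"Comment": "Geolocation routing per country", "Changes": changes}

def validate_change_batch(batch: Dict) -> List[str]:
    """Checks worth running before applying: exactly one default record,
    unique SetIdentifiers, and a single record name in the batch."""
    problems: List[str] = []
    sets = [c["ResourceRecordSet"] for c in batch["Changes"]]
    if sum(1 for s in sets if s["GeoLocation"].get("CountryCode") == "*") != 1:
        problems.append("need exactly one default ('*') geolocation record")
    ids = [s["SetIdentifier"] for s in sets]
    if len(ids) != len(set(ids)):
        problems.append("SetIdentifier values must be unique within the record name")
    if len({s["Name"] for s in sets}) != 1:
        problems.append("all records in the batch should share one name")
    return problems

if __name__ == "__main__":
    batch = build_change_batch(RECORD_NAME, REGION_TARGETS, DEFAULT_TARGET)
    assert not validate_change_batch(batch)
    # boto3.client("route53").change_resource_record_sets(
    #     HostedZoneId="ZONE_ID_PLACEHOLDER", ChangeBatch=batch)
```

Without the `*` record, clients whose resolver location is unknown get no answer at all, which is the most common mistake with this routing policy.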
I have created a LAMP based service on a shared hosting provider. It has now grown and I want to move it to AWS EC2. I have already ported the code and the data, set up EBS for the persistent content, set up an AMI image that boots up fine, and tested the solution on EC2.
I now want to redirect my DNS to the EC2 instance(s) IP. I have asked my shared hosting provider if they can redirect the TLD record (domain.com) to this IP, but they say they can only safely redirect a subdomain (like www.domain.com) because cPanel breaks if the TLD is redirected. I'm not sure I follow the problem details, but it looks like I have to rent a DNS solution.
What alternatives do I have? I think DynDNS.com is one solution (or a similar service), what else? Or, amongst commercial DNS services, what are good choices in terms of reliability, quality of service, quality of support etc?
Seems you have one foot on the ship and one on the shore! But the good news is you're almost there!
I suggest leaving your shared host. If they are unable to support you with such a request, it's a good sign you've outgrown the service. There are a few options for you to consider.
First of all, when moving web hosting from shared to AWS, you also need to consider what to do with the DNS, email and cPanel services. I use AWS for web hosting, but separate providers for DNS and email. I don't use cPanel - I just configure DNS and the web server manually. This keeps things much simpler and much more flexible, and the only extra cost is a bit of time to configure DNS separately. cPanel, Plesk and similar systems add a lot of unnecessary complexity into Apache and I find this causes problems later.
Though, if you want to keep cPanel, you might consider installing it or some other web-based management system on AWS. (I'd bet you'd find a prebuilt AMI for this if you look around.)
I'm not sure about running a DNS server on AWS, but I think it would be much easier and more reliable to use a DNS service.
EasyDNS.com and No-IP.com are both great DNS hosts - I've used No-IP for my enterprise AWS web hosting for over 2 years. (It is particularly good because they offer monitoring, and automatic and manual DNS failover in case there's a problem. But, that may be more than you need.) I've used EasyDNS for 4 or 5 years. Both services have solid support and are very reliable.
If you want something free, MyDomain.com has been very reliable for me for almost 10 years, but support is very slow. MyDomain will host your DNS for free even if you didn't register the domain with them.
One last consideration in addition to these: Amazon also offers Elastic IPs, which is basically a static IP for your web server instance. Using this will make your DNS much simpler and give you the flexibility to easily change to a new instance in the future, if you ever need to. I strongly recommend using an Elastic IP.
I've used EasyDNS; their DNS rates are reasonable and they have always been fast to help.
https://dns.he.net/ - free for up to 50 domains. Supports IPv6 AAAA records, custom TTL and has a convenient management interface.
The life cycle of a web request has many pieces. I will try to explain the individual pieces so you can fill in the blank according to how you best see fit.
Domain registration (could be your current host, or someone else)
Where does this domain point to? i.e., which server answers requests forwarded to this domain? (This is determined by DNS records; i.e., in your case the A record should point to the server.) You most likely need to modify this.
Previously, you were using your host, so most likely in DNS the A entry pointed to their server. Like SaintSal mentioned, the easiest way is to change it to the Elastic IP you get from AWS. I don't know why your host does not allow modification of the TLD, but it shouldn't break cPanel. [Perhaps if you have been with them for more than 90 days, you can transfer your registration to another provider - I personally use Dreamhost. With Dreamhost, such a setup is a breeze. The only thing I have with Dreamhost is the domains. They are hosted with Rackspace and AWS.]
At the end of it, you will still have domain registration (not hosting) with your current host, but web hosting on AWS.
If you want to make things more complicated, your DNS hosting could be another service. In this case, you will need to change the DNS servers with your domain registrar to a third party such as DynDNS or others.
The DNS servers will resolve a request to example.com into an IP such as 11.11.11.11. In your case, this should be the AWS elastic IP. In order to make this work, your domain registrar will have DynDNS servers as DNS servers. DynDNS will have A record pointing to your elastic IP.
I hope I am not confusing you.
Good luck. You are mostly there. Just need a few settings here and there :)