I have an ASP.NET MVC application which we have setup through Elastic Load balancer on AWS which works great.
However to take online payments via Sagepay Direct integration, we have had to setup an Elastic IP on to a 'master' instance. This is because Sagepay will only allow requests from a known IP (or IP range I believe) and as far as I know, you will never know the IP of the instance the load balancer throws you on.
Before you ask, Sagepay will not allow me to add a A or C record :(
I can live with this, BUT as my application gets busier it's a shame I cant load balance the payments system and make use of the cloud facilities (auto scaling, etc)
Any thoughts on how to achieve this scenario?
After following an AWS seminar, I was informed that AWS publish the IP ranges and these can be added to Sagepay.
Here they are for your reference! AWS EC2 IP ranges
Hope that helps!
Related
I have a MERN application with the frontend hosted on Netlify. I currently have the backend hosted at onrender.com. However this is quite slow and so was looking for something with faster load rates.
I have set up an EC2 instance on AWS and it is much faster, but I am struggling to enable HTTPS traffic.
The current setup:
EC2 instance set up and backend running. (I have ran it locally over http and it works fine).
AWS: security groups enabled https
The issue is that when I try to connect over https, it does not work.
I have tried various things including the ACM certificates (I have a certificate for my domain), creating load balancers that would direct to my instance, but I don't seem to succeeding. Admittedly, I don't fully understand what exactly I need to do here.
The outcome I want is to simply interact with the backend, which is on an AWS ubuntu instance, from my frontend over https.
Any help would be greatly appreciated.
if you are going the Load Balancer way, should be fairly simple.
Yes, it is a good idea to use ACM to provision Certificate for you.
Make sure that the Security Groups are well configured
In your case the Load Balancer should accept traffic from port 80 and 443
The Instance security group should be open where you have configured the instance to listen, it depends on your impmenetation
In the target group make sure that you have configured the target port correctly (that is the ec2 open port, where recieves traffic), also make sure that the health check is configured correctly.
I attached a quick summary how this little architecture should look like
our company just moved to a new office and therefore also got new network equipment. Es it turns out, our new firewall does not allow pushing routes over VPN that it first has to look up ip addresses for.
As we all know, amazon aws does not allow static ip addresses for its application load balancer.
So our idea was to simply put a network load balancer in front of the application load balancer (there is a pretty hacky way described by aws itself (https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-application-load-balancers/) that seemed to work fine (even if I don't really like the approach with the lambda script registering and deregistering targets)
So here is our problem: as it turns out, the application load balancer only gets to see the network load balancers ip address. This prevents us to use security groups for ip whitelisting which we do quite heavily. On top of that some of our applications (Nginx/PHP based) also do ip address verification and the alb used to pass the clients ip address as an x-forwarded-for header. Now our application only sees the one from the nlb.
We know of the possibility to use the global accelerator but that is a heavy investment as we don't really need what the GA is trying to solve.
So how did you guys solve this problem ?
Thankful for any help :)
Greetings
You could get the list of AWS IP addresses for the region your ALB is located, and allow for them in your firewall. They do publish the list and you can filter through it https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
I haven't done this myself and I'm unsure if the addresses for ALB are included under the EC2 category of you would take the whole of AMAZON service "to be safe".
Can you expand on this? "We know of the possibility to use the global accelerator but that is a heavy investment as we don't really need what the GA is trying to solve."
GA should give you better, more consistent performance, especially if your office is far away from the AWS Region where the ALB is running
I'm trying to create a setup where all of my (mobile and home) traffic is encrypted and ad-blocked. The idea is to use this setup:
wherein all of my traffic when using the VPN client on my phone or PC is routed through a custom OpenVPN setup running on a AWS EC2 instance. On its way out of the EC2 instance towards the public internet, I want to have a PiHole or equivalent DNS sinkhole filtering requests for blacklisted sites.
It's important that this is configured in such a way that I'm not allowing for a public/open DNS resolver - only traffic coming from through the OpenVPN (and therefore coming from an OpenVPN client that is using one of my keys) should be allowed.
Is this possible? Am I correctly understanding the functionality of all the parts?
How do I set this up? What concepts do I need to understand to make this work?
This tutorial seems like a good place to start. This is using lightsail not EC2, but if you aren't planning to scale this up much that might be simpler and cheaper.
I am looking to build a scalable REST webservice on the Google Cloud Compute Engine but have a couple of requirements that I am not sure how best to implement.
Structure so far:
2 Instances running a REST webservice connected to a MySQL Cloud database.
(number of instances to scale up in the future)
Load balancer to split request between the two or more Instances.
this part is fine.
What I need next is that the traffic (POST requests from instances to an external webservice) must come from a single IP address. I assume these requests can not route back through the public IP of the load balancer?
I get the impression the solution to this is to route all requests from instances though a 3rd instance running squid. Is this the best way to do this? (side question)
Now to my main question:
I have been reading about ApiAxle which sounds like a nice proxy for Web Services, giving some good access control, throttling and reporting capabilities.
Can I have an instance running ApiAxle followed by a google cloud Load Balancer which shares the request from the proxy to the backend instances that do the leg work and feed the response back through the ApiAxle proxy, thus having everything though a single IP visible to clients using the API? (letting me add new instances to the pool to add capacity.)
and Would the proxy be much of a bottle neck?
Thanks in advance.
/Dave
(new to this, so sorry if its a stupid question because I cant find anything like this on the web)
Sounds like you need to NAT on your outbound traffic so it appears to come from one IP address. You need to do that via a third instance since Google LB stack doesn't provide this. GCLB works only with inbound connections on the load-balanced IP.
You can setup source-NAT using advanced routing, or you can use a proxy as you suggested.
We are using Amazon EC2 services to host our play application on live. I have a quite important problem with Elastic Load Balancer. In my application I need request remote address and I am using play framework controller's request.remoteAddress property for it. However on Amazon it is stored always as load balancers ip address which is misleading us as we cannot track request remote address.
Is there something like a setting in Amazon ELB Configuration for forwarded requests? In Apache i think there is a solution for that but I have skimmed through ELB documentation and could not find any clue.
i think you can use this when you a behind an proxy or load balancer:
String ip = Http.Request.current().headers.get("x-forwarded-for")
I think I found an elegant solution that Play Framework have a support such as XForwardedSupport. I am planning to test it in a short while.
Details of XForwardedSupport is here