Version 2 App service environment gives 1 outbound IP
But with ver,3 isolated App service Environment I get 2 outbound IP.
background : I need to whitelist the outbound IP, and I would prefer to just whitelist 1 IP instead of 2.
Can i delete one of the outbound IP?
With isolated, seems like i cannot use virtual network NAT gateway to direct traffic through a static public IP address (app service
vnet integration is greyed out)?
Thanks, Peter
Can i delete one of the outbound IP?
There are 2 outbound IPs because there are 2 load balancers in the infra vnet for ASEv3. One IP is for the infra roles (Multi,FE, etc) and the other is for the workers outbound connection. We provide both as outbound ips because outbound traffic could come from the workers (in the case of app outbound traffic) or from the infra layer (like getting KV references in custom dns suffix).
Below is an ASEv3 architecture diagram.
You should account for both IPs or you may run the risk of blocking necessary traffic.
With isolated, seems like i cannot use virtual network NAT gateway to
direct traffic through a static public IP address (app service vnet
integration is greyed out)?
For more details see: https://learn.microsoft.com/en-us/azure/app-service/networking/nat-gateway-integration
Related
There is a VPC connector enabled Route all traffic through the VPC connector and a firewall rule to allow all egress traffic for the VPC. Still, I am not able to connect to the RabbitMQ instance(cloudamqp) due to timeout.
I realized that the issue is about using Cloud Run VPC accessor for all traffic without a NAT gateway. After creating a NAT gateway for the related VPC, the issue resolved.
Using the VPC accessor for only the internal traffic can also help in this case. But, if you need to use static IP to route outbound requests to external endpoints then you have to use Cloud Run + all traffic through VPC Accessor + NAT.
We use Docker containers to deploy multiple small applications on our servers that are reachable on the public internet. Some of the services need to communicate to each other, but are deployed on different servers, due to different hardware requirements (the servers are on different network and different IP).
Q: What would be the best way to configure blocking of incoming requests to SERVER:PORT except for some allowed IPs and at the same time allow all outgoing connections of the Docker containers?
Two major things we played with and tried out to get them working:
Bound Docker port mappings to 127.0.0.1 and route every traffic through an nginx. This is really config heavy and some infrastructure components aren't possible to proxy via http(s), so we need to add them to nginx.conf stream-server block and therefore open a port on the server (that is accessible by everyone).
Use iptables to restrict access to the published ports. So something like this: iptables -A INPUT -I DOCKER-USER -p tcp -i eth0 -j DROP. But this also have 2 major downfalls. First it seems that it's quite hard to allow multiple IP adresses in such a construct and on the other hand this approach seems to block our docker outgoing connections (to the internet) as well. E. g.: After we activated it a ping google.com from within a docker container was rejected.
Not sure I get this. In term of design, what is available to the external world is in a DMZ or published through an API gateway.
Your docker swarm/kubernetes cluster shall not be accessible directly through the internet or only the API gateway or the application on the DMZ.
So quite likely your docker server shall not be accessible directly. And even if that is the case, if you don't explicitely export a port to the host/outside of the cluster, it stay restricted to the virtuals networks of docker to allow cross container communication.
I need to know all of Google's IMAP subnet addresses so I can allow bidirectional traffic on my company's firewall between ALL of Google's IMAP subnets and a specific internal client.
I've executed the command nslookup imap.gmail.com and received the following IP addresses in the results:
108.177.122.108
108.177.122.109
74.125.21.108
74.125.21.109
74.125.136.108
74.125.136.109
I want to make sure that I don't miss any IP addresses/subnets when I create the firewall rule on my company's firewall.
I have a API that has whitelisted IP addresses that are able to access it. I need to allow all AWS Elastic beanstalk EC2 instances to be able to access this API. So i need to either through VPC or Load Balancer settings configure a static IP or IP range x.x.x.x/32 that i can have whitelisted.
Im lost between the VPC, Load Balancer, Elastic Beanstalk, ETC. Need someone to break it down a bit and point me in the right direction.
Currently the load balancer is setup for SSL and this works correctly.
Thank you for your time
You can setup a NAT Gateway and associate an Elastic IP address in your VPC. Configure the routing from subnets to use the NAT Gateway for egress traffic. Then from your API side, you only need to whitelist the Elastic IP address of your NAT Gateway.
Check this guide for more details.
The best way to accomplish this is to place your EB EC2 instances in a private subnet that communicates to the Internet via a NAT Gateway. The NAT Gateway will use an Elastic IP address. Your API endpoint will see the NAT Gateway as the source IP for all instances in the private subnet, thereby supporting adding the NAT Gateway EIP to your whitelist.
To quote Amazon, link below:
Create a public and private subnet for your VPC in each Availability Zone (an Elastic Beanstalk requirement). Then add your public resources, such as the load balancer and NAT, to the public subnet. Elastic Beanstalk assigns them a unique Elastic IP addresses (a static, public IP address). Launch your Amazon EC2 instances in the private subnet so that Elastic Beanstalk assigns them private IP addresses.
Load-balancing, autoscaling environments
You can assign Elastic IP addresses to ELB instances.
First you need to create a number of Elastic IP addresses. They will be unassigned by default.
The actual assignment can be triggered from the "User data" script that you can specify when creating a Launch Configuration for the ELB. The following two lines of code in the user data script should assign an IP:
pip install aws-ec2-assign-elastic-ip
aws-ec2-assign-elastic-ip --region ap-southeast-2 --access-key XXX --secret-key XXX --valid-ips 1.2.3.4,5.6.7.8,9.10.11.12
The list of --valid-ips should be the list of IPs you created in the beginning.
I have a silverlight->server communication system up that uses port 4530 among others. I've used no-ip.org to redirect traffic to my home server. Is there anyway to use no-ip (or is there another service like it?) to allow me to ping off an ip at port 4530 etc, and send it to my dynamic ip?