Exclude cloud run from outer internet - google-cloud-run

I have a backend and a Google Endpoints service (both on Cloud Run). The Endpoints service provides information from the backend to authorized users. I want to make the backend not accessible from the outer internet. There is a possibility to allow only internal connections by setting Ingress -> Allow internal traffic only. If I do that, my Endpoints service can't reach the backend. All endpoints and the backend are connected to the same VPC. How can I exclude the backend from the outer internet?

You have 2 solutions:
Continue to expose your backend service to the internet but make it secure (IAM-protected service, deployed with the --no-allow-unauthenticated option). However, grant only the service account of your endpoint service the right to reach the backend. Like that, all the unauthenticated and unauthorized traffic will be filtered by GFE (Google Front End) and discarded automatically. Only allowed traffic will reach the backend. That solution has the advantage of also allowing you to test the backend, for example in case of an issue, with the correct permissions.
The second solution is exactly what you want:
Set the backend ingress to internal only
Create a serverless VPC connector, add it to the endpoint service with the egress control to ALL.
Like that, all the traffic of the endpoint will be routed through the VPC connector, land in your VPC and then internally access your backend. Why egress=all? Because, even if you set your backend ingress to internal, the Cloud Run URL is still public (but an additional check is done to be sure that the traffic comes from your VPC; it's named authenticated network traffic).
In the end, it's always authentication based (on network source or on service account identity). The serverless VPC connector costs about $17 per month.
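The caller side of the first solution, as an added example that is not part of the answer above: the endpoint service asks the metadata server for a Google-signed ID token whose audience is the backend's service URL and sends it as a bearer token; GFE verifies the token and checks that the caller's service account holds roles/run.invoker on the backend. The service URLs, service account name and gcloud commands in the comments are hypothetical, and the two `offline_*` helpers are constructed stand-ins so the module runs outside Cloud Run.

```python
"""Service-to-service call to an IAM-protected Cloud Run backend.

Assumed setup (hypothetical names):
  gcloud run deploy backend --no-allow-unauthenticated ...
  gcloud run services add-iam-policy-binding backend \
      --member=serviceAccount:endpoint-sa@my-project.iam.gserviceaccount.com \
      --role=roles/run.invoker
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict

# Metadata server endpoint that mints an ID token for the service's own identity.
METADATA_ID_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                         "instance/service-accounts/default/identity")

HttpGet = Callable[[str, Dict[str, str]], str]


def _metadata_http_get(url: str, headers: Dict[str, str]) -> str:
    """Real GET against the metadata server; only reachable from inside Cloud Run/GCE."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def fetch_id_token(audience: str, http_get: HttpGet = _metadata_http_get) -> str:
    """Request an ID token whose `aud` claim is the backend's bare https service URL.

    GFE compares `aud` against the URL it serves; a mismatch is rejected before
    the request ever reaches your container.
    """
    if not audience.startswith("https://"):
        raise ValueError("audience must be the backend's https service URL")
    query = urllib.parse.urlencode({"audience": audience})
    # Metadata-Flavor is mandatory; without it the metadata server answers 403.
    return http_get(f"{METADATA_ID_TOKEN_URL}?{query}", {"Metadata-Flavor": "Google"}).strip()


def token_audience(token: str) -> str:
    """Unverified decode of the JWT payload, used only to sanity-check `aud` locally.
    Signature, expiry and audience are verified by GFE, not by this client."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]


def build_backend_request(backend_url: str, path: str, token: str) -> urllib.request.Request:
    """Assemble the authenticated request the endpoint service sends to the backend."""
    if token_audience(token) != backend_url:
        raise ValueError("ID token audience does not match backend URL; GFE would reject it")
    url = backend_url.rstrip("/") + "/" + path.lstrip("/")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


# --- constructed offline stand-ins so the module runs outside Cloud Run ---

def offline_fake_id_token(audience: str) -> str:
    """Constructed, unsigned JWT with the same shape the metadata server returns."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = b64({"alg": "RS256", "typ": "JWT"})
    claims = b64({"aud": audience, "iss": "https://accounts.google.com",
                  "email": "endpoint-sa@my-project.iam.gserviceaccount.com"})
    return f"{header}.{claims}.fakesignature"


def offline_metadata_get(url: str, headers: Dict[str, str]) -> str:
    """Mimics the metadata server: enforces Metadata-Flavor, echoes the requested audience."""
    if headers.get("Metadata-Flavor") != "Google":
        raise PermissionError("403: missing Metadata-Flavor header")
    audience = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["audience"][0]
    return offline_fake_id_token(audience)


if __name__ == "__main__":
    backend = "https://backend-abc123-uc.a.run.app"  # hypothetical service URL
    tok = fetch_id_token(backend, http_get=offline_metadata_get)
    req = build_backend_request(backend, "/movies/42", tok)
    print(req.full_url, req.get_header("Authorization")[:30] + "...")
```

In production drop the `http_get` argument so the real metadata server is used, and keep the audience equal to the backend's service URL with no path or trailing slash; a token minted for one Cloud Run URL is not accepted by another, which is exactly what keeps a stolen token from being replayed against other services.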

Related

Restrict access to Microsoft Graph based on IP

I'm using Microsoft Graph API to access data from my Azure AD, including adding and updating users.
Is there any way I can limit access to the Graph API based on the client's IP? So that requests originating from a specific IP or an IP range will be served, and the rest will be blocked?
As far as I understand, the Graph API deployment https://graph.microsoft.com is a public API that is protected by Azure AD. As long as you have a valid access token you are able to call the API and do what the access token says you are allowed to do, regardless of where you are. This means access restriction can only be done at the Azure AD level during authorization.
If your apps are user-interactive, then you can try using the Azure AD Conditional Access Location Condition.
For daemon apps that run on the server side, this may not apply because they run behind your trusted networks in most cases.

Achieve country level blocking while using azure traffic manager and azure application gateway with WAF

We have used Azure Traffic Manager and Azure Application Gateway with a Web Application Firewall for an MVC C# web application hosted on an Azure virtual machine.
For security reasons, we need to allow specific IP addresses and block access at the country level.
But we are unable to find a way to block access at the country level and also allow specific IP addresses from that country.
Can you please guide us on a way to achieve this, or on its feasibility?
Does it need any other Azure service, or can it be achieved with the existing services/configuration?
We are unable to find a way to block access at the country level and also allow specific IP addresses from that country.
From the network connectivity point of view, the IP address only identifies the terminal device's location, and a device location within a country is included in that country level. If you choose to block some countries (for example, look at geo-filtering with WAF for Azure Front Door), this will block all IP addresses from that country, as the WAF works in front of the web app service or application gateway. So I don't think it's possible.
In fact, what you want is to allow some specific IP addresses: you can simply allow those IP addresses in the inbound rule of the NSG associated with the application gateway subnet, and whitelist your application gateway subnet in the NSG rule of the backend Azure VMs without any other internet access. It will only allow that IP address to access your backend application through Azure Application Gateway. Read more details in this blog.

IP filtering on Google Cloud run

I have an Angular web app I want to deploy using Google Cloud Run. However, I need the app to be visible only from a list of predefined IP addresses.
Can I simply set the IP allow/deny rules under the Google Cloud Platform firewall, or do I need another method?
Thanks in advance,
Nico
Google is clear about this point:
Don't trust the network
By the way, Google's top priority in development is not to rely on IP origin but on tokens for identity and authorization.
For Cloud Run, you have the Google Front End (GFE), which acts as a proxy, checks the authentication (in case of a private Cloud Run), ensures that the SSL certificate is deployed and valid, ... It's not possible to customize it with IP filtering.
Even if you plug an Endpoints (ESP) gateway in front of your Cloud Run service, it is not possible to filter on IP among all the security methods. The easiest for you should be to use an API key; I wrote an article on this.
In the future, Cloud Run will be compliant with Load Balancer. Not sure that will be enough for filtering IP.
All of this to tell you that, if you want to implement IP filtering on top of Cloud Run (and Cloud Functions), you have to implement it yourself.
There is currently no way to make Cloud Run accessible only for certain IPs.
However, Cloud Run services are deployed privately by default and are secured by IAM.
If you need to authenticate users, the provided ways are to use Google Sign-In or, should you want to use other credentials, Identity Platform or Firebase Authentication.
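Since both answers agree that the filtering has to live inside the service, here is an added example (not from either answer) of doing it as WSGI middleware in Python. It assumes the connecting client's address is the rightmost X-Forwarded-For entry, appended by Google's front end, so anything the client prepended itself is ignored; if you later put another trusted proxy in front of Cloud Run, raise `trusted_hops` accordingly. The CIDRs and the `hello_app` handler are constructed for the demo.

```python
"""IP allowlisting inside a Cloud Run service, since GFE does not filter by source IP."""
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowlist(cidrs: Iterable[str]) -> List[Network]:
    """Turn strings like '203.0.113.0/24' or '2001:db8::1' into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def client_ip(x_forwarded_for: Optional[str], trusted_hops: int = 1) -> Optional[str]:
    """Pick the entry added by the trusted proxy, counting from the right.

    With trusted_hops=1 the rightmost value is the one the front end appended
    (assumption stated in the lead-in); values to its left came from the client
    and may be forged, so they are never consulted.
    """
    if not x_forwarded_for:
        return None
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return None
    return hops[-trusted_hops]


def is_allowed(ip: Optional[str], allowlist: List[Network]) -> bool:
    """Fail closed: a missing or unparseable address is denied."""
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


class IpAllowlist:
    """WSGI middleware: 403 for callers outside the allowlist, pass-through otherwise."""

    def __init__(self, app, cidrs: Iterable[str], trusted_hops: int = 1):
        self.app = app
        self.allowlist = parse_allowlist(cidrs)
        self.trusted_hops = trusted_hops

    def __call__(self, environ, start_response):
        ip = client_ip(environ.get("HTTP_X_FORWARDED_FOR"), self.trusted_hops)
        if not is_allowed(ip, self.allowlist):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Constructed stand-in for the app that serves the Angular bundle."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def simulate(app, x_forwarded_for: Optional[str]) -> str:
    """Drive a WSGI app with a constructed request and return the status line."""
    status_holder = {}

    def start_response(status, headers, exc_info=None):
        status_holder["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if x_forwarded_for is not None:
        environ["HTTP_X_FORWARDED_FOR"] = x_forwarded_for
    list(app(environ, start_response))  # consume the body iterable
    return status_holder["status"]


if __name__ == "__main__":
    app = IpAllowlist(hello_app, ["203.0.113.0/24", "2001:db8::/32"])
    for xff in ["203.0.113.5", "198.51.100.7, 203.0.113.5",
                "203.0.113.5, 198.51.100.7", None]:
        print(repr(xff), "->", simulate(app, xff))
```

Wrap whatever WSGI app serves the static bundle (`application = IpAllowlist(flask_app, [...])` under gunicorn, for instance). The second and third sample requests show why the right-hand entry matters: a client that prepends an allowed address to its own X-Forwarded-For still gets a 403, because only the value the trusted proxy appended is checked.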

Don't allow direct calls to Microservices. Only allow through Zuul API Gateway

I have created multiple microservices like movie-catalog-service, movie-rating-service and movie-info-service, and also created a "Zuul API Gateway".
All the requests are allowed through the Zuul API Gateway. I want to stop users from directly accessing the URL of the individual services.
Is there a way to stop users from directly accessing the services mentioned in A and B (only allow the ones that come through the API Gateway)?

Restrict access of the back-end pool form application gateway public ip

I have mapped the DNS of the application gateway (v2) to the public domain registry and I am able to access the backend pool (web app) from the public domain (mydomain.com). But I am also able to access the web app from the DNS/IP of the application gateway.
I want to restrict access to the web app from the DNS/IP of the application gateway.
thanks,
regards
Sakaldeep
If I'm understanding you correctly, you want to access the web app only from the DNS/IP of the application gateway. If so, you could add an access restriction rule to your web app.
You could open Network > Access Restrictions and click on Configure Access Restrictions in your app service on the Azure portal. Ref: adding and editing Access Restriction rules in the portal. You can click on [+] Add to add the front-end IP address of the application gateway in the access restriction rule.
If you only want to access the web app from the public domain (mydomain.com) but not from the IP/DNS of the application gateway, while the traffic should still go through the application gateway (domain -> App GW -> Web App), then configure a Multi-site Listener even if you have only one site.
You will see the below when you hit the IP/DNS of the application gateway, but you are still able to access it through the domain. Also, configure the restriction at the web app level.
404 Not Found