How do you get the IP address of a Google Cloud Run server? - google-cloud-run

I have a K8s cluster that should whitelist a Cloud Run server, so I would like to know the IP address or IP range of the Cloud Run server.

As found here:
https://github.com/ahmetb/cloud-run-faq#is-there-a-way-to-get-static-ip-for-outbound-requests
Is there a way to get static IP for outbound requests?
Currently not, since Cloud Run uses a dynamic serverless machine pool by Google and its IP addresses cannot be controlled by Cloud Run users.
However, there is a workaround to route the traffic through a Google Compute Engine instance by running a persistent SSH tunnel inside the container and making your applications use it.

Related

Cloud Run Docker container - How to access DB on VM?

I have a python application running in a docker container in Google Cloud Run.
I have a VM instance which hosts a MongoDB instance. I need my python application, which is running in a docker container to access the database in the VM.
So far, it only runs into a Connection refused error. I "probably" understand that this is because it is not able to recognize the outside IP address. How do I make the application in the docker container access the outside world?
Edit: The problem was not with the container not being able to access the outside world. The problem was that the "internal IP address" was not reachable. The solution, as suggested by #guillaumeblaquiere, was to create a Serverless VPC Connector.
Posting #guillaumeblaquiere's comment for visibility:
Use a serverless VPC connector and access to your VPC through it.
As stated in the edit:
The problem was not with the container not being able to access the outside world. The problem was that the "internal IP address" was not reachable.
See also:
Connect to a VPC network
Configure private access to MongoDB Atlas with Serverless VPC Access
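The accepted fix above is a Serverless VPC Access connector. The script below is an added example, not the asker's or the answerer's code: it creates the connector, attaches it to the Cloud Run service with `--vpc-egress=private-ranges-only`, and opens the MongoDB port on the VM to the connector's /28 only, rather than to the whole VPC. The project id, region, network, connector name, image, network tag and IP range are all assumptions; the commands are printed rather than executed unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example (not from the original question or answer): connect a Cloud Run
# service to a MongoDB on a Compute Engine VM through a Serverless VPC Access
# connector, and open the database port only to the connector's range.
# Project, region, network, names, image and ranges below are assumptions.
# By default the commands are printed instead of executed; set DRY_RUN=0 to run them.

PROJECT="${PROJECT:-example-project}"                   # placeholder project id
REGION="${REGION:-europe-west1}"
NETWORK="${NETWORK:-default}"
CONNECTOR="${CONNECTOR:-run-to-vpc}"
CONNECTOR_RANGE="${CONNECTOR_RANGE:-10.8.0.0/28}"       # connectors require an unused /28
SERVICE="${SERVICE:-py-app}"
IMAGE="${IMAGE:-gcr.io/example-project/py-app:latest}"  # placeholder image
DB_TAG="${DB_TAG:-mongodb}"                             # network tag on the database VM
DB_PORT="${DB_PORT:-27017}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The connector range becomes a firewall *source*, so refuse anything that is
# not a /28 inside RFC 1918 space before it is used anywhere.
range_is_private_28() {
  ip="${1%/*}"; prefix="${1#*/}"
  [ "$prefix" = "28" ] || return 1
  o1="${ip%%.*}"; rest="${ip#*.}"; o2="${rest%%.*}"
  case "$o1" in
    10)  return 0 ;;
    172) [ "$o2" -ge 16 ] 2>/dev/null && [ "$o2" -le 31 ] && return 0 ;;
    192) [ "$o2" = "168" ] && return 0 ;;
  esac
  return 1
}

create_connector() {
  run gcloud compute networks vpc-access connectors create "$CONNECTOR" \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK" \
    --range="$CONNECTOR_RANGE"
}

# Ingress rule on the VM side: only the connector's /28 may reach the DB port,
# instead of a broad 0.0.0.0/0 or whole-VPC allow.
allow_db_from_connector() {
  run gcloud compute firewall-rules create "allow-${CONNECTOR}-to-${DB_TAG}" \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS --action=ALLOW \
    --rules="tcp:${DB_PORT}" --source-ranges="$CONNECTOR_RANGE" --target-tags="$DB_TAG"
}

# Deploy with the connector attached. private-ranges-only sends just RFC 1918
# destinations through the VPC; Internet-bound traffic keeps its default path.
deploy_service() {
  run gcloud run deploy "$SERVICE" --project="$PROJECT" --region="$REGION" \
    --image="$IMAGE" --vpc-connector="$CONNECTOR" --vpc-egress=private-ranges-only
}

main() {
  range_is_private_28 "$CONNECTOR_RANGE" || {
    echo "CONNECTOR_RANGE must be an RFC 1918 /28, got $CONNECTOR_RANGE" >&2; return 1; }
  create_connector
  allow_db_from_connector
  deploy_service
}

main
```

Once the service runs behind the connector, the application reaches MongoDB by the VM's internal IP, which is exactly the address the edit says was unreachable before; the firewall rule keeps that port closed to everything except the connector's range.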

Routing all net traffic from a k8s container through another in the same pod

I'm using GKE for deployments.
Edit: I need to access a customer's API endpoint which is only accessible when using their VPN. So far I can run a container which connects to this VPN and I can cURL the endpoint successfully.
For the above, I have configured a Debian docker image which successfully connects to a VPN (specifically, using Kerio Control VPN) when deployed. Whenever I make a net request from this container, it runs through the VPN connection, as expected.
I have another image which runs a .NET Core program which makes necessary HTTP requests.
From this guide I know it is possible to run a container's traffic through another using pure docker. Specifically using the --net=container:something option (trimmed the example):
docker run \
--name=jackett \
--net=container:vpncontainer \
linuxserver/jackett
However, I have to use Kubernetes for this deployment so I think it would be good to use a 2-container pod. I want to keep the VPN connection logic and the program separated.
How can I achieve this?
Each container in a pod has shared network resources. If you run a VPN client in one container, then all containers in this pod will have access to the network via the VPN.
Based on your comment I think I can advise you two methods.
Private GKE Cluster with CloudNAT
In this setup, you should use a Private GKE cluster with CloudNAT for external communication. You would need to use a manual externalIP.
This scenario is using specific externalIP for VPN connection, but it's required from your customer to whitelist access for this IP.
Site to site VPN using CloudVPN
You can configure your VPN to forward packets to your cluster. For details you should check other Stackoverflow threads:
Google Container Engine and VPN
Why can't I access my Kubernetes service via its IP?
I'm using a similar approach. I have a Django app whose static files need to be served by nginx. I want the app to be accessible through a VPN, for which I'm using OpenVPN.
Both the nginx container and the django container are in the same pod. My limited understanding is that it would be enough to run VPN in the background in the nginx container and it should successfully route requests to the backend using localhost because they're in the same pod.
But this doesn't seem to be working. I get a 504 Time-Out in the browser and the nginx logs confirm that the upstream timed out. Have you done anything extra to make this work in your case?
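The answer's point that containers in one pod share a network namespace is what makes the two-container layout work. The script below is an added example and not code from anyone in this thread: it renders a Pod in which a VPN sidecar is the only container holding `NET_ADMIN` (plus the node's `/dev/net/tun`, the usual pattern for a client that creates a tun interface), while the application container runs unprivileged and simply inherits the routes the sidecar installs. Image names, the Secret holding the VPN credentials and the pod name are assumptions, and the checks assume the node's container runtime permits the tun device to an unprivileged container, which is the common default.

```shell
#!/bin/sh
# Added example, not from the original thread: render a two-container Pod where a
# VPN sidecar owns the tunnel and the application container carries no privileges.
# Image names and the Secret name are assumptions (placeholders).

VPN_IMAGE="${VPN_IMAGE:-registry.example.invalid/vpn-client:latest}"    # hypothetical
APP_IMAGE="${APP_IMAGE:-registry.example.invalid/dotnet-client:latest}" # hypothetical
VPN_SECRET="${VPN_SECRET:-vpn-credentials}"                             # hypothetical Secret

render_pod_manifest() {
cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: vpn-client-pod
spec:
  automountServiceAccountToken: false
  containers:
  # The sidecar dials the customer VPN. It needs NET_ADMIN to create the tunnel
  # interface and routes, and the node's /dev/net/tun device; nothing else.
  - name: vpn
    image: ${VPN_IMAGE}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
        add: ["NET_ADMIN"]
    envFrom:
    - secretRef:
        name: ${VPN_SECRET}
    volumeMounts:
    - name: tun
      mountPath: /dev/net/tun
  # The application shares the pod's network namespace, so its traffic follows
  # the routes the sidecar installs. It runs as non-root with no capabilities.
  - name: app
    image: ${APP_IMAGE}
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
  volumes:
  - name: tun
    hostPath:
      path: /dev/net/tun
      type: CharDevice
EOF
}

# Policy checks a reviewer would run before applying: exactly one container asks
# for NET_ADMIN, every container drops all other capabilities, and none is privileged.
check_manifest() {
  m="$(render_pod_manifest)"
  [ "$(printf '%s\n' "$m" | grep -c 'add: \["NET_ADMIN"\]')" -eq 1 ] || return 1
  [ "$(printf '%s\n' "$m" | grep -c 'drop: \["ALL"\]')" -eq 2 ] || return 1
  printf '%s\n' "$m" | grep -q 'privileged: true' && return 1
  return 0
}

# Usage: sh vpn-sidecar.sh render | kubectl apply -f -
if [ "${1:-}" = "render" ]; then
  check_manifest || { echo "manifest failed policy check" >&2; exit 1; }
  render_pod_manifest
fi
```

Because the namespace is shared, the sidecar's route changes apply to the `app` container as well, and the two still talk to each other over `localhost`; keeping the credentials in a Secret mounted only into the `vpn` container means the application image never sees them.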

How can I access a web site hosted in Openshift cluster from an IP issued by local dhcp server

I have successfully deployed an Openshift all-in-one cluster using the client
tools provided on GitHub.
./oc cluster up
And I also built a WordPress web site and a MySQL database for it. Both are working fine and now I want to access the web site via a local IP address in my network, so others can access my web site in the Openshift. I don't know how to do this. I tried as much as I can; I cannot edit the master-config file as it resides in a docker container, and when restarted it is gone. Please help.
thank you
You can bring up the cluster using your IP address
something like:
oc cluster up --public-hostname=192.168.122.154
Check
oc status
once the cluster is up and use the URL to access.

How can JVMs running inside Bluemix container groups be monitored?

I am using Liberty inside Bluemix Docker container groups. I want to integrate on-premise monitoring tools with these container groups to monitor the Liberty JVM.
Using the REST adapter, I can do this when we have one member in the group, but not with more than one member in the group, as the JMX is exposed through the load balancer. I cannot access the container ports directly as these have Bluemix private IPs.
You can get to the private ips, but you'll have to either get in via the VPN service, or via an ssh tunnel through another container in that same space. That may be the simplest (and most secure) way to access that remotely.

How to tunnel to into the private network of my docker containers on Bluemix?

I have some docker containers running on Bluemix using private IP addresses. I would now like to set up a tunnel from my laptop (running linux) to access the private network on Bluemix.
I had first created a container running an ssh-server. Using ssh -D I was able to set up a SOCKS5 proxy connection. This worked fine with Chrome but not all applications support a SOCKS proxy.
(google-chrome --proxy-server=socks5://localhost:<tunnel port>)
So I tried to create a container with an OpenVPN server. Unfortunately this does not work on Bluemix as the containers are not running privileged and thus cannot create a tun device.
Bluemix also has a VPN and a Secure Gateway service, which sound promising but so far I could not figure out how to get those working.
Does anybody know if it is possible to make the private docker network available locally and how to connect to that?
Generally speaking, containers should be used to implement services available to external applications (an API service, or a runtime, or a DBMS, or something like that).
According to this, what you could achieve is a set of services available to you on different containers, and a single container working as an SSH tunnel gateway, making your local environment connect to it using SSH and defining a set of local and remote SSH port forwardings, with different policies according to the service/port and the IP of the service.
It should work for all the services, and you don't have to use a SOCKS proxy to forward requests to different hosts: using remote SSH forwarding, your SSH endpoint will redirect your requests to the right service inside the local/private LAN.
I found that this guide describes correctly how to work with local & remote port forwarding.
http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html
About the OpenVPN solution, as you already know it is not possible to use software requiring privileged mode on containers, because it couldn't be allowed on Bluemix for security reasons: if you wish to have this kind of solution I strongly suggest you use OpenVPN on a VM in the Bluemix UK region (still beta, but an architecture expected to be the final architecture as soon as the VM service becomes GA).
I think that these options are the ones available on Bluemix to achieve what you describe without using the VPN service suggested by #bill-wentworth
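The SSH-gateway approach this answer recommends and the "persistent SSH tunnel inside the container" workaround quoted in the Cloud Run answer at the top of the page are the same mechanism: an `ssh` invocation with a local forward (`-L`) that makes a private service reachable on this side, and a remote forward (`-R`) that lets the private side reach a service here. The script below is an added example, not code from the answer or the linked guide. It builds the forward specifications with two checks a gateway operator wants (ports are validated, and a forward may only bind to loopback, so a tunnel cannot silently publish a private database on every interface), pins the gateway host key, and keeps the tunnel up in a reconnect loop. The gateway host name, the user account, the key paths and the private MongoDB address are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original answers or the linked guide: build and run
# the ssh invocation behind both tunnel patterns on this page, a local forward (-L) that
# makes a private service reachable on the laptop, and a remote forward (-R) that lets
# the private side reach a local service. Gateway, user, key paths and ports are assumptions.

GATEWAY="${GATEWAY:-ssh-gateway.example.internal}"   # hypothetical SSH gateway container/VM
GATEWAY_USER="${GATEWAY_USER:-tunnel}"                # dedicated low-privilege tunnel account
KEY_FILE="${KEY_FILE:-$HOME/.ssh/tunnel_ed25519}"
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts_gateway}"  # pinned gateway host key

# A TCP port is an integer in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Forwards bound to 0.0.0.0 (or to an empty bind with GatewayPorts enabled on the
# server) publish the private service to whoever can reach that interface, so
# only loopback binds are accepted.
loopback_only() {
  case "$1" in 127.0.0.1|localhost|::1) return 0 ;; *) return 1 ;; esac
}

# forward_spec PORT HOST HOSTPORT [BIND] -> "BIND:PORT:HOST:HOSTPORT", the shape both
# -L and -R accept; fails on a non-loopback bind or an invalid port.
forward_spec() {
  bind="${4:-127.0.0.1}"
  loopback_only "$bind" || { echo "refusing non-loopback bind address: $bind" >&2; return 1; }
  { valid_port "$1" && valid_port "$3"; } || { echo "invalid port in $1/$3" >&2; return 1; }
  printf '%s:%s:%s:%s\n' "$bind" "$1" "$2" "$3"
}

# Common options: no remote shell, exit if a forward cannot be bound (so the loop
# below restarts cleanly instead of running half-configured), keepalives, and a
# pinned host-key file so nothing can stand in for the gateway.
SSH_OPTS="-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$KNOWN_HOSTS -i $KEY_FILE"

# tunnel_cmd LOCAL_SPEC REMOTE_SPEC -> the full command line, for review or logging.
tunnel_cmd() {
  printf 'ssh %s -L %s -R %s %s@%s\n' "$SSH_OPTS" "$1" "$2" "$GATEWAY_USER" "$GATEWAY"
}

# run_tunnel LOCAL_SPEC REMOTE_SPEC: keep the tunnel up, reconnecting after a short pause.
run_tunnel() {
  while :; do
    # shellcheck disable=SC2086  # SSH_OPTS is intentionally word-split
    ssh $SSH_OPTS -L "$1" -R "$2" "$GATEWAY_USER@$GATEWAY"
    echo "tunnel exited with status $?, reconnecting in 5s" >&2
    sleep 5
  done
}

main() {
  # Laptop:27017 -> MongoDB on the private network (the 10.0.0.5 address is an assumption).
  local_spec="$(forward_spec 27017 10.0.0.5 27017)" || exit 1
  # Gateway:9000 -> a service on this laptop, e.g. for callbacks from the private side.
  remote_spec="$(forward_spec 9000 127.0.0.1 9000)" || exit 1
  echo "starting: $(tunnel_cmd "$local_spec" "$remote_spec")" >&2
  run_tunnel "$local_spec" "$remote_spec"
}

# Usage: sh tunnel.sh start   (helpers can also be sourced without starting anything)
if [ "${1:-}" = "start" ]; then
  main
fi
```

With the tunnel up, a client on the laptop connects to `127.0.0.1:27017` and lands on the private MongoDB, which is the "no SOCKS proxy needed" property the answer describes; the same loop run inside a container is the Cloud Run workaround, with the gateway being the Compute Engine instance that owns the static address.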
