AWS Load balancing static IP range/Address - ruby-on-rails

I have an API that has whitelisted IP addresses that are able to access it. I need to allow all AWS Elastic Beanstalk EC2 instances to be able to access this API. So I need to, either through VPC or Load Balancer settings, configure a static IP or IP range x.x.x.x/32 that I can have whitelisted.
I'm lost between the VPC, Load Balancer, Elastic Beanstalk, etc. I need someone to break it down a bit and point me in the right direction.
Currently the load balancer is set up for SSL and this works correctly.
Thank you for your time

You can set up a NAT Gateway and associate an Elastic IP address in your VPC. Configure the routing from subnets to use the NAT Gateway for egress traffic. Then from your API side, you only need to whitelist the Elastic IP address of your NAT Gateway.
Check this guide for more details.

The best way to accomplish this is to place your EB EC2 instances in a private subnet that communicates to the Internet via a NAT Gateway. The NAT Gateway will use an Elastic IP address. Your API endpoint will see the NAT Gateway as the source IP for all instances in the private subnet, thereby supporting adding the NAT Gateway EIP to your whitelist.
To quote Amazon, link below:
Create a public and private subnet for your VPC in each Availability Zone (an Elastic Beanstalk requirement). Then add your public resources, such as the load balancer and NAT, to the public subnet. Elastic Beanstalk assigns them unique Elastic IP addresses (a static, public IP address). Launch your Amazon EC2 instances in the private subnet so that Elastic Beanstalk assigns them private IP addresses.
Load-balancing, autoscaling environments

You can assign Elastic IP addresses to ELB instances.
First you need to create a number of Elastic IP addresses. They will be unassigned by default.
The actual assignment can be triggered from the "User data" script that you can specify when creating a Launch Configuration for the ELB. The following two lines of code in the user data script should assign an IP:
pip install aws-ec2-assign-elastic-ip
aws-ec2-assign-elastic-ip --region ap-southeast-2 --access-key XXX --secret-key XXX --valid-ips 1.2.3.4,5.6.7.8,9.10.11.12
The list of --valid-ips should be the list of IPs you created in the beginning.
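Whichever of the approaches above produces the fixed source addresses (a single NAT Gateway Elastic IP, or one Elastic IP per instance), the check on the API side has to identify the real source correctly, and that is where allowlists usually go wrong: an API behind its own SSL-terminating load balancer sees the balancer as the TCP peer and must take the caller from X-Forwarded-For, but only the part of that header a trusted proxy wrote. The following Ruby is an added example, not code from the question or either answer; the addresses 203.0.113.10 (the allowed Elastic IP) and 10.0.0.0/8 (the internal range the load balancer lives in) are constructed placeholders.

```ruby
require "ipaddr"

# Source addresses the API accepts. With the NAT Gateway design this is the
# NAT Gateway's Elastic IP as a single /32; with one Elastic IP per instance
# it is one /32 per instance. 203.0.113.10 is a constructed placeholder from
# the documentation range, not a real Elastic IP.
ALLOWED_SOURCES = %w[203.0.113.10/32].map { |cidr| IPAddr.new(cidr) }.freeze

# If the API sits behind a load balancer or reverse proxy, the TCP peer is
# that proxy and the real source only appears in X-Forwarded-For. Only the
# addresses listed here are trusted to have appended to that header; the
# 10.0.0.0/8 range is an assumed internal range for this example.
TRUSTED_PROXIES = %w[10.0.0.0/8].map { |cidr| IPAddr.new(cidr) }.freeze

def ip_in?(list, ip)
  list.any? { |net| net.include?(ip) }
end

# Resolve the client address the way a proxy-aware app must: if the peer is
# a trusted proxy, walk X-Forwarded-For from the right (the end the proxy
# wrote) and take the first hop that is not itself a trusted proxy. Entries
# further left were supplied by the client and can be forged at will; an
# X-Forwarded-For sent by an untrusted peer is ignored entirely.
def client_ip(remote_addr, xff_header = nil)
  peer = IPAddr.new(remote_addr)
  return peer unless xff_header && ip_in?(TRUSTED_PROXIES, peer)

  xff_header.split(",").map(&:strip).reverse_each do |hop|
    ip = begin
      IPAddr.new(hop)
    rescue IPAddr::InvalidAddressError
      next # malformed hop: skip it rather than fail open
    end
    return ip unless ip_in?(TRUSTED_PROXIES, ip)
  end
  peer # every hop was one of our proxies; fall back to the peer, which is never allowlisted
end

# The actual allowlist decision, with remote_addr and the raw header value
# as Rack/Rails expose them (request.remote_addr, request.headers["X-Forwarded-For"]).
def allowed?(remote_addr, xff_header = nil)
  ip_in?(ALLOWED_SOURCES, client_ip(remote_addr, xff_header))
end
```

In Rails the same right-to-left walk is what request.remote_ip does, driven by config.action_dispatch.trusted_proxies; the point is that the load balancer's address range must be listed there, and nothing else, or a caller can append its own X-Forwarded-For and impersonate the NAT Gateway's Elastic IP.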

Related

AWS Ec2- need to create VPC and Subnets before Ec2 instance?

I am trying to create a basic ec2 instance on which I will run a docker container that runs a spring boot web app.
When I go to create the instance I see the below screen.
Do I need to create a VPC and subnets first before I can create an Ec2 instance? And is this a new feature of AWS?
I want my instance and docker container to be accessible via http and https on the public internet as spring boot exposes a rest api.
If you don't already have one, you can create your own VPC or use the default one then create a public subnet (with auto-assigned public addresses) in this VPC.
I would recommend directly creating your own VPC.
Since you want your instance to be reachable on http and https, you want to create a security group that allows connections on ports 80 & 443 and allows connections on port 22 from your personal IP address only.
Port 22 will allow you to connect via SSH to the instance to set up your docker container.
Hope it helped!

Why does isolated V3 App service Environment have 2 outbound IP?

Version 2 App Service Environment gives 1 outbound IP.
But with version 3 isolated App Service Environment I get 2 outbound IPs.
Background: I need to whitelist the outbound IP, and I would prefer to just whitelist 1 IP instead of 2.
Can I delete one of the outbound IPs?
With isolated, it seems like I cannot use virtual network NAT gateway to direct traffic through a static public IP address (app service vnet integration is greyed out)?
Thanks, Peter
Can I delete one of the outbound IPs?
There are 2 outbound IPs because there are 2 load balancers in the infra vnet for ASEv3. One IP is for the infra roles (Multi, FE, etc.) and the other is for the workers' outbound connections. We provide both as outbound IPs because outbound traffic could come from the workers (in the case of app outbound traffic) or from the infra layer (like getting KV references in a custom DNS suffix).
Below is an ASEv3 architecture diagram.
You should account for both IPs or you may run the risk of blocking necessary traffic.
With isolated, it seems like I cannot use virtual network NAT gateway to direct traffic through a static public IP address (app service vnet integration is greyed out)?
For more details see: https://learn.microsoft.com/en-us/azure/app-service/networking/nat-gateway-integration

Connecting a Cloud Run Instance to External RabbitMQ Instance(CloudAMQP)

There is a VPC connector enabled with "Route all traffic through the VPC connector" and a firewall rule to allow all egress traffic for the VPC. Still, I am not able to connect to the RabbitMQ instance (CloudAMQP) due to a timeout.
I realized that the issue is about using the Cloud Run VPC accessor for all traffic without a NAT gateway. After creating a NAT gateway for the related VPC, the issue was resolved.
Using the VPC accessor for only the internal traffic can also help in this case. But if you need to use a static IP to route outbound requests to external endpoints, then you have to use Cloud Run + all traffic through VPC Accessor + NAT.

Setup AKS Private Cluster with different API Server IP Address

My office is planning to use multi-cluster in AKS Azure.
When I do a POC to set up a new AKS Azure private cluster provisioned with a different subnet, the API server IP address is always set to 10.240.0.4 but the host or API server URL is different (random).
Could I set that API server IP address to a different IP address for each cluster with a different virtual network?
FYI, I provision the AKS private cluster via the Azure Portal.
Actually, you can get something here. The API server of the private AKS cluster uses the Azure Private Link service, so it needs to have a private IP address from the subnet that your private AKS cluster is in. All of this is done by Azure: it gives the first available private IP address of the subnet, so the API server gets the private IP address 10.240.0.4. You can change the address space of the subnet that your AKS cluster is in, and then the API server will get a different private IP address, but it will still be the first available IP and you can't decide which one.

How to allocate a static IP for an internal load balancer in Azure AKS

The document here describes how to create an AKS service with an internal load balancer associated with it. It explains how to assign an explicit IP address to this load balancer and states that the chosen IP "must not already be assigned to a resource." My question is how do I allocate this IP? The CLI command
az network public-ip create
can be used to allocate a public IP but there is no equivalent command
az network private-ip create
What is the correct procedure for allocating a private static IP in Azure?
Peter
There is no such command to create a static private IP for an internal load balancer in Azure AKS, as Azure Networking has no visibility into the service IP range of the Kubernetes cluster, see here.
Actually, you could add the loadBalancerIP property to the load balancer YAML manifest to specify a private IP for an internal load balancer. When you do that, the specified IP address must reside in the same subnet as the AKS cluster and must not already be assigned to a resource. You could check the subnets where you deploy the AKS cluster, then select one of the available addresses from the subnet address range, which should not overlap with the other IP addresses of connected devices.
Hope this will help you.
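The two AKS answers above rest on the same fact about Azure subnets: Azure reserves the first four addresses of every subnet (network address, default gateway, and two mapped to Azure DNS) plus the last (broadcast), and dynamic allocation then hands out the lowest free address. That is why the private cluster's API server lands on 10.240.0.4 in 10.240.0.0/16, and it is also the list of addresses a hand-picked loadBalancerIP must avoid. The following Ruby is an added example, not code from either answer; it assumes IPv4 subnets, and the in_use lists in the tests are constructed (in practice they would come from the subnet's IP configurations).

```ruby
require "ipaddr"
require "socket"

# Azure reserves the first four addresses of every subnet (network address,
# default gateway, two mapped to Azure DNS) and the last (broadcast). Dynamic
# allocation then hands out the lowest free address, which is why the private
# API server in the question above lands on 10.240.0.4 in 10.240.0.0/16.
AZURE_RESERVED_LEADING = 4
AZURE_RESERVED_TRAILING = 1

# Integer bounds of the usable part of an IPv4 subnet, reserved addresses excluded.
def usable_bounds(cidr)
  range = IPAddr.new(cidr).to_range
  [range.first.to_i + AZURE_RESERVED_LEADING, range.last.to_i - AZURE_RESERVED_TRAILING]
end

def to_ip(int)
  IPAddr.new(int, Socket::AF_INET)
end

# The address Azure gives the first platform resource in an otherwise empty
# subnet, e.g. the private cluster's API server endpoint.
def first_available_ip(cidr)
  to_ip(usable_bounds(cidr).first)
end

# The conditions the internal load balancer answer states for a loadBalancerIP:
# inside the AKS subnet, not one of Azure's reserved addresses, and not already
# assigned. `in_use` lists what is already allocated in the subnet.
def valid_static_ip?(cidr, ip, in_use)
  addr = IPAddr.new(ip)
  lo, hi = usable_bounds(cidr)
  addr.to_i.between?(lo, hi) && !in_use.map { |s| IPAddr.new(s) }.include?(addr)
end

# Choose a free static address from the top of the subnet, away from the low
# addresses that dynamic allocation takes first for nodes and platform
# endpoints, so a later scale-out cannot collide with it. Returns nil when the
# subnet is full.
def pick_static_ip(cidr, in_use)
  lo, hi = usable_bounds(cidr)
  hi.downto(lo) do |i|
    candidate = to_ip(i)
    return candidate if valid_static_ip?(cidr, candidate.to_s, in_use)
  end
  nil
end
```

Running valid_static_ip? before applying the manifest catches the two silent failure modes: an address in a reserved slot (10.240.0.1, say) or outside the cluster subnet is accepted by kubectl but the service never gets an external IP, and an address already held by a node or another service produces a conflict only at provisioning time.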
