My customer wants to have Bluemix Local on their isolated DC from pulic.
They have a policy not to have internet access on the DC. Only allow to connect to internet in a limited period of time based on the IT/LOB request.
I know that the Bluemix Local need to have internet connection with IBM site for the purpose of the Remote maintenance by IBM.
Question:
Is it possible to minimize the on-line time between the Bluemix Local and IBM site ? The customer wants it offline normally and online only at the event of maintenance.
Thank you for your support.
Kohzo
The component that allow Bluemix local to be managed by IBM operation team is called "Relay".
Relay achieves secure connectivity through an open, outbound SSL, VPN tunnel that originates from the inception virtual machine on-premises by using certificates that are specific to each Bluemix Local instance.
The traffic on this tunnel is automated activity for serving and maintaining the platform, compute resources, and services for your instance. The traffic includes the monitoring capability that is used by IBM operations to complete problem determination for your local instance.
Only the IBM team that is working on local environment can securely access Bluemix instance. Access to ocal environment is secured by using two-factor authentication during multiple steps in the connection process. IBM provides a list of the approved users and IDs who can access the environment, and then customer can audit any access to the environment.
Since if a network interruption occurs Relay automatically re-establishes the connection, it does mean that the Relay must be always up .
Related
We're looking to use Application Gateway as a frontend\proxy for a website we host onsite. The website has a public IP but we'd like to restrict access to the site to only traffic coming from the Application Gateway. Is there a way to determine what IP the traffic would be coming from as it exits Azure? Is it like other Azure traffic where it could come from any IP subnet they have assigned to that specific region? I haven't seen this question asked and it's not directly referenced in any of MS documentation that I can find.
Thanks!
Not sure why you want to restrict access to the site to only traffic coming from the Application Gateway because if you configure it and add the website in the backend of Application Gateway. The traffic from a client will always reach the website through the Application gateway as the Application Gateway works as an application proxy by accepting traffic and based on rules that are defined with it, routes the traffic to the appropriate back-end instances.
You may want to know to restrict access on the application gateway subnet via NSG. Then the inbound or outbound traffic in the Application Gateway subnet will be filtered via NSG.
Network Security Groups (NSGs) are supported on the application
gateway subnet with the following restrictions:
Exceptions must be put in for incoming traffic on ports 65503-65534
for the Application Gateway v1 SKU and ports 65200 - 65535 for the v2
SKU. This port-range is required for Azure infrastructure
communication. They are protected (locked down) by Azure certificates.
Without proper certificates, external entities, including the
customers of those gateways, will not be able to initiate any changes
on those endpoints.
Outbound internet connectivity can't be blocked.
Traffic from the AzureLoadBalancer tag must be allowed.
Hope this will help, let me know if you have any other concerns.
Update
If you just want to whitelist the Azure service on the firewall, you can read the Azure Datacenter IP Ranges. You can figure out which datacenters your service are located in then narrow down the IP ranges.
We have created our automation framework using Appium-TestNG in which we are accessing our backend servers through RestFul Apis externally. The backend server is also based on AWS and has whitelisted the device farm IPs. When we are executing the tests locally its working fine but when we execute it on AWS Device Farm, it is giving ‘Socket Exception’ when trying to access the backend servers via our apis.
Can anyone give us a solution of how to access external Rest APIS via Device Farm?
The IP range that's in the FAQ of Device Farm point to the devices but not the device host. The device host could have a wide range of IPs but there are two ways(that I've found so far) to get around this issue in theory:
Use the private offering from Device Farm.
If you have access to the private offering for Device Farm, you're able to use the VPC integration with both the devices and the device host. So there shouldn't be any white-listing needed using this method.
Use API Gateway's private VPC integration and call this API from the tests
When using the public offering(metered and unmetered options) we should be able to take advantage of API Gateway's VPC integration. Using an private NLB in the same VPC as the REST API we can create a VPC link. The ending architecture I believe should look like this:
Then we can secure the API using an API key or custom authorizers. So then we can call this API which links to the private REST API from the device host.
Note: This might not be the best workaround depending on the use-case as then the device host will have access to the API key.
Additionally(I know you didn't ask this but wanted to link to it anyway), the easiest way I've found so far to develop REST API calls is to use Postman to make a successful call to the REST API. Then use the code snippet feature to make the same calls in the support languages from postman.
Hope that helps
-James
I am using google compute engine instances for a B2B customers, I am developing a feature that would allow customers to use their own smtp servers to send emails built via my application. However, the 3 classic SMTP server ports are blocked by Google (https://cloud.google.com/compute/docs/tutorials/sending-mail/).
I would like to find the most maintanable way to still access those SMTP servers.
The tech stack is Ruby On Rails / ActionMailer.
Any idea is welcome.
I assume your application is running inside the GCP. Thus, my thought is that you can configure your application to send emails via Google trusted third parties listed on this article, then your customers should be able to relay their SMTP traffic using 25, 465 or 587 port to your application and send out emails. This is feasible if all servers are running on the same project or connected through Cloud VPN, Shared VPC or VPC Network Peering.
I'm developing a web service that needs to connect to another web service and register a web service endpoint that notifications can be sent to.
e.g. Server A sends a registration request to Server B, containing the URL on which notifications will be sent (HTTP PUT).
If Server A (the development server) was on a public IP, all would be well, but at the moment its on my development laptop which is connected to the internet via a Wifi router which connects to Personal Hotspot on my iPhone. This is actually the most useful internet connection I have available most of the time. Neither the router nor Personal Hotspot (AFAIK) allow port forwarding or DMZ.
For development purposes I would like the notifications to come through to the service under development on my laptop. I can specify a static IP address when registering with the third-party web service, and a specific port number if needed.
My only thought was to use a VPN connection from the laptop to the internet, therefore masking the existence of the inbound route.
The VPN would therefore need to allow inbound packets through to the server. I've looked at the VPN service by VPNUK.info who I currently use, and they have both a dynamic IP and static IP version of their product, and the static version seems to suggest that inbound is possible.
Can anyone suggest how or if this would work? Any specific setup instructions? I presume once the VPN is established, and requests to the VPN Static IP address will be handled by the server on the development laptop (which is the device starting the VPN connection).
The development laptop is a Macbook running OS X Yosemite.
The web server is built using Node.js and Express.
I ended up signing up with VPN UK for a dedicated static IP VPN service. This gives a single publicly accessible IP address to the VPN connection.
Once the Macbook establishes the VPN, any requests to that IP address are routed to the Macbook as requested, so it doesn't matter where its located or the type/complexity of the internet connection.
We have a SMS provider that gives us access to their SMPP Server. The only problem is that, for security reasons (estipulated by this provider), we need to use a VPN connection. That is: once there (in their net) we can access the smpp server using a local IP address (10.x.x..)
Can I do this in Windows Azure? Connect to their net using the Virtual Networks feature?
Maybe late as answer, but I don't see the difference here regardless to AWS - in both cases you will VPN with their site. On Azure, you can definitely create a Site-to-Site VPN Gateway then establish VPN connectivity with the provider's site.