URL based access for VPC instances - url

I have to restrict access to a particular URL for an instance which is in a VPC. In a security group, we are able to restrict inbound/outbound access only through IP address but not based on URL. How to create URL based ACLs in AWS?
Thanks in advance for your help.

I'm not aware of any AWS service with this capability. You will need to configure this on the actual web server. Something like an Nginx reverse proxy with allow/deny rules.

Related

GCP Cloud Run: Disable default URL and use Custom Domain only?

Is it possible to disable the default URL like this https://my-app-332mpca-uc.a.run.app and only use my custom domain as defined in domain mapping?
You can't achieve that with a custom domain. You can achieve something similar by adding a Load Balancer in front of Cloud Run thanks to a serverless NEG.
As you do that, you have an IP that you can add to your registrar (similar to custom domain in fact). To remove the public access of the Cloud Run default URL, you can set the ingress parameter of Cloud Run service to Internal and Cloud Load Balancer.
And then, you have it.
No.
The Cloud Run service URL is the definitive address for the service.
Your DNS CNAME needs a unique identifier for the service and the endpoint is it.
The only alternative to a URL would be for Google to publish IP addresses for Cloud Run services but that's impractical (with IPv4) and still provides an alternative way to access the service.

Using Custom domain, URL mask with CloudRun services and a NEG

I am having an issue using the Serverless NEG and URL Masks with Custom domains. Here is some background:
I have multiple services deployed as CloudRun services (login service, search service, feedback service). I am trying to set up a custom domain mapping and use URL Masking so the requests are routed to appropriate services.
I followed the steps outlined here - https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless
I have created a Load Balancer, Backend Service and a Serverless NEG with a Serverless Network Endpoint Group type as "Cloud Run" and selected "use URL mask" checkbox and provided my custom domain URL like this mycompany.com/ where mycompany.com is the custom domain I have.
NOTE: I am planning to use just one Serverless NEG and leverage URL mask so it can route the requests to appropriate CloudRun service in the backend.
I have updated mycompany.com to use the Public IP address created by the LB from the above steps.
Now, when I type mycompany.com/login or mycompany.com/search, it is not directing me to the appropriate CloudRun services and instead I get an error - "This site can’t be reached"
My question: Do I need to set up Custom Domains and add mappings on the CloudRun page specifying mycompany.com and select one of the CloudRun services for me to leverage URL masks?
I am slightly confused here and the documentation is not helping me here.
Please help.
Regards,
Raj

API gateway to my elastic beanstalk docker deployed app

My backend is a simple dockerized Node.js express app deployed onto elastic beanstalk. It is exposed on port 80. It would be located somewhere like
mybackend.eba-p4e52d.us-east-1.elasticbeanstalk.com
I can call my APIs on the backend
mybackend.eba-p4e52d.us-east-1.elasticbeanstalk.com/hello
mybackend.eba-p4e52d.us-east-1.elasticbeanstalk.com/postSomeDataToMe
and they work! Yay.
The URL is not very user friendly so I was hoping to set up API gateway to allow me to simply forward API requests from
api.myapp.com/apiFamily/ to mybackend.eba-p4e52d.us-east-1.elasticbeanstalk.com
so I can call api.myapp.com/apiFamily/hello or api.myapp.com/apiFamily/postMeSomeData
Unfortunately, I can't figure out (i) if I can do this (ii) how to actually do it.
Can anybody point me to a resource that explains clearly how to do this?
Thanks
Yes, you can do this. For this to happen you need two things:
a custom domain that you own and control, e.g. myapp.com.
a valid, public SSL certificate issued for that domain.
If you don't have them, and want to stay within the AWS ecosystem, you can use Route53 to buy and manage your custom domain. For SSL you can use AWS ACM which will provide you with a free SSL certificate for the domain.
AWS instructions on how to set it all up are:
Setting up custom domain names for REST APIs

Is there a way to whitelist IP addresses to access Cloud Run services?

Is there a way to set up access to Cloud Run services via whitelisted IP addresses?
I could not find anything in the documentation besides this Authentication overview
When you deploy a Cloud Run service in private mode, the requester has to request the endpoint with a bearer token. This token is checked by Google Front End (GFE), also in charge of managing SSL certificates for example, and it has to reference an account (member, group or service account) that has the role run.invoker on the Cloud Run service.
If you grant this role to AllUsers, the service switches from private to public and anybody can call it without any authentication.
That is the behavior of Cloud Run, and as you can't customize GFE, IP filtering is not possible directly. You have to add an additional component for performing this filter.
With Cloud Run for Anthos (as proposed by Kolban) you can set firewall rules and thus you can perform filtering. But you aren't in the serverless world: you have to manage your cluster, your nodes, your firewall rules, your load balancer, ...
Last thing, one piece of Google's advice is: don't trust the network. Because it's easy to steal an IP address (I don't know how, but for Google it's obvious!!). If you can avoid any infrastructure dependency, it's better!

IP authentication in rails

I'd like to know if this is possible? I have a client who would like to add a separate login with IP authentication, however from my understanding most service providers don't generate static IPs for their users.
How would this work?
Thanks
Check if request.remote_ip is within those addresses matching your requirements.
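A plain-Ruby version of the request.remote_ip check suggested in the answer above, which also serves the first question on this page (restricting particular URL paths by caller IP, done at the application layer instead of with Nginx allow/deny rules). This is an added example, not code from either answer; the class name, path prefixes, CIDR ranges and sample addresses are constructed for illustration, and the Rails wiring is shown only in a comment.

```ruby
require "ipaddr"

# Path-prefix -> allowed networks. A request whose path falls under a listed
# prefix is permitted only when the client IP is inside one of that prefix's
# networks; paths under no listed prefix stay unrestricted.
class PathIpAllowlist
  # rules example (constructed): { "/admin" => ["203.0.113.0/24", "2001:db8::/32"] }
  def initialize(rules)
    @rules = rules.map { |prefix, cidrs| [prefix, cidrs.map { |c| IPAddr.new(c) }] }
  end

  # remote_ip: the string Rails exposes as request.remote_ip; path: request.path
  def allowed?(remote_ip, path)
    ip = IPAddr.new(remote_ip)
    # Longest matching prefix wins, so "/admin/public" can relax "/admin".
    match = @rules.select { |prefix, _| prefix_match?(prefix, path) }
                  .max_by { |prefix, _| prefix.length }
    return true if match.nil?          # no rule covers this path
    _, nets = match
    # Compare only within the same address family; IPv6 callers never match
    # an IPv4 range by accident, and vice versa.
    nets.any? { |net| net.family == ip.family && net.include?(ip) }
  rescue IPAddr::InvalidAddressError
    false                              # unparsable client address: deny, don't guess
  end

  private

  # Match on a path-segment boundary so "/admin" does not cover "/administrator".
  def prefix_match?(prefix, path)
    path == prefix || path.start_with?(prefix.chomp("/") + "/")
  end
end

# Rails usage (comment only): in a controller,
#   ALLOWLIST = PathIpAllowlist.new("/admin" => ["203.0.113.0/24"])
#   before_action { head :forbidden unless ALLOWLIST.allowed?(request.remote_ip, request.path) }
```

Because most ISPs hand out dynamic addresses (as the question notes), the ranges should be the client's fixed office or VPN networks rather than individual home IPs; and since request.remote_ip is derived from X-Forwarded-For when Rails trusts a proxy, only your own load balancer should be able to reach the app directly.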
