For a hybrid-cloud use-case we are looking into the suitability of EnvoyProxy to act as a solution to move data across an on-premise firewall. The intended setup is as follows:
App A is located in an on premise network with no direct outbound or inbound Internet connection
App B is located on the cloud
An envoy proxy (PC) is placed in the cloud
An envoy proxy (PA) is placed in the on-premise network, and configured to allow outbound network connection to PC
PA creates a open bi-directional authenticated TLS connection to PC, effectively creating a tunnel between them
App B invokes an API endpoint at PC, which gets routed to PA over the open TLS connection, and forwarded by PA to App A
Routing data with Envoy to upstream clusters is well documented. However, we are wondering if Envoy is able to setup a TLS connection between two proxy instances and use that channel in both directions. The constraint is that this TLS connection can be setup from one direction (outbound) only.
If this is possible, could someone point me to the right direction?
With kind regards,
Joost
IN Azure we use Azure relay Hybrid Connections service for this.
https://learn.microsoft.com/en-us/azure/azure-relay/relay-what-is-it
i guess aws guys can create a wcf relay(in above link) app and deploy it to aws
yes, we use Envoy to create mTLS tunnels between networks
See https://www.youtube.com/watch?v=nWKu7ThNKwM&list=PLHsuXkXI4xdjGlGkCBdxIAmkzfWXqsUrO&index=3
Related
I have an account in chatgpt but as I located in the restricted country, I tried to use AWS proxy (US server) to login chatgpt. Few weeks ago it worked but now I get an error message access denied error code 1020. I used tinyproxy in stealth mode at first but since I was unable to pass through the cloudflare, I guessed probably the proxy was not good enough to disguise itself as a proxy, so I tried squid vpn in stealth mode and algo vpn, but all did not work(Tried other AWS countries server as well other than US). Until now, I figure out chatgpt might probably just banned all connection from amazon or perhaps my proxy is just not smart enough to pass through cloudflare? What are more options? Any recommended free vpn proxy that I could installed into my AWS EC2 or perhaps I should try other less known cloud services instead? e.g. (other non-restricted country's local cloud services) Besides, I have consider using other free proxy from the internet but as I need to login my gmail, is it danger to do so but since its https so my username and password should be encrypted?
I have the same problem, simple ssh tunneling works you can use a jump server to bypass your country first and than use different server to use as proxy because some of your vps servers get banned with IP, so you may have to use another vpn with different proxy
ssh -D "port to make SOCKS 5 Connection like" <10808> -J <"user">#<"jump server IP"> <"user">#<"final server IP">
than you can use "foxyproxy" extention to build SOCKS5 proxy that uses specified port in this example 10808 to route your browser terrafic through tunnel in port 10808 to final server
or you can use something like sshuttle, but i was fine with this simple tunneling method in GFW
So, I've encountered a weird situation and am wondering whether you may have some suggestions as to how to investigate it...
I have a C# app that connects to Azure Blob Services using the latest SDK and TLS 1.2. When I am at home and on the Internet, I am able to upload files to blob storage without any issues. However, when I go into our office, using the same app on an office computer, I get a connection failure. I am able to access the Internet through a browser.
The networking is as simple as at my home... ISP connection, router/firewall, my computer.
I cannot imagine why enabling TLS1.2 would suddenly make my app not work in the office, but still work at home. Based on these tests, it seems like a NIC issue or an infrastructure issue at the office, but I have never heard of a NIC or router blocking TLS 1.2 outside of a VPN connection. There is no VPN involved.
I am planning on directly connecting my computer to the company's Internet connection, configuring the nic for the wan, and see what happens. If it works, then there must be something strange going on with the company's router (nothing elaborate; netgear, or such).
Has anyone encountered this issue? Seems really odd to me...
Thanks for your time and interest,
Mike
• It is not an issue with enabling of TLS 1.2 on your office network or your home network or even your Azure blob storage, it is basically related to the communication over SMB TCP port 445 from your local system to the mapped Azure blob storage on your system.
On your home network, you were able to access the blob storage and able to upload files in it because your ISP has enabled outbound communication over SMB TCP port 445 on his firewall and gateway server over the internet and thus, you were able to access the mapped Azure blob storage and upload files in it. But the same case is not valid for in your office network as it being a protected one, outbound communication over SMB TCP port 445 is restricted and not allowed.
• To test whether communication over TCP SMB port 445 can happen or not, I would request you to execute the below powershell command and check the results thereafter: -
Test-NetConnection -Port 445 -ComputerName somestoragexxx.file.core.windows.net
If this TCP 445 connectivity fails, then you could check with your ISP or your on-premises office network security is blocking communication over outbound port 445. Please note that you should open the outbound port instead of inbound port 445.
Kindly refer to the documentation link below for details to know the different ways to access files in Azure files: -
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-faq#general
Also, refer to the link below for knowing the Azure routing mechanism to reach the resources hosted on Azure: -
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#default
I'm trying to connect my local standalone MySQL with Cloud Fusion to create and test a data pipeline. I have deployed the driver successfully.
Also, I have configured the pipeline properties with correct values of jdbc string, user name and password but connectivity isn't getting established.
Connection String: jdbc:mysql://localhost:3306/test_database
I have also tried to test the connectivity via data wrangling option but that is also not getting succeeded.
Do I need to bring both the environments under same network by setting up some VPC and tunneling?
In your example, I see that you specified localhost in your Connection String. localhost is only advertised to other services running local to your machine, and Cloud Data Fusion (running in GCP) will not be able to reach the MySQL instance (running on your machine). Hence you're seeing the connectivity issue.
I highly recommend looking at this answer on SO that will help you setup a quick proof-of-concept.
I think that your question is more related to the way how to connect some on-premise environments to GCP networking system that gathering Google cloud instances or resources throughout VPC connection model.
Admitting the fact that GCP is actually leveraging different approaches for connection methods within a Hybrid cloud concepts, I would encourage you to learn some fundamental principles of Cloud VPN as a essential part of performing secure connection between particular VPN Peer Gateway and Cloud VPN Gateway and further creating a VPN tunnel between parties.
I guess there is even dedicated chapter in GCP documentation about Data Fusion VPC peering implementation that might be helpful in your user case.
I've to design a solution that permits to read real-time data generated by local sensors through a remotely-hosted web application.
The design is still work in progress: the sensors' data could be handled by a windows application/service installed on the client machine, or by some external hardware (like a raspberry) located on the same network of the client machine.
Now, I'm very new to WebSockets, but they seems exactly what I need for providing real-time data via browser.
My question is: can a remote web application open a WebSocket to a server that is located on the same local network which the client belongs to?
Is solution B possible? How can I achieve that?
For example, I'd like the server to be located on the client localhost. Sensors would send data to the local windows service, and the web application would show them by opening a WebSocket to localhost (client localhost, not server localhost!).
Well, I did some testing and the answer is yes, it is possible.
Test setup:
A web page hosted on a remote server, with a WebSocket client which connects to 'localhost'.
WebSocket server running on my pc.
It worked.
I have a scenario where I have a Windows VM in windows Azure that needs to connect to an external customer network (and connect to a database that is not in Azure).
This traffic is uni-directional in that it is only my VM that needs to connect to the customer's databases and not the other way around. Site to site is managed on Azure, which I cannot really test locally.
Conceptually, connecting to the customer's network via a point-to-site VPN seems more suitable (by creating the VPN connection in Windows itself via the network config).
The customer prefers site-to-site even though they don't need to connect to my VM. Am I missing something?
In point-to-site, you have to connect to the network you want to access manually. Usually, if you log-off or restart the workstation it loses connection, and you have to reconnect every time. It's common to use this type of VPN when we are working remotely, and we need to access our company assets. The channel is bi-directional, but it's 1-to-many.
Site-to-site is used when you want to connect two networks and keep the communication up all the time. It's also bi-directional, but it's many-to-many and stays up no matter if your server/workstation is running or not because the connection is established through a network gateway and not from the computer operating system.
In Azure, the Virtual Network Gateway is the platform providing both functionalities. You can configure site-to-site to connect to your customer network. If this network is not running in Azure, they usually have an appliance to establish dedicated tunnels. As long as it supports IPsec IKE, you are good to go.
If you are using the VM in Azure as a workstation, then point-to-site may be enough, but if your application needs to get data from the customer database automatically with or without someone logged in the VM, then site-to-site is a better approach.
A better explanation can be found here