Not sure if this is the right forum to ask this. Please redirect me if possible.
I have a specific endpoint in my node/express application that I want to lock down to certain IPs. All the other endpoints should be open to the public.
Is this possible using EC2 security groups? Or do I need to create a separate service to just host this endpoint on a different port and restrict that port to certain IPs?
If you can put the endpoint on a different port than the rest of the endpoints use, then you could do it all on the same machine - but if all of the endpoints are available on the very same port, it won't work and you would need to use something other than security groups to control access.
Here's my current approach. Instead of another application/process, I just create another express() instance and listen on a different port, like so:
var express = require('express');

// Public API: the security group allows every source IP to reach port 3000
var appMain = express();
appMain.get('/api/public', ...);
appMain.listen(3000);

// Restricted API: same process, separate listener on port 3001, which the
// security group opens only to the allowed source IPs
var appPrivate = express();
appPrivate.get('/api/private', ...);
appPrivate.listen(3001);
Then I use EC2 security groups to allow all IPs to port 3000, and restrict IPs to port 3001.
I'm not sure if you can do this with other app servers, but this is my approach with Node.
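For the case the answer above mentions, where every endpoint shares one port and a security group cannot tell them apart, the restriction has to be enforced in the application. The following is an added example, not code from the original post: an Express-style IP allowlist middleware written against the plain (req, res, next) signature so it runs here without Express installed. The CIDRs and addresses in it are constructed.

```javascript
// Added example, not from the original post: an Express-style middleware that
// restricts one route to an IPv4 allowlist, for the case where every endpoint
// shares a single port. Written against the plain (req, res, next) signature so
// it runs here without Express; the allowlist and addresses are constructed.

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// "a.b.c.d" or "a.b.c.d/len" -> { base, mask } as unsigned 32-bit integers.
function parseCidr(cidr) {
  const [ip, lenStr] = cidr.split('/');
  const len = lenStr === undefined ? 32 : Number(lenStr);
  const addr = ipv4ToInt(ip);
  if (addr === null || !Number.isInteger(len) || len < 0 || len > 32) {
    throw new Error(`bad CIDR: ${cidr}`);
  }
  // A shift by 32 would wrap to a shift by 0 in JS, so /0 is special-cased.
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return { base: (addr & mask) >>> 0, mask };
}

function ipInCidr(ip, { base, mask }) {
  const addr = ipv4ToInt(ip);
  return addr !== null && ((addr & mask) >>> 0) === base;
}

// Source address as seen by Node. Express sets req.ip (honouring its
// 'trust proxy' setting); fall back to the socket address otherwise. Do not
// read X-Forwarded-For here yourself: any client can set that header freely.
function clientIp(req) {
  const raw = req.ip || (req.socket && req.socket.remoteAddress) || '';
  // A dual-stack listener reports IPv4 clients as "::ffff:a.b.c.d".
  return raw.startsWith('::ffff:') ? raw.slice(7) : raw;
}

// Build the middleware: next() for allowed sources, 403 for everything else,
// including unparsable or non-IPv4 addresses (fail closed).
function ipAllowlist(cidrs) {
  const rules = cidrs.map(parseCidr);
  return function (req, res, next) {
    if (rules.some((rule) => ipInCidr(clientIp(req), rule))) return next();
    res.statusCode = 403;
    res.end('Forbidden');
  };
}

// Drive the middleware with a fake request from `ip`; returns 'next' or the
// status code it answered with, so the policy can be checked without a server.
function simulate(middleware, ip) {
  let outcome;
  const req = { socket: { remoteAddress: ip } };
  const res = { statusCode: 200, end() { outcome = this.statusCode; } };
  middleware(req, res, () => { outcome = 'next'; });
  return outcome;
}

// Constructed allowlist: one office /24 plus a single monitoring host.
const privateOnly = ipAllowlist(['203.0.113.0/24', '198.51.100.7']);
// With Express this would be mounted as: app.get('/api/private', privateOnly, handler);
console.log(simulate(privateOnly, '203.0.113.20'));        // 'next'
console.log(simulate(privateOnly, '::ffff:198.51.100.7'));  // 'next'
console.log(simulate(privateOnly, '10.0.0.5'));             // 403
```

If the instance sits behind an ELB/ALB, Express must be told to trust that proxy (`app.set('trust proxy', ...)` with the load balancer's address range) so that req.ip reflects the real client; otherwise every request appears to come from the load balancer and the allowlist either blocks everyone or, if the balancer's address is allowed, lets everyone through.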
In Spring security you can whitelist the incoming IP using hasIpAddress. Is it possible to have a whitelist for the incoming domain/url/servicename?
I have two services in a Kubernetes cluster; most of their endpoints can only be accessed with the access token (a legacy filter that can't be removed). However, I would like one service to call the other without a token for a particular endpoint (let's say service A calls service B). Is it possible to specify the service name rather than the IP to be whitelisted in service B? I don't want to make the endpoint publicly accessible. Do I have to convert it to an IP like this?
import java.net.InetAddress;

// Resolves the service name to an address via DNS at the time of the call
InetAddress ipaddress = InetAddress.getByName(service);
Is there something smart for Kubernetes services?
Maybe you can try to use the internal Kubernetes DNS link so you don't have to specify the IP address.
I currently have a Google Cloud Redis instance running which allows all connections (IP range 0.0.0.0/0), which I would like to secure.
I have an API that is hosted on Heroku that is being forwarded to via a Google domain. What I want to know is which IP do I add to the Source IP ranges field in the Google Cloud firewall config tab to only allow connections from my API.
There are a few things I am confused about:
I need to specify an IP range, but I'm only going to be connecting to it from one IP (the domain pointing to my API).
Which IP do I provide? The IP of my domain that is pointing to my API, or the IP of the API instance itself as it is on Heroku?
Any help would be great!
Thanks
Heroku itself is hosted on AWS, so it uses a subset of their EC2 range.
Looking at this answer, you could use
heroku regions --json
to find the currently used IP ranges.
Problem with that: they can change!
If you need a static source IP coming from a Heroku app, you might want to use one of the SOCKS5 proxy addons.
But:
There is a performance impact for this cross-datacenter usage between your application and the Redis instance, so actually I would recommend switching to a Redis instance from Heroku, or at least from a provider that lives inside the same AWS region.
I have a Heroku app that uses nodejs to serve a static web page https://foda-app.herokuapp.com
Heroku does not provide a fixed IP and I really need one for a personal project, so I'm trying to use Google Cloud's VPC reserved static external IP addresses.
I was able to reserve the IP but I'm not sure how I should link it with my Heroku app, since Google Cloud offers so many options and services. I just want to redirect all traffic from this IP to the Heroku app and I can't find a simple way to do it.
I need to create a global forwarding rule but I can't find a way to achieve this without using a lot of other services. Do I need a VM instance? Do I need a load balancer? Should I use VPC routes or Cloud DNS? I'm overwhelmed with all those services.
Please can someone tell me if it's possible, and what is the simplest way to achieve this?
You can achieve this in the two ways below:
Use a third-party add-on on Heroku, e.g. https://devcenter.heroku.com/articles/quotaguardstatic
Set up a proxy server on the static IP, and redirect all traffic to the desired Heroku URL.
Details for step 2:
Assigning a static external IP address to a new VM instance: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
Install Nginx/HAProxy on the newly procured VM.
Set up a config like the one below:
upstream heroku-1 {
    # Heroku app hostname; nginx resolves it when it starts, so reload nginx
    # if the app's address changes
    server foda-app.herokuapp.com fail_timeout=15s;
}
server {
    listen 80;
    server_name yourdomain.example;   # or the static IP address

    location / {
        proxy_pass http://heroku-1;
        # Heroku's router picks the app by the Host header, so it must carry
        # the app's own hostname rather than the name the client sent to this proxy
        proxy_set_header Host foda-app.herokuapp.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 300;
    }
}
Change DNS mapping for your domain(if any) to point to the static IP.
I have a lambda that needs to talk to a few AWS APIs.
It accesses the EC2 and Route53 APIs in order to get the ip address for an instance and update a Route53 recordset.
The lambda runs in a private VPC in ap-southeast-2. In order for the API calls to work, I have to add the following egress rule to the Lambda's security group:
# Egress rule on the Lambda's security group: HTTPS to any destination
resource "aws_security_group_rule" "https-egress-lambda-to-all" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  security_group_id = "${aws_security_group.lambda-sg.id}"
  cidr_blocks       = ["0.0.0.0/0"]
}
At the moment this rule says "allow this lambda to talk to anything on the internet via port 443". I'd like to narrow that statement to "allow this lambda to talk to the AWS API servers only".
I thought a VPC endpoint might be the way this is supposed to be done, but apparently that works only for S3.
Is there any way to lock down a security group's egress rules to allow access only to the AWS API servers?
AWS publishes the IP ranges that it uses for its services. You can set up rules to allow only these IP address ranges. As they change often, you probably want to automate that. Details are here: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
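What that automation has to do, as an added example that is not part of the original answer: read the published ip-ranges.json document, select the prefixes for the region and service keys you need, notice when a refresh changed them, and split the result into chunks that fit a security group. The document in the block is a constructed sample in the same shape as the real file, using RFC 5737 test addresses rather than AWS ranges, and the choice of (region, service) pairs is an assumption to be checked against the linked documentation.

```javascript
// Added example, not from the original answer: derive the CIDR list for an
// egress rule from the ip-ranges.json document AWS publishes, and detect when a
// refresh changed it. SAMPLE_IP_RANGES is a constructed document in the same
// shape as the real file, using RFC 5737 test addresses rather than AWS ranges.
const SAMPLE_IP_RANGES = {
  syncToken: '1700000000',
  createDate: '2023-11-14-22-13-20',
  prefixes: [
    { ip_prefix: '192.0.2.0/25',    region: 'ap-southeast-2', service: 'AMAZON',  network_border_group: 'ap-southeast-2' },
    { ip_prefix: '192.0.2.0/25',    region: 'ap-southeast-2', service: 'EC2',     network_border_group: 'ap-southeast-2' },
    { ip_prefix: '192.0.2.128/25',  region: 'ap-southeast-2', service: 'AMAZON',  network_border_group: 'ap-southeast-2' },
    { ip_prefix: '198.51.100.0/24', region: 'GLOBAL',         service: 'ROUTE53', network_border_group: 'GLOBAL' },
    { ip_prefix: '198.51.100.0/24', region: 'GLOBAL',         service: 'AMAZON',  network_border_group: 'GLOBAL' },
    { ip_prefix: '203.0.113.0/24',  region: 'eu-west-1',      service: 'AMAZON',  network_border_group: 'eu-west-1' },
  ],
  ipv6_prefixes: [],
};

// Which (region, service) pairs to allow. Assumption for this example: the
// regional AMAZON list for the Lambda's region plus the GLOBAL ROUTE53 list.
// Confirm against the linked AWS documentation which keys cover the API
// endpoints you actually call before relying on this selection.
const WANTED = [
  { region: 'ap-southeast-2', service: 'AMAZON' },
  { region: 'GLOBAL', service: 'ROUTE53' },
];

// IPv4 prefixes matching any wanted pair, deduplicated (the same prefix is
// listed once per service) and sorted so the output is stable between runs.
function selectPrefixes(doc, wanted) {
  const out = new Set();
  for (const p of doc.prefixes) {
    if (wanted.some((w) => w.region === p.region && w.service === p.service)) {
      out.add(p.ip_prefix);
    }
  }
  return [...out].sort();
}

// What changed between the CIDR set currently in the security group and the
// freshly selected one; an automated refresh only needs to touch the group
// when either array is non-empty.
function diffPrefixes(current, fresh) {
  const cur = new Set(current);
  const nxt = new Set(fresh);
  return {
    added: fresh.filter((c) => !cur.has(c)),
    removed: current.filter((c) => !nxt.has(c)),
  };
}

// A security group has a per-direction rule quota (60 by default), so split
// the list into chunks and attach one group per chunk to the Lambda.
function batch(cidrs, size = 60) {
  const chunks = [];
  for (let i = 0; i < cidrs.length; i += size) chunks.push(cidrs.slice(i, i + size));
  return chunks;
}

const cidrs = selectPrefixes(SAMPLE_IP_RANGES, WANTED);
console.log(SAMPLE_IP_RANGES.syncToken, cidrs);
// '1700000000' [ '192.0.2.0/25', '192.0.2.128/25', '198.51.100.0/24' ]
console.log(diffPrefixes(['192.0.2.0/25', '10.0.0.0/8'], cidrs));
// { added: [ '192.0.2.128/25', '198.51.100.0/24' ], removed: [ '10.0.0.0/8' ] }
console.log(batch(cidrs).length); // 1
```

Against the real file (https://ip-ranges.amazonaws.com/ip-ranges.json), compare its syncToken with the one last applied before recomputing anything, since the document is republished frequently. Note also that the AMAZON key is a superset that includes EC2 instance address space, so even the narrowed rule admits far more than the API endpoints themselves.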
I'm running some Node services on an Amazon instance (EC2). The services were deployed using SSH on the instance, but for some reason I can't access the service using the public IP, even though all the services are running. Is it necessary to enable the public IP in the configuration of my EC2 settings, or something like that?
Make sure your security group has the proper ports opened up. In the EC2 console, go to Security Groups (on the left side of the page). Find the security group of the EC2 instance.
There is a tab called Inbound. Make sure you have a row with type = SSH, protocol = TCP, port = 22, and source = 0.0.0.0/0.