Access between accounts using NAT? - nat

So I have a problem and I think I can resolve it with a NAT Gateway, but I am not sure how to do it or if it is possible.
The scenario is that I need access from a specific IP that is in a VPC in AWS Account A to another specific IP in AWS Account B. We have configured a peering connection between those accounts, but the range of IPs that I need the access for is not configured in the route table. That is why I think I will need the NAT to just allow one IP (so it is more secure; I don't want to allow all the IPs).
Not sure if that makes sense? If not, is there any other approach for this problem?
Thanks
Vanessa
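A route-table entry for a peering connection can be as narrow as a single host (/32), so the same least-privilege goal can be reached without a NAT Gateway: one /32 route in each account pointing at the existing peering connection, plus a security-group rule on the Account B instance that admits only the Account A source host. The following is an added example, not code from the thread; the VPC CIDRs, IDs and addresses are constructed placeholders, and the `boto3` calls (`create_route`, `authorize_security_group_ingress`) are only made by `apply`, which is not run here.

```python
import ipaddress

# Constructed sample values; replace with the real IDs from each account.
LOCAL_VPC_CIDR = "10.0.0.0/16"              # Account A VPC (assumption)
PEER_VPC_CIDR = "10.1.0.0/16"               # Account B VPC (assumption)
ROUTE_TABLE_A = "rtb-0aaaaaaaaaaaaaaaa"     # placeholder, Account A subnet route table
ROUTE_TABLE_B = "rtb-0bbbbbbbbbbbbbbbb"     # placeholder, Account B subnet route table
PEERING_ID = "pcx-0123456789abcdef0"        # placeholder, the existing peering connection
SECURITY_GROUP_B = "sg-0bbbbbbbbbbbbbbbb"   # placeholder, SG on the Account B instance


def host_route(local_cidr, peer_cidr, target_ip):
    """Return the narrowest route (/32) from local_cidr to target_ip over peering.

    Raises ValueError when the VPC ranges overlap (peering cannot route between
    overlapping CIDRs) or when target_ip is not inside the peer VPC at all.
    """
    local = ipaddress.ip_network(local_cidr)
    peer = ipaddress.ip_network(peer_cidr)
    host = ipaddress.ip_network(f"{target_ip}/32")
    if local.overlaps(peer):
        raise ValueError("VPC CIDRs overlap; peering cannot route between them")
    if not host.subnet_of(peer):
        raise ValueError(f"{target_ip} is not inside peer VPC {peer_cidr}")
    return str(host)


def plan(source_ip, target_ip, port,
         local_cidr=LOCAL_VPC_CIDR, peer_cidr=PEER_VPC_CIDR,
         rtb_a=ROUTE_TABLE_A, rtb_b=ROUTE_TABLE_B,
         pcx_id=PEERING_ID, sg_b=SECURITY_GROUP_B):
    """Build the three least-privilege changes as boto3 keyword-argument dicts.

    route_a: Account A route table, /32 to the target via the peering connection.
    route_b: Account B route table, /32 back to the source (return traffic).
    ingress: security-group rule on the Account B instance, source /32 only.
    """
    forward = host_route(local_cidr, peer_cidr, target_ip)
    back = host_route(peer_cidr, local_cidr, source_ip)  # validates the source too
    route_a = {"RouteTableId": rtb_a, "DestinationCidrBlock": forward,
               "VpcPeeringConnectionId": pcx_id}
    route_b = {"RouteTableId": rtb_b, "DestinationCidrBlock": back,
               "VpcPeeringConnectionId": pcx_id}
    ingress = {
        "GroupId": sg_b,
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": back, "Description": "single peer host only"}],
        }],
    }
    return {"route_a": route_a, "route_b": route_b, "ingress": ingress}


def apply(changes, ec2_account_a, ec2_account_b):
    """Apply a plan. Each argument is a boto3 EC2 client built from that account's
    own credentials, since the route in Account A and the route plus security
    group in Account B are owned by different accounts. Not called in this example."""
    ec2_account_a.create_route(**changes["route_a"])
    ec2_account_b.create_route(**changes["route_b"])
    ec2_account_b.authorize_security_group_ingress(**changes["ingress"])


if __name__ == "__main__":
    # Dry run: show the planned changes for a constructed source/target pair.
    for name, change in plan("10.0.0.5", "10.1.2.3", 443).items():
        print(name, change)
```

Note that the /32 routes only take effect if no broader route to the peer VPC already exists in those route tables (a wider route would expose more than the one host), and that the network ACLs on both subnets still have to permit the traffic.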

Related

Getting a Static Public IP or any other workaround

I'm developing an integration with an API which requires whitelisting customers based on IP addresses. I can easily get the outbound IP from production environments such as Azure or AWS and get those whitelisted.
How can I configure it for my desktop whose public IP keeps on changing after every few hours?
Getting a fixed IP address for your home computer is dependent on your internet provider. Sometimes they offer fixed IPs for 'Business' customers only or such.
Another solution might be to stand up an OpenVPN instance in your cloud, then only whitelist that IP address and your expected partner prod addresses. Then you just connect to your VPN to access your API; you can do this from anywhere as you're only dependent on the IP address of the cloud OpenVPN instance.
This solution also scales with your development as you only need to add new OpenVPN users to let other developers work with you and don't need their ever changing IP addresses.
I found an easy solution from NordVPN. It has an option to get a dedicated IP VPN :)

How to set the external IP of a specific node in Google Kubernetes Engine?

Unfortunately, we have to interface with a third-party service which instead of implementing authentication, relies on the request IP to determine if a client is authorized or not.
This is problematic because nodes are started and destroyed by Kubernetes and each time the external IP changes. Is there a way to make sure the external IP is chosen from a fixed set of IPs? That way we could communicate those IPs to the third party and they would be authorized to perform requests. I only found a way to fix the service IP, but that does not change the individual nodes' IPs at all.
To be clear, we are using Google's Kubernetes Engine, so a custom solution for that environment would work too.
Yes, it's possible by using KubeIP.
You can create a pool of shareable IP addresses, and use KubeIP to automatically attach IP address from the pool to the Kubernetes node.
IP addresses can be created by:
opening Google Cloud Dashboard
going to VPC Network -> External IP addresses
clicking on "Reserve Static Address" and following the wizard (on the Network Service Tier, I think it needs to be a "Premium", for this to work).
The easiest way to have a single static IP for GKE nodes or the entire cluster is to use a NAT.
You can either use a custom NAT solution or use Google Cloud NAT with a private cluster.

Free DDNS service

I have got one firewall, with a public IP (dynamic) provided by my ISP.
As the IP is dynamic, I registered a domain with the service NO-IP so as not to worry whether the IP changes anymore.
The problem:
Looks like my ISP is also giving a name to that IP, so when I resolve it (standard DNS configured, such as 8.8.8.8) it resolves the name in favour of my ISP.
The key point:
Is there any way to "OVERRIDE" the name given by the ISP with the one registered in NO-IP, in order to ALWAYS resolve to the no-ip name?
Thanks!
Whatever you did with NO-IP/DDNS, it will have no effect on reverse DNS lookup. Reverse DNS is controlled by whoever "owns" the IP address, usually your ISP, so they would have to change the record according to your request (or sub-delegate it to your DNS servers), which they will almost certainly not do since you have a dynamic IP address.

Domain Name Split to Subnet DD-WRT

I am trying to set up a server system at home because I recently switched ISPs.
I own the vrakiver.net domain name through the register.com registrar.
My ISP provides a static IP to my DD-WRT router.
I have 2 computers set up with static IPs:
1st: "server" with IP 192.168.1.102
2nd: "g5" with IP 192.168.1.100
From within the LAN I can connect to either with server.local or g5.local or at their respective IPs.
I would like to set up the system so that I can use g5.vrakiver.net from anywhere in the world to access "g5" and server.vrakiver.net to access "server".
Port forwarding isn't going to cut it, because I need access to all the ports of both devices (but not necessarily at the same time).
I read something somewhere about some systems asking what domain the user was directed from and then deciding where to route based on that.
I think this should be physically possible, because it would be so easy on IPv6: just set the domain record to each host's publicly accessible IP.
Thanks in advance for any advice on this you can give.
I'm afraid what you're trying to achieve is not possible.
Your clients will first resolve server.vrakiver.net or g5.vrakiver.net before contacting your router.
As the resolution yields the same IP address, your router has no way to know which name has been used.

Will the IP address of the Google API host ever change?

We would like to use the Google Translate API from a host which doesn't have open access to the Internet. To set up the firewall rules I would need the list of possible IP addresses for www.googleapis.com. It resolves to different IP addresses depending on the location, so it seems to be difficult to create a future-proof firewall rule.
Do you know how could I get the list of IP addresses or network ranges for the Google API servers?
The IP addresses used for any given googleapis.com server could change. Google doesn't have just one network block which they host all of their content out of; they have a bunch of them, and they change over time.
There are several ways you could set up your restricted network to allow access to *.googleapis.com without hard-coding IP addresses. I don't know anything about your setup, but I've found that using an internal proxy is often the best bet when you want to allow/restrict access to a domain.