I have an Azure Container Instance in my VNET. However, from the ACI I am trying to resolve my Azure Storage Account which is enabled with Private Endpoints in the same VNET but not able to resolve. What could be the issue?
You can use this command to get the Private IP address of Private endpoint of storage account.
nslookup <storage-account-name>.blob.core.windows.net
Replace <storage-account-name> with the name of the storage.
Note: I have configured the private endpoint while creating the storage account itself.
A private IP address of 10.0.0.5 is returned for the storage account name. This address is in the subnet of the virtual network you created previously.
Reference: https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-storage-portal#test-connectivity-to-private-endpoint
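A way to make that nslookup check repeatable from inside the container, as an added example that is not part of the original answer: the script parses nslookup output, verifies that the CNAME chain goes through the privatelink zone and that the returned address lies in the VNet range. The storage account name "mystorage", the VNet range 10.0.0.0/24 and both sample outputs are constructed; the failure case shows what you see when the resolver does not have the privatelink private DNS zone linked, in which case the name falls through to the public endpoint.

```python
import ipaddress
import re

# Constructed nslookup output for an assumed storage account "mystorage", as seen
# from a VNet where the privatelink.blob.core.windows.net private DNS zone is linked.
GOOD_OUTPUT = """\
Server:  168.63.129.16
Address:  168.63.129.16#53

Non-authoritative answer:
mystorage.blob.core.windows.net canonical name = mystorage.privatelink.blob.core.windows.net.
Name:   mystorage.privatelink.blob.core.windows.net
Address: 10.0.0.5
"""

# Constructed output for the failure case: the resolver does not see the
# privatelink zone, so the name falls through to the public endpoint
# (placeholder CNAME and documentation-range IP, not real Azure values).
BAD_OUTPUT = """\
Server:  168.63.129.16
Address:  168.63.129.16#53

Non-authoritative answer:
mystorage.blob.core.windows.net canonical name = blob.EXAMPLE-region.store.core.windows.net.
Name:   blob.EXAMPLE-region.store.core.windows.net
Address: 203.0.113.10
"""

# Linux nslookup prints "canonical name = ..."; Windows prints "Aliases: ...".
CNAME_RE = re.compile(r"(?:canonical name = |Aliases:\s*)(\S+)", re.IGNORECASE)
ADDR_RE = re.compile(r"^Address(?:es)?:\s*(\S+)", re.IGNORECASE)


def parse_nslookup(output: str) -> dict:
    """Return the CNAME chain and answer addresses, dropping the resolver's own address."""
    cnames, answers = [], []
    in_answer = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(("non-authoritative answer", "name:")):
            in_answer = True  # everything from here on is the answer section
        m = CNAME_RE.search(line)
        if m:
            cnames.append(m.group(1).rstrip(".").lower())
            continue
        m = ADDR_RE.match(line)
        if m and in_answer:
            answers.append(m.group(1).split("#")[0])  # strip a "#53" port suffix if present
    return {"cnames": cnames, "addresses": answers}


def check_private_endpoint(output: str, vnet_cidr: str, service: str = "blob") -> dict:
    """Decide whether the storage name resolved to a private endpoint inside vnet_cidr."""
    parsed = parse_nslookup(output)
    net = ipaddress.ip_network(vnet_cidr)
    suffix = f".privatelink.{service}.core.windows.net"
    has_privatelink = any(c.endswith(suffix) for c in parsed["cnames"])
    in_vnet = [a for a in parsed["addresses"] if ipaddress.ip_address(a) in net]
    first = parsed["addresses"][0] if parsed["addresses"] else None
    if has_privatelink and in_vnet:
        return {"ok": True, "address": in_vnet[0], "reason": "private endpoint answer inside the VNet"}
    if not has_privatelink:
        reason = "no privatelink CNAME: this resolver does not see the privatelink private DNS zone"
    else:
        reason = "privatelink CNAME present but the address is outside the VNet range"
    return {"ok": False, "address": first, "reason": reason}


if __name__ == "__main__":
    for label, out in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        print(label, check_private_endpoint(out, "10.0.0.0/24"))
```

In practice you would pipe the real `nslookup <storage-account-name>.blob.core.windows.net` output from the container into `check_private_endpoint` with your own VNet range; a "no privatelink CNAME" result points at DNS (the zone link or a custom DNS server that is not forwarding to Azure DNS) rather than at the private endpoint itself.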
We have a VPC which has VMs with private IP addresses only. There is no Cloud NAT attached to this VPC, so we should not be able to reach out public IPs.
Despite the above, we found that we were able to curl the following public IP address from an internal VM.
64.233.166.153
The subnet of the VM has Private Google Access enabled and there is a default route to the default internet gateway, no other route entry matches for this IP. But there is no Cloud NAT.
My questions:
How is it possible to reach public IPs without NAT at all?
Are there other reachable public IPs? (without Cloud NAT)
What are these IPs used for?
Looks like the IP address belongs to a GCP resource/API.
As per GCP documentation [1], when PGA (Private Google Access) is enabled, GCP VM instances without an external IP can connect to the set of external IP addresses used by Google APIs and services, by enabling Private Google Access on the subnet used by the VM's network interface.
This could be the potential reason why your VM was able to speak with the Public IP.
[1] https://cloud.google.com/vpc/docs/configure-private-google-access
Answer provided by #dp nulletla is right.
#Robert - For your use case that you mentioned in the comments - to reach BQ API from GCE with private IP without leaving google backbone network, I believe VPC Private Service Connect (PSC) for Google APIs is the right solution approach for you.
By default, if you have an application that uses a Google service, such as Cloud Storage, your application connects to the default DNS name for that service, such as storage.googleapis.com. Even though the IP addresses for the default DNS names are publicly routable, traffic sent from Google Cloud resources remains within Google's network.
With Private Service Connect, you can create private endpoints using global internal IP addresses within your VPC network. You can assign DNS names to these internal IP addresses with meaningful names like storage-vialink1.p.googleapis.com and bigtable-adsteam.p.googleapis.com. These names and IP addresses are internal to your VPC network and any on-premises networks that are connected to it using Cloud VPN tunnels or VLAN attachments. You can control which traffic goes to which endpoint, and can demonstrate that traffic stays within Google Cloud.
Basically, when you create a PSC endpoint, you assign a private IP address to this endpoint. When you reach the respective Google API, e.g. BigQuery, you always connect via the PSC endpoint IP. This way you can control egress traffic in your VPC firewall rules with deny all and allow only the PSC endpoint IP.
Additionally, you can go one step further and try to restrict traffic/data going to BQ APIs from your GCE/VPC on a more granular level with the use of VPC Service Controls. By setting the VPC SC perimeter you can define/enforce more restrictive policies to avoid any sort of data exfiltration.
Thanks
BR
Omkar
I want to access cosmos db through specific ip address only. The only way I can see to achieve this is, specifying that ip address in 'Firewall and Virtual Network' section of azure cosmos db. Is there any other way to achieve this without specifying ip address in firewall ?
IP Firewall is the right way to do this. Is there a reason why you don't want to use IP Firewall?
You can also configure Azure Private Link. It is a set of private IP addresses in a subnet within your virtual network. You can then limit access to an Azure Cosmos account over private IP addresses. For more details, please refer to this document.
By the way, you can use User + Permission to limit users accessing the resources.
I have a web app deployed in Azure App Service which uploads files to a blob container. Both the App Service and the blob are in the same resource group and region. After uploading a file successfully, when I check the diagnostic logs of the storage container I see a different IP address. This IP address does not belong to the list of outbound IPs mentioned in the App Service.
Why is it like that? Where does this IP come from?
Update:
The IP address is shown as private IP address if I search for it.
Regards
Binil
Generally, when a web app makes an outbound call to the internet, it uses a set of predefined IP addresses. A storage account could have a public or private endpoint to accept the request.
First, you could ensure that the specific private IP you mentioned is the client request IP from the App Service to the storage account.
In this case, one of the possible reasons is that you have integrated your app with an Azure virtual network and enabled the integrated VNet service endpoint for Microsoft.Storage. This allows the web app to access an Azure storage account from a virtual network. See how Azure selects a route for more details.
Edit
From this document:
"Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you cannot restrict access to specific Azure services based on their public outbound IP address range."
Thus, it's properly using a private IP address from the App Service to your Azure storage account in the same region over the Azure backbone network. To validate it, you can use a storage account in a different region than the App Service.
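To turn the reasoning in this answer into a check you can run over the storage logs, here is an added example (not code from the original thread): it classifies each caller address as one of the App Service's published outbound IPs, a private address on the Azure backbone path the quoted document describes, or an unexpected public address that deserves a look. The outbound IP set and the JSON log records are constructed (documentation-range addresses, simplified record shape); only the `callerIpAddress` field, which carries `ip:port` as in StorageBlobLogs, and the operation name are used.

```python
import ipaddress
import json

# Constructed: the outbound IPs listed on the App Service's Properties blade
# (documentation-range addresses, not real ones).
APP_SERVICE_OUTBOUND_IPS = {"203.0.113.5", "203.0.113.6", "198.51.100.7"}

# RFC 1918 plus the IPv6 ULA range. Checked explicitly rather than via
# ipaddress.is_private, which also treats documentation ranges as private.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed, simplified storage log records (JSON lines). Real StorageBlobLogs
# records carry many more fields; only callerIpAddress ("ip:port") and the
# operation name matter here.
SAMPLE_LOG = """\
{"time": "2023-05-01T10:00:01Z", "operationName": "PutBlob", "callerIpAddress": "10.0.1.4:49152", "statusCode": 201}
{"time": "2023-05-01T10:00:02Z", "operationName": "GetBlob", "callerIpAddress": "203.0.113.5:51000", "statusCode": 200}
{"time": "2023-05-01T10:00:03Z", "operationName": "ListBlobs", "callerIpAddress": "192.0.2.77:4433", "statusCode": 200}
{"time": "2023-05-01T10:00:04Z", "operationName": "PutBlob", "callerIpAddress": "10.0.1.4:49153", "statusCode": 201}
"""


def caller_ip(caller: str) -> ipaddress._BaseAddress:
    """Strip the ':port' suffix from a callerIpAddress value (IPv4 or bracketed IPv6)."""
    host = caller
    if host.startswith("["):
        host = host[1:host.index("]")]
    elif host.count(":") == 1:
        host = host.split(":")[0]
    return ipaddress.ip_address(host)


def classify_caller(caller: str, outbound_ips: set) -> str:
    """Bucket a callerIpAddress value by where the request plausibly came from."""
    ip = caller_ip(caller)
    if str(ip) in outbound_ips:
        return "app-service-outbound"   # matches a published outbound IP
    if any(ip in net for net in PRIVATE_NETS):
        return "private-azure-path"     # same-region / VNet-integrated traffic, as the answer describes
    return "unexpected-public"          # neither: worth investigating


def summarize(log_text: str, outbound_ips: set) -> dict:
    """Count records per category and collect the public callers that need a look."""
    counts = {}
    unexpected = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        category = classify_caller(rec["callerIpAddress"], outbound_ips)
        counts[category] = counts.get(category, 0) + 1
        if category == "unexpected-public":
            unexpected.append((rec["callerIpAddress"], rec["operationName"]))
    return {"counts": counts, "unexpected": unexpected}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, APP_SERVICE_OUTBOUND_IPS))
```

The private bucket is exactly the traffic the quoted document says you cannot pin to an outbound IP range, which is why a storage firewall rule listing the App Service's public outbound IPs does not cover same-region calls; the third bucket is the one to alert on.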
We are currently using OpenStack Newton. We can access the API using the client on the public endpoint from any computer, but the VMs don't have access to it: they can ping the IP and DNS name but can't curl or access it using openstack-client. How can we allow connections from VMs to the API?
Assuming your public API endpoint is externally accessible, the network on which your virtual machine resides will need external access. This can be achieved in a few different ways, depending on your current configuration. You can create a Neutron provider network/subnet which will provide access to a physical network and gateway to the outside world. You can then boot your instance directly on the provider network. More information on Neutron provider networks can be found at docs.openstack.org.
The problem is that floating IPs don't give the route to my external network.
I added a route using neutron and now all is working perfectly. For info, the command is:
neutron router-update demo-routeur --routes type=dict list=true destination=192.168.0.27/27,nexthop=10.0.0.1
A theoretical question:
If I have a cloud account in Amazon EC2 (or at all...)
and I access an instance from another instance by its public IP and not its private IP,
will it make a difference? Will the routers/switches know that they are in the same network, or will the information go outside and come back in again?
Thanks!
If you connect via public DNS, EC2 automatically resolves it to an internal IP within EC2 and to the external IP outside of EC2. The form of the public DNS name follows a simple pattern that incorporates the public IP.
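The naming pattern the answer refers to, as an added example that is not part of the original reply: the parser below recognises EC2 public hostnames (`ec2-<ip>.<region>.compute.amazonaws.com`, with the legacy `compute-1` form for us-east-1) and private hostnames (`ip-<ip>.<region>.compute.internal`, or `ec2.internal` for us-east-1), and extracts the embedded address and region. Every hostname in it is constructed for illustration; the helper name `parse_ec2_hostname` is mine.

```python
import ipaddress
import re

# Public names embed the public IP with dashes: ec2-54-12-34-56.eu-central-1.compute.amazonaws.com
# us-east-1 keeps the legacy form ec2-54-12-34-56.compute-1.amazonaws.com
PUBLIC_RE = re.compile(
    r"^ec2-(?P<ip>\d{1,3}(?:-\d{1,3}){3})\."
    r"(?:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.compute|compute-1)\.amazonaws\.com$"
)
# Private names embed the VPC address: ip-10-0-0-5.eu-central-1.compute.internal
# us-east-1 uses ip-10-0-0-5.ec2.internal
PRIVATE_RE = re.compile(
    r"^ip-(?P<ip>\d{1,3}(?:-\d{1,3}){3})\."
    r"(?:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.compute\.internal|ec2\.internal)$"
)


def parse_ec2_hostname(name: str):
    """Return kind, embedded IP and region for an EC2-generated hostname, or None."""
    name = name.strip().lower().rstrip(".")
    for kind, pattern in (("public", PUBLIC_RE), ("private", PRIVATE_RE)):
        m = pattern.match(name)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip").replace("-", "."))
        return {
            "kind": kind,
            "ip": str(ip),
            "region": m.group("region") or "us-east-1",  # no region label means us-east-1
            "ip_is_global": ip.is_global,  # sanity check: a public name should carry a routable IP
        }
    return None


if __name__ == "__main__":
    # Constructed hostnames, not real instances.
    for host in ("ec2-54-12-34-56.compute-1.amazonaws.com",
                 "ec2-18-196-1-2.eu-central-1.compute.amazonaws.com",
                 "ip-10-0-0-5.ec2.internal",
                 "example.com"):
        print(host, "->", parse_ec2_hostname(host))
```

Because the public name encodes the public IP, the split-horizon behaviour the answer describes is what makes the difference: resolving the name from inside EC2 yields the private address, while connecting to the literal public IP skips that step.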