Exposing internal server to the outside world - networking

Currently I'm using ngrok.io to expose a local service (e.g. localhost:3000) to the outside world. What can I do to expose an internal company service that is only accessible within a VPN to the outside world?

That depends on the network in which your service is located.
If it's a home network, you need to make sure you're not behind your internet provider's NAT (in other words, that you have a dedicated public IP address), then log into your router and configure port forwarding to your machine. If you don't have a dedicated public IP, or just want your service to work independently from your personal machine, consider hosting it on a VPS.
If it's a company network, your system administrator should be able to handle this (after deciding whether it's appropriate).

Related

Azure Network Security Group Vs Route Tables

Networking newbie here. From the documentation it feels like both NSGs and route tables (UDR) are doing the same thing - capable of defining ACLs at multiple levels (VNet, subnet, VM).
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
So how are they different and when is each used?
thanks.
Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table. The route table is like a networking map that tells the traffic from one place to another place via the next hop. This generates the "path" but does not filter traffic.
The Azure network security group is used to filter network traffic to and from Azure resources in an Azure virtual network. It contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. If there is no route to one place from a subnet, you do not even need to configure the security rules because there is no path. So when you consider the NSG it should have a successful network route.
For example, we can usually access an Azure VM in an Azure virtual network via SSH or RDP over the Internet, but exposing port 22 or 3389 this way is less secure. We can restrict access to your Azure VM by specifying the source IP address in the NSG. This setting allows traffic only from a specific IP address or range of IP addresses to connect to the VM. Read more details here. In this scenario, we need to ensure that there is a route to the internet from your Azure virtual network and vice versa.
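The split described in the answer above (the route table picks a path, the NSG filters), as a simplified model. This is an added example, not part of the original answer; the route entries, NSG rules and addresses are constructed, and real Azure evaluation has more fields than this model.

```python
import ipaddress

# Constructed route table for one subnet: (prefix, next hop type).
ROUTES = [
    ("10.0.0.0/16", "VnetLocal"),   # system route for the VNet address space
    ("0.0.0.0/0", "Internet"),      # system default route
    ("10.8.0.0/16", "None"),        # user-defined route that drops this range
]

# Constructed inbound NSG rules: (priority, source prefix, dest port, action).
NSG_INBOUND = [
    (100, "203.0.113.0/24", 22, "Allow"),   # SSH only from one admin range
    (200, "0.0.0.0/0", 443, "Allow"),       # HTTPS from anywhere
    (65500, "0.0.0.0/0", None, "Deny"),     # default deny-all-inbound rule
]

def next_hop(dest_ip, routes=ROUTES):
    """Route table: longest-prefix match picks the path; nothing is filtered."""
    dest = ipaddress.ip_address(dest_ip)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in routes
               if dest in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def nsg_decision(src_ip, port, rules=NSG_INBOUND):
    """NSG: lowest priority number is evaluated first; first match wins."""
    src = ipaddress.ip_address(src_ip)
    for _prio, prefix, rule_port, action in sorted(rules, key=lambda r: r[0]):
        if src in ipaddress.ip_network(prefix) and rule_port in (None, port):
            return action
    return "Deny"

def inbound_reaches_vm(src_ip, port):
    """A connection works only if the subnet can route back to the source
    AND the NSG allows the inbound flow."""
    hop = next_hop(src_ip)
    if hop in (None, "None"):
        return False, "no route"
    return nsg_decision(src_ip, port) == "Allow", f"route via {hop}"

if __name__ == "__main__":
    for src, port in [("203.0.113.9", 22), ("198.51.100.5", 22), ("10.8.3.3", 443)]:
        print(src, port, inbound_reaches_vm(src, port))
```

The second sample has a valid route but is denied by the NSG; the third is never evaluated against the NSG because the route table gives it no path.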

How can I open my local TCP port to public?

I have a TCP server for my personal chat. I want to expand my connection beyond my local network, and I want to open my port 28752 on the public IP of my PC so I can connect from wherever I want, only when my computer is on.
I have seen different solutions, for example DMZ to associate my local IP with the public IP, but I want to do this without modifying the router's settings; I want to do it from a program. Is it possible?
It is possible to open up ports, but it depends on the OS on which you are trying to accomplish it. You can use Linux iptables to manipulate the ports opened and closed on any Linux machine. Iptables. Some examples. The ports should also be opened on the firewall layer outside the VM, e.g. an AWS access policy, security group, or MAC's security firewall. Your laptop, when connected to the internet, will have a public IP address; you can share that public IP. But this IP address will change when you connect to a different router. You can use AWS CLI commands to assign a static IP address for your machine and expose it publicly. At the very least, you would need a public DNS server to expose your IP publicly. An easy way to achieve this is by putting a web server in the cloud. Without a domain, you can't expose your IP. Once you have settled on the domain (e.g. AWS Route 53, Ingress IP from K8, etc.), you can change/manipulate them from your program. It need not be language specific.

Not able to access Azure cloud service URL from public internet

I have deployed my ASP.NET WebForms application (Azure Web Role) on an Azure virtual network. I have been told by the IaaS team that the subnet which I have used needs proxy XX.XX.XX.XX:8080 for accessing the application from the internet. If it's a virtual machine I can add a proxy class, but I am not able to add the proxy class in the service configuration file and added it in the application web.config, but still it's opening from the public internet and not able to connect to RDP.
Please help me with this.
Thanks
RDP wouldn't require a proxy that I'm aware of. I imagine you match the same config as mentioned here to set your ACLs (too many images and not enough text to copy here)
http://blogs.msdn.com/b/walterm/archive/2014/04/22/windows-azure-paas-acls-are-here.aspx
If you really are trying to access via RDP, check out the following. If just web access, the above should work.
http://www.cloudcomputingadmin.com/articles-tutorials/windows-azure/azure-virtual-networks-and-cloud-services-part3.html
As per
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-rdp-detailed-troubleshoot/
Source 3: Cloud service endpoint and ACL
To eliminate the cloud service endpoint and ACL as being the source of issues or misconfiguration for virtual machines created using the Service Management API, verify that another Azure virtual machine that is in the same cloud service or virtual network can make Remote Desktop connections to your Azure virtual machine.
If you do not have another virtual machine in the same cloud service or virtual network, you can easily create a new one. For more information, see Create a virtual machine running Windows in Azure. Delete the extra virtual machine when you are done with your testing.
If you can create a Remote Desktop connection with a virtual machine in the same cloud service or virtual network, check for these:
The endpoint configuration for Remote Desktop traffic on the target virtual machine. The private TCP port of the endpoint must match the TCP port on which the Remote Desktop Services service on the virtual machine is listening, which by default is 3389.
The ACL for the Remote Desktop traffic endpoint on the target virtual machine. ACLs allow you to specify allowed or denied incoming traffic from the Internet based on its source IP address. Misconfigured ACLs can prevent incoming Remote Desktop traffic to the endpoint. Examine your ACLs to ensure that incoming traffic from your public IP addresses of your proxy or other edge server is allowed. For more information, see What is a Network Access Control List (ACL)?.
To have public internet connectivity into your worker role you need one of the following:
A public IP address (https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-instance-level-public-ip/) associated to the worker role instance (or)
A public endpoint configured to expose a specific port (https://azure.microsoft.com/en-us/documentation/articles/load-balancer-overview/)
If you use Network Security Group, please ensure that you have appropriate ACLs opened up to allow connection from Internet.
Thanks

What should I replace localhost with to run my web application from elsewhere?

I have a static IP address, say: 127.254.x.x
Is it possible to access my web application from some other place by just replacing localhost with my IP?
Also, what will I replace localhost with if the server is on a Wi-Fi network? I.e. the router assigns a different IP to my server (because of DHCP) other than my original static IP. In this case should it be
192.x.x.2:8090
Or
127.254.x.x
Any help is appreciated.
I have a static IP address, say: 127.254.x.x. Is it possible to access my web application from some other place by just replacing localhost with my IP?
Yes, provided you configure it correctly.
Normally, you have a broadband modem/router which talks to the outside world, and provides a NAT network range to your devices. So you have an external IP address (the one the modem/router uses to talk to the outside world), and probably several internal IP addresses (for your phone, your laptop, your other laptop, your Kindle, etc.).
So to access a web server on your internal network from the outside world, you have to do two things:
Configure your modem/router to "forward" traffic it receives on the desired port (port 80 for HTTP) to the server on your network. How you do this depends on your modem/router. Look for "port forwarding."
When trying to access the app from the outside world, use your external, not internal, IP address.
So for instance, if your external IP address is 222.111.222.12, and the IP address of the machine you're using as your web server is 127.154.0.23, then you tell your modem/router that whatever traffic it receives on port 80 it should forward to 127.154.0.23 (this configuration may be by IP address, or may be by the MAC address of the network card in your web server machine; it depends on the modem/router). Then to view your app from outside your network, you go to http://222.111.222.12 (or whatever name you assign that IP address to in DNS).
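A check for the precondition mentioned in the answers on this page (not being behind the provider's NAT, and using the external rather than the internal address), written as an added example that is not part of the original answers. The function names and sample addresses are constructed; both addresses are supplied by the caller and no network request is made.

```python
import ipaddress

# Ranges that can never be the target of a port forward from the internet.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 shared space
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918

def forwarding_verdict(router_wan_ip, externally_seen_ip):
    """Classify whether a port forward on this router is reachable from outside.

    router_wan_ip: the WAN address shown on the router's status page.
    externally_seen_ip: the address a remote host sees your traffic come from.
    """
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(externally_seen_ip)
    if wan in LOOPBACK:
        return "loopback"       # only reachable from the machine itself
    if wan in CGNAT:
        return "carrier-nat"    # ISP shares one public IP among customers
    if any(wan in net for net in PRIVATE):
        return "double-nat"     # another NAT device sits in front of the router
    if wan != seen:
        return "upstream-nat"   # something upstream rewrites the source address
    return "public"             # port forwarding on this router can work

def address_for_remote_clients(router_wan_ip, externally_seen_ip):
    """Return the address outside clients should use, or None if a port
    forward on this router alone cannot make the service reachable."""
    if forwarding_verdict(router_wan_ip, externally_seen_ip) == "public":
        return externally_seen_ip
    return None

if __name__ == "__main__":
    # Constructed samples using documentation and reserved ranges.
    for wan, seen in [("203.0.113.7", "203.0.113.7"),
                      ("100.72.3.9", "198.51.100.20"),
                      ("192.168.1.2", "198.51.100.20")]:
        print(wan, seen, forwarding_verdict(wan, seen))
```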

Access to a site on localhost from remote

I develop my project on my localhost, on Apache on an Ubuntu machine.
Sometimes I need to show progress to my customer.
Is it possible to access localhost from a remote machine?
You can use a service that provides a tunnel to your local service, such as localtunnel, pagekite or ngrok. These services simplify setting up remote demos, mobile testing and some provide request inspection as well.
I find ngrok useful because it provides an HTTPS address, which is needed to test things like webcam access.
Terms used in this answer:
Host = machine with site on it
Client = machine you are trying to access the host from
If the host and client are on the same network, you can access the host from the client by entering
http://(hostname or ip address)
in your client's browser. If the site is not running on port 80 (for http) or port 443 (for https), add the port like so (this example is for if your server is on 8080, a common alternate port):
http://(hostname or ip address):8080
If the host and client are not on the same network, and you need to reach across the internet from the client to see the host, you will need to make your host available on the internet for the client to access.
This can be extremely dangerous for your information security if you're not sure what you're doing and I'd recommend getting a cheap-o hosting account (can get them for like $10/month at places like 1:1 hosting).
There are many methods to do this - the difference is security, ease of configuration and cost of the solution.
Below I describe some methods with some analysis.
Port Forwarding (with Dynamic DNS and SSL encryption)
This requires router configuration (to forward your router's public port to the localhost port); however, this requires you to have a fixed IP address. In case your IP address is not fixed (in most cases) you need to use Dynamic DNS services to be able to use a domain name instead of an IP address (there are a lot of free services available). Here we still have the security question open. To solve the security question, i.e. set up an SSL certificate, we can use the Let's Encrypt service ( https://letsencrypt.org/ ) to get a free certificate; however, we should configure the local server to use the certificate or we should set up a reverse proxy (in most cases nginx or Apache) and configure the proxy to use the certificate.
Conclusion – Hard to setup if we want to have secure connection (can be done for free)
VPN
For this scenario we should use VPN services. We should connect our local machine to the VPN, then on the other side we should connect our client's machine to the VPN, which will allow us to access localhost by local IP address. We can set up our own VPN server; however, this requires knowledge to do it right.
Conclusion – Easy, Paid, Secure, Bad User Experience (connecting to VPN every time you need to connect to localhost)
Tunneling
For this scenario we can use free tunneling services (e.g. https://tunnelin.com/). The process is very straightforward, i.e. register a user, connect your device to the service (by running a one-line command on the device), and use the web interface to open/close secure tunnels to the device.
Conclusion – Free, Secure, Easy
Yes, if you have a public and static IP. Usually, ISPs offer static IPs during a session (i.e. until you disconnect and connect again).
