I want to access cosmos db through specific ip address only. The only way I can see to achieve this is, specifying that ip address in 'Firewall and Virtual Network' section of azure cosmos db. Is there any other way to achieve this without specifying ip address in firewall ?
IP Firewall is the right way to do this. Is there a reason why you don't want to use IP Firewall?
You can also configure Azure Private Link.It is a set of private IP addresses in a subnet within your virtual network. You can then limit access to an Azure Cosmos account over private IP addresses.More details,please refer to this document.
By the way,you can use User + Permission to limit users accessing the resources.
Related
We have a VPC which has VMs with private IP addresses only. There is no Cloud NAT attached to this VPC, so we should not be able to reach out public IPs.
Despite of the aboves, we experienced that we were able to curl the following public IP address from an internal VM.
64.233.166.153
The subnet of the VM has Private Google Access enabled and there is a default route to the default internet gateway, no other route entry matches for this IP. But there is no Cloud NAT.
My questions:
How is it possible to reach public IPs without NAT at all?
Are there other reachable public IPs? (without Cloud NAT)
What are these IPs used for?
Looks like the IP address belongs to a GCP resource/API.
As per GCP documentation[1], when PGA(Private Google Access) is enabled GCP VM instances without external IP can connect to the set of external IP addresses used by Google APIs and services by enabling Private Google Access on the subnet used by the VM's network interface.
This could be the potential reason why your VM was able to speak with the Public IP.
[1] https://cloud.google.com/vpc/docs/configure-private-google-access
Answer provided by #dp nulletla is right.
#Robert - For your use case that you mentioned in the comments - to reach BQ API from GCE with private IP without leaving google backbone network, I believe VPC Private Service Connect (PSC) for Google APIs is the right solution approach for you.
By default, if you have an application that uses a Google service, such as Cloud Storage, your application connects to the default DNS name for that service, such as storage.googleapis.com. Even though the IP addresses for the default DNS names are publicly routable, traffic sent from Google Cloud resources remains within Google's network.
With Private Service Connect, you can create private endpoints using global internal IP addresses within your VPC network. You can assign DNS names to these internal IP addresses with meaningful names like storage-vialink1.p.googleapis.com and bigtable-adsteam.p.googleapis.com. These names and IP addresses are internal to your VPC network and any on-premises networks that are connected to it using Cloud VPN tunnels or VLAN attachments. You can control which traffic goes to which endpoint, and can demonstrate that traffic stays within Google Cloud.
Basically when you create PSC endpoint,you assign private IP address to this endpoint. You reach respective google API e.g. Big Query, you always connect via PSC endpoint IP. This way you can control egress traffic in your VPC firewall rule with deny all and allow only PSC endpoint IP.
Additionally you can go 1 step further and try to restrict traffic/data going to BQ APIs from your GCE/VPC on more granular level with the use of VPC Service Control. By setting the VPC SC perimeter you can define/enforce with more restrictive policies to avoid any sort of data exfiltration.
Thanks
BR
Omkar
The use case is the following:
Private network for the GCP project
VPN on the local computer that seems to be blocking SSH connections
A VM that has a webapp to be accessed but we don't want to expose the IP to the public network
What are the best practices to keep it private and to access it eg. with OAuth authentication?
What are the steps to make and to follow?
Appreciate your help with this.
There are several methods in Google Cloud. The second method is the recommended method based upon the requirements in your question.
If the users have defined public IP addresses, use Google Cloud VPC firewall rules to only allow access from approved IP addresses.
Do not assign a static public IP address to the instance. Add an HTTP(S) Load Balancer and enable IAP. Add each user's identity to IAP for identity-based access control.
Additional methods suitable for developers:
My favorite is to use WireGuard (VPN) and use peer-based access control.
I have an web app deployed in Azure App Service which uploads file to a blob container. Both App service and blob are in same resource group and region. After uploading a file successfully when I check the diagnostic logs of storage container I see a different IP address. This IP address does not belong to the list of outbound IPs mentioned in the App Service.
Why is it like that? Where does this IP come from?
Update:
The IP address is shown as private IP address if I search for it.
Regards
Binil
Generally, when web app makes an outbound call to the internet, it uses a set of predefined IP addresses. A storage account could have public or private endpoint to accept the request.
First, you could ensure that if the specific private IP you mentioned is the client request IP from app service to the storage account.
In this case, one of the possible reasons is that you have integrated your app with an Azure virtual network and enabled the integrated vnet service endpoint for Microsoft.Storage. This allow web app access an Azure storage account from a virtual network. See how Azure select a route for more details.
Edit
From this document,
Services deployed in the same region as the storage account use
private Azure IP addresses for communication. Thus, you cannot
restrict access to specific Azure services based on their public
outbound IP address range.
thus, it's properly using a private IP address from apps service to your Azure storage account in the same region over the Azure backbone network. To validate it, you can use a storage account in a different region than the app service.
I'm developing an integration with an API which requires to whitelist customers based on IP addresses. I can easily get outbound IP from Production environments such as Azure or AWS and get those whitelisted.
How can I configure it for my desktop whose public IP keeps on changing after every few hours?
Getting a fixed IP address for your home computer is dependant on your internet provider. Sometimes they offer fixed IPs for 'Business' customers only or such.
Another solution might be to stand up an OpenVPN instance in your cloud then only whitelist that IP address and your expected partner prod addresses. Then you just connect to your VPN to access your API, you can do this from anywhere as your only dependant on the IP address of the cloud OpenVPN instance.
This solution also scales with your development as you only need to add new OpenVPN users to let other developers work with you and don't need their ever changing IP addresses.
I found an easy solution from NordVPN. It has an option to get a dedicated IP VPN :)
I have two environments on jelastic 4.7. On one of them I have a Java Stack and a Redis server that need to be kept private without a public IP address. On the other environment, I have a Node.js Stack that have a Public IP.
So, Im searching the docs exhaustively and can't find the answer to the question.
Can I access the private IP and port of my Redis from the node app?? Every node on Jelastic has a local ip address. Can I access those between environments??
I think it's a simple question. I'm trying to avoid the overhead of creating a public IP Address for Redis.
Can I access the private IP and port of my Redis from the node app??
Every node on Jelastic has a local ip address. Can I access those
between environments??
Yes, you can connect to different nodes of different environments using just a local IP within one hosting provider or its regions (depends on providers setup). Also, you can use Endpoints in order to connect to local IPs of other providers or to the regions within one provider, if direct connection can't be established.
Besides that, you can use, for example, CNAME of database instead of a local IP.