How does a customer connect WKC (cloud) to their on-prem data sources? - watson-knowledge-catalog

Looking for documentation on our overall networking for WKC on Cloud in order to feel confident in its viability & security. Want to know all connectivity and networking options for WKC.

The recommended way is to use the IBM Cloud Secure Gateway service. WKC has direct support for it.
Here are the docs for creating a connection.
Here are the docs for configuring a secure gateway service.
Here are the docs for all connections available out of the box in WKC.

Related

In Transit Encryption

I'm currently developing an application for a client and their requirement is that the application needs in transit and at rest encryption. I assured that it was and was required to provide documentation for that. I referenced this documentation from Google Cloud's website. They replied by asking if my claim stands in light of the following section
Using a connection directly to a VM using an external IP or network load balancer IP
If you are connecting via the VM's external IP, or via a network-load-balanced IP, the connection does not go through the GFE. This connection is not encrypted by default and its security is provided at the user's discretion.
My mobile application uses Firebase SDK to talk to the Firebase database and Firebase functions. I have no background in networking nor do I understand what is exactly being referenced here despite Googling the concepts. Is my data still encrypted? Does the above section apply to my use case?
No, that applies only to VMs and network load balancers. Both Cloud Functions (so long as you're using https for all requests) and the Firebase Realtime database encrypt data in transit.

Can I use Steeltoe Eureka service discovery in a gRPC client/server?

I have a gRPC service that I want to add to service discovery so that a gRPC client is able to discover it, but I could not find anything online to help me with that.
I am using Steeltoe with Eureka.
Thanks.
Steeltoe doesn't have explicit support for gRPC, but at this point it doesn't appear to be necessary (because it does work).
See this issue for more info and/or join the conversation

Are the Google Cloud Endpoints only for REST?

I have a virtual machine with Cassandra, and now I need (temporarily) to expose this machine to the world (the idea is to run a Cassandra client on some computers in my home/office/...). Is Google Cloud Endpoints the best way to expose this machine to the world?
I am assuming that you are running Cassandra on a Google Compute Engine (CE). When one runs a compute engine, one can specify that one wants a public internet address to be associated with it. This will allow an Internet connected client application to connect with it at that address. The IP address can be declared as ephemeral (it can be changed by GCP over time) or it can be fixed (I believe there will be a modest charge for its allocation). When one attempts to connect to the software running on the Compute Engine, a firewall rule (by default) will block the vast majority of incoming connections. Fortunately, since you own the CE you also own the firewall configuration. If we look here:
https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureFireWall.html
we see the set of ports needed for different purposes. This gives us a hint as to what firewall rule changes to make.
Cloud Endpoints is for exposing APIs that YOU develop in your own applications and doesn't feel like an appropriate component for accessing Cassandra.

How to establish pub-sub architecture using ActiveMQ when subscribers are in the public internet

I have a situation where messages are being generated by an internal application but the consumers for the messages are outside our enterprise network. Will either of http(s) transport or REST connectivity work in this scenario, with HTTP reverse proxy on DMZ? If not, is it safe to have a broker on the DMZ which can act as gateway to outside consumers?
Well, the REST/HTTP approach to connecting to ActiveMQ is very limited, as it does not support true messaging semantics.
Exposing an ActiveMQ broker is no less secure than any other communication software if precautions are taken (TLS, default passwords changed, high-entropy passwords used and/or mutual authentication, recent patches applied, web console/Jolokia not exposed externally without precautions, etc.).
In fact, you can buy ActiveMQ instances online from Amazon, which indicates that at least they think it's not such a bad idea to put them on the Internet.
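The precautions listed in the answer, written out as an activemq.xml fragment for a broker that sits in the DMZ. This is an added example, not configuration from the original post; the broker name, user names, topic prefix, keystore paths and the ${...} password properties are assumed placeholders.

```xml
<!-- Added example: activemq.xml fragment for a broker placed in a DMZ.
     Broker name, users, topic prefix, keystore paths and property names are assumed placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
       http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="dmz-broker" useJmx="false">
    <plugins>
      <!-- Replace the shipped default accounts; passwords are injected from the
           credentials properties file rather than hard-coded here. -->
      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="ext-consumer" password="${ext.consumer.password}" groups="consumers"/>
          <authenticationUser username="int-producer" password="${int.producer.password}" groups="producers"/>
        </users>
      </simpleAuthenticationPlugin>
      <!-- External consumers may only read the outbound topics; only the internal producer may write. -->
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <authorizationEntry topic="outbound.>" read="consumers" write="producers" admin="producers"/>
              <authorizationEntry topic="ActiveMQ.Advisory.>" read="consumers,producers"
                                  write="consumers,producers" admin="consumers,producers"/>
            </authorizationEntries>
          </authorizationMap>
        </map>
      </authorizationPlugin>
    </plugins>
    <!-- Broker certificate plus a truststore holding the client CA, so mutual TLS can be required. -->
    <sslContext>
      <sslContext keyStore="file:${activemq.conf}/broker.ks" keyStorePassword="${broker.keystore.password}"
                  trustStore="file:${activemq.conf}/clients.ts" trustStorePassword="${broker.truststore.password}"/>
    </sslContext>
    <transportConnectors>
      <!-- Only a TLS listener is defined; the plain tcp://0.0.0.0:61616 connector from the default
           configuration is deliberately absent. needClientAuth=true enforces mutual authentication. -->
      <transportConnector name="ssl"
          uri="ssl://0.0.0.0:61617?needClientAuth=true&amp;transport.enabledProtocols=TLSv1.2,TLSv1.3"/>
    </transportConnectors>
  </broker>
</beans>
```

The web console and Jolokia endpoint are configured separately in jetty.xml and should stay bound to an internal address, or be disabled entirely, on a broker that is reachable from outside.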

Why IBM Websphere DataPower?

I am a beginner in learning IBM DataPower, so please let me know why it is used, where it is used, and what its purpose is.
Thank you.
IBM DataPower is called an appliance because it is purpose-built with an OS of its own. The DataPower appliance is usually located in the DMZ layer, where an organization communicates with other 3rd-party vendors. DataPower has the ability to transform messages as well, and the inbuilt security features make it a stronghold for securing the DMZ layer. It can connect using many protocols such as MQ, HTTP, HTTPS, JMS, SFTP, FTP, IMS, AS2, AS3, etc. It is also used to host APIs and SOAP web services. In short, it is used for integrating with applications outside of the organization.