We would like to use the Google Translate API from a host which doesn't have open access to the Internet. To set up the firewall rules I would need the list of possible IP addresses for www.googleapis.com. It is resolved to different IP addresses depending on the location. It seems to be difficult to create a future-proof firewall rule.
Do you know how I could get the list of IP addresses or network ranges for the Google API servers?
The IP addresses used for any given googleapis.com server could change. Google doesn't have just one network block which they host all of their content out of, they have a bunch of them - and they change over time.
There are several ways you could set up your restricted network to allow access to *.googleapis.com without hard-coding IP addresses. I don't know anything about your setup, but I've found that using an internal proxy is often the best bet when you want to allow/restrict access to a domain.
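One way an internal proxy can enforce a name-based rule for *.googleapis.com instead of an IP list, shown as an added example that is not part of the original answer. The allowlist, the port policy and the function names are assumptions for illustration, and the sample targets are constructed.

```python
import ipaddress

# Assumed policy for this example: what the internal forward proxy lets out.
ALLOWED_SUFFIXES = ("googleapis.com",)
ALLOWED_PORTS = {443}


def parse_connect_target(target):
    """Split the 'host:port' authority of an HTTP CONNECT request line."""
    host, sep, port = target.rpartition(":")
    if not sep or not host:
        raise ValueError(f"malformed CONNECT target: {target!r}")
    # Normalise case, IPv6 brackets and the trailing root dot before matching.
    return host.strip("[]").rstrip(".").lower(), int(port)


def is_allowed(target):
    """Decide by requested name, never by resolved address."""
    try:
        host, port = parse_connect_target(target)
    except ValueError:
        return False
    if port not in ALLOWED_PORTS:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literals sidestep the name policy, so refuse them
    except ValueError:
        pass  # not an IP literal: continue with the suffix check
    # Match on a label boundary so 'evilgoogleapis.com' does not pass.
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


# Constructed CONNECT targets (sample input for this example only).
SAMPLES = [
    "www.googleapis.com:443",
    "WWW.GoogleAPIs.com.:443",
    "evilgoogleapis.com:443",
    "googleapis.com.example.net:443",
    "www.googleapis.com:80",
    "203.0.113.10:443",
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(f"{t:35} {'ALLOW' if is_allowed(t) else 'DENY'}")
```

The firewall then only needs a rule from the host to the proxy, and the proxy's own egress is the single place where the name policy is applied.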
Unfortunately, we have to interface with a third-party service which instead of implementing authentication, relies on the request IP to determine if a client is authorized or not.
This is problematic because nodes are started and destroyed by Kubernetes and each time the external IP changes. Is there a way to make sure the external IP is chosen among a fixed set of IPs? That way we could communicate those IPs to the third party and they would be authorized to perform requests. I only found a way to fix the service IP, but that does not change at all the single nodes' IPs.
To be clear, we are using Google's Kubernetes Engine, so a custom solution for that environment would work too.
Yes, it's possible by using KubeIP.
You can create a pool of shareable IP addresses, and use KubeIP to automatically attach an IP address from the pool to the Kubernetes node.
IP addresses can be created by:
opening Google Cloud Dashboard
going to VPC Network -> External IP addresses
clicking on "Reserve Static Address" and following the wizard (on the Network Service Tier, I think it needs to be a "Premium", for this to work).
The easiest way to have a single static IP for GKE nodes or the entire cluster is to use a NAT.
You can either use a custom NAT solution or use Google Cloud NAT with a private cluster.
I have a hardcoded DDNS URL in an application that I can no longer modify the code for. It currently points to a server using its IP address and I'm trying to move over to Firebase.
My problem is that I need to update the DDNS URL with an IP address but I've only got a hosting URL like https://myapp-123q4.firebaseapp.com/.
My understanding is (from this Google Groups post) that because the entire system is shared, there are some specific IP addresses that can be used. Is there any way to access my own firebase hosting URL using an IP address?
(Pinging my firebase URL gave me the IP 151.101.1.195 which is one of the ones mentioned on the above linked post.)
You should not depend on direct IP addresses for accessing Firebase Hosting. There are simply not enough IPv4 addresses available for everyone to have exclusive access to one. You need to use the host name in the HTTP request so that the server can route the request to the correct content.
I am logging every user's IP when they access the company's page.
There are two ways to access the page from inside the local network:
http://company/webpage
and
https://webpage.company.com
What bugs me is that even when the users use the https global IP, their accesses are still recorded in the database with their IP as 10.50.1.12 or 10.50.1.100.
Does that mean that the browser or something else is redirecting the https://webpage.company.com to company/webpage? Or does that mean that I'm using a flawed method to log the users' IP?
Another way to ask my question (just to make sure I'm being clear): if I'm accessing my Internet web page from inside the LAN network, am I effectively going outside my network and then back? If not, where am I going wrong with my logging?
Code used to log user's IP:
user.LastIP = HttpContext.Current.Request.UserHostAddress;
I'm curious about this because I want to make sure the users inside the company will access the page using exclusively the LAN Network. The goal is to save bandwidth usage, which is scarce.
Edit:
Pinging the https://webpage.company.com from inside the LAN network will result in a reply from a global IP address like 194.xxx.xxx.xxx. So I'm clearly getting the user's IP wrongly. What would be the ideal way of retrieving the IP from the page accessing entity?
Access to http://company/webpage will result in a DNS lookup of the host name "company". To resolve this, DNS will need a fully qualified domain name (fqdn), so it will add a top level domain (according to the configured search list in the client). In this example, it seems fair to assume that the fqdn will be "company.com". This, in turn, may very well resolve to the same IP address as the "webpage.company.com". You can check this by using dns lookup utilities like 'nslookup' and 'dig', or simply by using 'ping company' and 'ping webpage.company.com'.
The user IP addresses you mention, 10.50.1.12 and 10.50.1.100, seem to be the local IP addresses of the client hosts. I base this assumption on the fact that these IP addresses come from the RFC 1918 address range which is used for internal addresses. My guess is that these are the correct IP addresses, and that your logging works fine.
The user's IP address you will log from accessing 'http://company/webpage' and 'https://webpage.company.com' should in most cases be the same. You can see it this way: it doesn't matter what the target URL is, traffic is still coming from the same host, the same IP address.
In any case, you most probably don't need to worry about any traffic leaving your local network.
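The RFC 1918 reasoning in this answer can be checked against the access log itself. The following is an added example, not code from the original answer: the log layout (user, address, URL), the function names and the sample lines are constructed for illustration, with only 10.50.1.12 and 10.50.1.100 taken from the question.

```python
import ipaddress
from collections import Counter

# The three private IPv4 blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return 'rfc1918', 'other-non-public', 'public' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    # is_private is broader than RFC 1918: it also covers loopback,
    # link-local and similar ranges, so those are reported separately.
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "other-non-public"
    return "public"


# Constructed log lines: "<user> <logged address> <requested URL>".
SAMPLE_LOG = """\
alice 10.50.1.12 https://webpage.company.com
bob 10.50.1.100 http://company/webpage
carol 172.32.0.1 https://webpage.company.com
dave 127.0.0.1 http://company/webpage
erin not-an-ip https://webpage.company.com
"""


def summarise(log_text):
    """Count address classes and list entries that are not RFC 1918."""
    counts, outside = Counter(), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed layout
        user, addr, _url = parts
        kind = classify(addr)
        counts[kind] += 1
        if kind != "rfc1918":
            outside.append((user, addr, kind))
    return counts, outside


if __name__ == "__main__":
    counts, outside = summarise(SAMPLE_LOG)
    print(dict(counts))
    for entry in outside:
        print("review:", entry)
```

Note that 172.32.0.1 falls just outside 172.16.0.0/12, which is why the explicit network list is used rather than a prefix match on "172.".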
I'm currently revising for an exam and I'm stuck on a question which is:
"Explain the static and dynamic host configuration approaches."
I'm unsure if the answer is correct but what I've written is this:
Static host configurations are hard-coded addresses that will only work on one specific network segment, which is intended for stationary computers.
Dynamic host configurations work best with portable computers like laptops that move between network segments.
That's my answer, could anyone help me to understand if this is correct or not?
You are correct about the difference. But there's a lot more than what you have stated.
DHC: Used to configure IP addresses automatically to the systems without any intervention of the network administrator.
For example, when you register for a new internet connection, your ISP (network administrator, in this case) will provide you access to the DHCP server which will allot you the IP address at runtime.
To prevent the same IP address being assigned to two different computers.
Also the main use is, ISPs will have a range of IP addresses with them. You'll be assigned any of their IPs dynamically by the DHCP server when your lease time expires for a particular IP that has been assigned earlier.
SHC: Used to manually configure the IP addresses to systems.
When you know how many systems are going to be present exactly inside the network.
And when you want to uniquely identify a system in the network using its IP address.
For example, when you configure a LAN in your house, between, say, around 4 computers. You will know exactly the number of systems in the group. So you don't have to allot a DHCP server to allot the IP addresses for these 4 systems. You manually configure them.
Hope that helps :)
I would like to get the user's IP locally without invoking any service.
Looking for a purely client side solution.
In general this problem is not solvable because the client computer might not even know its own external IP address. This happens when the client is behind a NAT or some other kind of firewall.
Note that many different client machines might share the same external IP address, and also different client machines might have the same internal IP address but different external IP addresses. Or, I can even imagine a situation where two different clients have the same internal and external IP addresses.
If you would explain why you believe you need this information, another solution to your actual problem might be possible.