How to set up CloudFoundry in my data center - networking

I want to deploy a private CloudFoundry in my data center. I do want to expose port 80 traffic for internet access.
I do not want to expose all the CloudFoundry roles (Cloud Controller, DEA, Health Manager, etc.) on the public network.
Is there a best practice document on configuring Cloud Foundry?
Do I need to implement an external router that will do port 80 port forwarding to the Uhuru NGINX Router?

The network isolation is done at the cloud layer, i.e. vSphere, OpenStack, VCloud or AWS. Assuming you deploy this using bosh, you need to configure your networks so that everything is on a private network, except for the routers, which need to have an interface on the internet facing side. But in front of the routers, you should have your load balancers, so not even the routers need to be connected directly to the Internet.

Exposing internal server to the outside world

Currently I'm using ngrok.io to expose a local service (e.g. localhost:3000) to the outside world. What can I do to expose an internal company service that is only accessible within the VPN to the outside world?
That depends on the network in which your service is located.
If it's a home network, you need to make sure you're not behind your internet provider's NAT (in other words, that you have a dedicated public IP address), then log into your router and configure port forwarding to your machine. If you don't have a dedicated public IP, or just want your service to work independently from your personal machine, consider hosting it on a VPS.
If it's a company network, your system administrator should be able to handle this (after deciding whether it's appropriate).

Azure Network Security Group Vs Route Tables

Networking newbie here. From the documentation it feels like both NSGs and routing tables (UDR) are doing the same thing: capable of defining ACLs at multiple levels (VNet, subnet, VM).
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
So how are they different, and when is each used?
Thanks.
Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table. The route table is like a networking map that tells traffic how to get from one place to another via the next hop. This generates the "path" but does not filter traffic.
The Azure network security group is used to filter network traffic to and from Azure resources in an Azure virtual network. It contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. If there is no route to a place from a subnet, you do not even need to configure the security rules, because there is no path. So when you consider the NSG, it should have a working network route.
For example, usually we can access an Azure VM in an Azure virtual network via SSH or RDP over the Internet, but exposing port 22 or 3389 like that is a less secure way. We can restrict access to your Azure VM by specifying the source IP address in the NSG. This setting allows traffic only from a specific IP address or range of IP addresses to connect to the VM. Read more details here. In this scenario, we need to ensure that there is a route to the internet from your Azure virtual network and vice versa.
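As an added example (not part of the answer above, and not Azure's own code), a small Python model of the evaluation order that answer describes: the subnet route table first decides whether a path exists, then the inbound NSG rules are walked in priority order with Azure's default rules last. The route entries, the VM subnet and the admin source range 203.0.113.0/24 are constructed values; the default rule names and priorities are Azure's, but the VirtualNetwork tag is approximated here as the fixed prefix 10.0.0.0/16.

```python
import ipaddress

# Constructed subnet route table: (prefix, next hop type). A "None" next hop is a
# black hole: no path, so the NSG rules never get a say for that destination.
ROUTES = [
    ("10.0.0.0/16", "VnetLocal"),
    ("0.0.0.0/0", "Internet"),
    ("172.16.0.0/12", "None"),
]

# Constructed inbound NSG: one custom rule restricting SSH to an admin range, then
# Azure's default inbound rules. Fields: (priority, name, source prefix, dest port, action).
NSG_INBOUND = [
    (100, "Allow-SSH-Admin", "203.0.113.0/24", 22, "Allow"),
    (65000, "AllowVnetInBound", "10.0.0.0/16", "*", "Allow"),       # VirtualNetwork tag, approximated
    (65001, "AllowAzureLoadBalancerInBound", "168.63.129.16/32", "*", "Allow"),
    (65500, "DenyAllInBound", "0.0.0.0/0", "*", "Deny"),
]


def route_lookup(dest_ip, routes=ROUTES):
    """Longest-prefix match over the subnet route table; returns the next hop type."""
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dest_ip) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, hop)
    return best[1] if best else None


def nsg_decision(src_ip, dport, rules=NSG_INBOUND):
    """Lowest priority number is evaluated first; the first matching rule decides."""
    for _prio, name, src_prefix, port, action in sorted(rules):
        in_src = ipaddress.ip_address(src_ip) in ipaddress.ip_network(src_prefix)
        if in_src and port in ("*", dport):
            return action, name
    return "Deny", "implicit"  # not reached while DenyAllInBound is present


def inbound_allowed(src_ip, dst_ip, dport):
    """Path first, filter second: the subnet needs a route back to the peer for the
    session to complete, and only then do the NSG rules matter."""
    hop = route_lookup(src_ip)
    if hop in (None, "None"):
        return False, "no route"
    action, name = nsg_decision(src_ip, dport)
    return action == "Allow", name
```

Running `inbound_allowed("198.51.100.7", "10.0.1.4", 22)` shows the Internet-wide SSH attempt falling through to DenyAllInBound, while the admin range hits the priority-100 rule.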

Kubernetes (non-cloud): access cluster from outside (public IP)

I want to make my own cluster, so I plan to buy 3 Raspberry Pis (to act as servers): 1 for the master node and 2 for worker nodes. I have one public IP (router). I will use kubeadm to create a master node, and use the token to join the master node from the other 2 remaining Pis. All Raspberry Pis are in the same LAN (router). Normally, if I run a webserver on my laptop on port 80, my laptop has the 192.168.1.3 private IP, and I do port forwarding from the router to my laptop, so I can access the website through the public IP. But if I run my webserver in a container and do load balancing with k8s on 2 worker nodes (Raspberry Pis), how can I handle it? Where should I port forward to from my router? How can I bring a client from the public IP to any service in my own cluster? I researched it and I can use NodePort to access it, but I think it's not good to do it that way because it accesses a host machine directly, not through the cluster, so another way is making my own load balancer, but I don't know how.
So I want to get some advice on how to do it, or anything that helps achieve my goal. I don't care if it's tough or difficult. I just want to succeed at it to get some knowledge and publish it. Can someone please clarify for me?
Use the nginx ingress controller to route the calls to k8s services in the cluster. That way you don't have to use NodePort type service objects.
Please consider using MetalLB (a load-balancer implementation for bare metal Kubernetes clusters) together with the NGINX Ingress controller.
It would require setting up port forwarding in your home router on ports 80/443 to one of your worker nodes.
Here is how this setup would look in your case:

Remote resource discovery using CoAP

I am trying to create a small academic project in the area of home automation. I explored various protocols and standards in the IoT domain and found CoAP close to my requirements.
The intent is pretty simple: to have a peripheral at home (like a bulb, temperature sensor, etc.) which acts as a CoAP server and exposes certain resources and services. Since CoAP uses an addressing scheme similar to the web, any client having the address of this server shall be able to talk to this CoAP server (i.e. the peripheral) and control its attributes.
I have certain doubts about how a client not present in the same LAN as the server can discover this server and the resources exposed by it. I understand that CoAP facilitates resource discovery using the CoRE link format, but it seems that it primarily uses multicast, which can only work within a LAN. I don't want to put a resource directory server at home with various CoAP servers registering with it and then this directory server talking to a server sitting in the cloud. I want to have the ability to just install a peripheral at home which can communicate with a remote client (like Copper) using the home wifi network. But how to discover the CoAP server sitting at home from a remote location and then talk to it, considering that the CoAP server will be on a private IP address?
Is this really possible using just CoAP?
As you're sitting behind a NAT, that will allow neither direct discovery nor connections; CoAP will not try to magically pierce that.
Popular ways out are:
Use IPv6 (obviating the use of a NAT) and (at least selectively) disable the firewall. You will still only be able to do discovery locally, but once discovered, you can connect to your devices from anywhere.
Use a VPN to make your mobile device act as if it were in the NAT.
Run a CoAP proxy at the router with a port open to the outside, and tell your mobile device to connect through that proxy. This does not give you local discovery either.
For the proxy and IPv6 cases, you can then still run a resource directory in your local network. That does neither need to connect to nor accept registrations from any cloud service, but it can help you do the very discovery that you'd like to do with multicast but can't because your mobile device is too far away. Both the resource directory and the proxy should be configurable to not talk to devices outside the local network unless they are authenticated.
Make your router accept HTTP requests, and run an HTTP-to-CoAP proxy on your system; access your CoAP devices via your IP through the HTTP-CoAP proxy.

Networking: how do wifi-enabled IoT products allow remote access?

I have been looking for an answer to this problem, but I cannot find what I am looking for. I think, perhaps, it is because I lack the knowledge to ask the question in a meaningful way.
I have been learning a lot about remote access to devices at home. I know that ISPs change public IP addresses regularly (dynamic IP addresses). I know that to get around this, one could use a service like "no-ip", etc. Or one could get a static IP address.
What I do not understand is how some of the latest home automation devices are able to be controlled remotely without the use of a static IP or a service like "no-ip". For example, a wifi-enabled thermostat or lighting system.
If the device had a built-in server or client, then I assume that the device could connect to an outside server in a remote location. The user could then also log into that server and send commands to the device. What I don't understand is how commands sent to the device from a cell phone, for example, can reach the home device. Presumably the off-site location of the server would have to know the public IP address where the device is located, and then port forwarding would have to be set up to allow access to the device.
What am I missing here? Is it possible to create a homemade wifi-enabled thermostat, webcam, or other device without using port forwarding, no-ip, or a static IP?
Well, there are several ways to bypass the inbound connection constraint of NAT. Such as:
A virtual adapter on the device configured to a VPN server that has an inbound port open, ready to transfer data. Various open source solutions such as OpenVPN are considered great examples of this service on IoT boards like the Raspberry Pi, BeagleBone, etc. These are often used as gateways. Further, they communicate with the microcontrollers over popular IoT protocols such as MQTT, CoAP, etc.
Another solution is to create a port forwarding tunnel, since the router won't block the outbound connection. There are various tunneling services available, such as localtunnel, ngrok, etc. You could also use a cloud server that has a public IP, such as AWS, DigitalOcean, etc. Again, as in the point mentioned above, they can be implemented in the gateways.
Some devices "phone home" to a server so that there are ports open between them and the servers, and the mobile apps just contact the servers. This is the same way your web browser can receive web pages from a web server. If you have a NAT router, the router must open a port from the inside device to the outside server. This is maintained in a NAT table with expiration timers for UDP and session monitoring for TCP.
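As an added example (not from any answer above, and not real router firmware), a Python model of the NAT table the last answer describes: an outbound "phone home" connection from a device creates a mapping, replies from that same server are translated back inside, unsolicited inbound packets find no entry and are dropped, UDP mappings expire on an idle timer and TCP mappings are removed when the router sees the session close. The public IP, port pool start and timeout value are constructed.

```python
import time


class NatTable:
    """Constructed model of a home router's NAT translation table."""
    UDP_IDLE_TIMEOUT = 30.0   # constructed idle timeout for UDP mappings, in seconds

    def __init__(self, public_ip, clock=time.monotonic):
        self.public_ip = public_ip
        self.clock = clock        # injectable so the timer behaviour can be tested deterministically
        self.next_port = 40000    # constructed start of the router's public port pool
        self.entries = {}         # (proto, public_port) -> {"inside": (ip, port), "remote": (ip, port), "last": t}

    def outbound(self, proto, inside, remote):
        """An inside device opens a connection: reuse or allocate a public port for it."""
        for (p, pub), m in self.entries.items():
            if p == proto and m["inside"] == inside and m["remote"] == remote:
                m["last"] = self.clock()      # traffic refreshes the entry
                return pub
        pub = self.next_port
        self.next_port += 1
        self.entries[(proto, pub)] = {"inside": inside, "remote": remote, "last": self.clock()}
        return pub

    def inbound(self, proto, public_port, remote):
        """A packet arrives from the internet. Return the inside endpoint it is
        forwarded to, or None when the router has no live mapping for it."""
        m = self.entries.get((proto, public_port))
        if m is None or m["remote"] != remote:
            return None                        # unsolicited, or from a different peer: dropped
        if proto == "udp" and self.clock() - m["last"] > self.UDP_IDLE_TIMEOUT:
            del self.entries[(proto, public_port)]   # expiration timer fired
            return None
        m["last"] = self.clock()
        return m["inside"]

    def close(self, proto, public_port):
        """TCP session monitoring: once the router sees the session end, the mapping goes."""
        self.entries.pop((proto, public_port), None)
```

The device's outbound connection is what makes the server's traffic deliverable; nothing the mobile app sends straight at the public IP matches an entry, which is why the app talks to the server instead.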