Route 53 hosted zone google domains multiple aws accounts - amazon-route53

I have a domain in Google Domains, but I use custom nameservers from a Route 53 hosted zone. It was working fine. I first made my app in a staging environment. It was working fine. (I used CloudFront.)
Now that I have set up a prod environment (in a different AWS account), I created another hosted zone and added those nameservers at Google Domains too.
Now staging is broken.
How do I solve this issue? I want my domain to be accessible from both environments (accounts), but it seems like it's one or the other.
The ideal behaviour would be that both hosted zones work properly.

Related

Route53 Hosted Zone with Domain in different Account

I had my setup in account A:
domain bought
hosted zone
I moved my domain name to account B.
The hosted zone is still in account A.
Why is the traffic routed correctly (I can see the expected content when I access my website)? Shouldn't it be necessary to have the hosted zone in the same account as my domain?
Where can I find the docs to clear my mind, please?
There are two items to understand in your question:
Authoritative name servers
Hosted zones
The registrar for your domain contains the IP addresses or hostnames of the authoritative name servers. Those name servers can be located anywhere. Authoritative name servers are the DNS servers used to resolve DNS queries for your domain.
A Hosted Zone is a collection of DNS resource records, similar to a database.
In your case, your domain is located in account B, with either hostnames or IP addresses that resolve to resources located in account A. There is no problem with that design, and it is in fact commonly deployed for security and isolation.

Deploying website on Vercel with Route53 subdomain

I am trying to deploy my Next.js web app on Vercel with Route53. But I am already using my root domain, example.com, with my main service.
I used to deploy with a subdomain inside the example.com hosted zone, which is subdomain.example.com.
But I had to add server, cdn, and other second-level subdomains like server.subdomain.example.com. So I created a new hosted zone for subdomain.example.com on Route53 and connected it with the root domain.
So I am trying to add subdomain.example.com on Vercel, but if I add this domain to the Vercel project settings, they only get the root domain's current nameservers.
Is there any way to add a Route53 hosted zone domain to Vercel?

How to use Netlify DNS for domains managed by AWS Route 53?

I have a domain registered at Route 53, but I want to have Netlify manage the DNS for this domain (the entire domain, unlike other questions about subdomains). I set the NS record for the domain to point to Netlify's name servers, but Netlify's custom domain configuration tool still claims that DNS is not configured correctly.
Below is a screenshot showing my current Route53 hosted zone configuration, with the NS records clearly pointed at Netlify's DNS servers. I waited for DNS propagation timeouts, flushed Google's DNS cache, and tried other suggestions and nothing worked.
The problem turned out to be that setting the NS records in the hosted zone doesn't actually let Netlify manage the DNS for the domain. Instead, you need to change the nameservers in the Registered Domains section of the Route 53 console. (NOT the Hosted Zones section.)
On that page, remove the AWS nameservers and add Netlify's nameservers. It will look like this when it's done: (Note that your nameserver hostnames may be different; copy them from Netlify's Custom Domain page)
Kudos to Netlify's support team for writing a doc that explains how to do this. It was admittedly hard to find this doc in Google because there are so many different Netlify docs about various DNS intricacies. But eventually Googling helped me find it.
In retrospect, it's now obvious to me that adding DNS records to a zone (even NS records!) can't change the nameservers used by the domain. But it would have been nice if the AWS console included this info when I edited the NS records so I didn't waste a few hours.
Leaving this answer here for the next victim. 😁
For a domain registered at Route 53 with Netlify managing the DNS, it worked for me by changing the name servers in both the "Registered Domain" area and the "Hosted Zone".
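An added check, my own example rather than code from any of the posts, that ties the two-account question at the top of the page to this Netlify thread: only the nameserver list held by the registrar (Google Domains, the Route 53 "Registered domains" page, and so on) decides which servers the parent zone delegates to, so the script compares that list with each hosted zone's delegation set and reports whether a zone is fully delegated, not delegated at all, or "mixed" (the two-account situation, where a resolver gets whichever zone's answer belongs to the server it happened to pick). The ns-*.awsdns-* names are constructed sample data; the boto3 helpers assume a domain registered with Route 53 and AWS credentials, and nothing calls them unless you do.

```python
"""Which hosted zone is the domain actually delegated to?

Added example (not from the thread). Only the nameserver list held by the
registrar decides which servers the parent zone delegates to; NS records
edited inside a hosted zone do not. Sample names below are constructed; the
boto3 helpers assume a Route 53 registered domain plus AWS credentials and
are never called by the pure functions.
"""


def normalize_ns(names):
    """Lower-case and strip trailing dots so a registrar's 'ns-1.awsdns-00.com'
    compares equal to a hosted zone's 'ns-1.awsdns-00.com.'."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())


def delegation_status(registrar_ns, zone_ns):
    """Classify one hosted zone against the registrar's published nameservers.

    'delegated'     every published server belongs to this zone: all queries land here
    'not-delegated' no published server belongs to this zone: edits here are invisible
    'mixed'         some do, some don't: answers vary with the server a resolver picks
    """
    reg, zone = normalize_ns(registrar_ns), normalize_ns(zone_ns)
    if not zone:
        raise ValueError("hosted zone has an empty delegation set")
    if not reg:
        return "not-delegated"
    if reg <= zone:
        return "delegated"
    if reg.isdisjoint(zone):
        return "not-delegated"
    return "mixed"


def report(registrar_ns, zones):
    """Map each candidate hosted zone (label -> NS list) to its status."""
    return {label: delegation_status(registrar_ns, ns) for label, ns in zones.items()}


# Optional live lookups for a domain registered with Route 53 (need AWS credentials).
def fetch_registrar_ns(domain):
    import boto3  # imported lazily so everything above runs offline
    client = boto3.client("route53domains", region_name="us-east-1")  # this API lives only in us-east-1
    return [ns["Name"] for ns in client.get_domain_detail(DomainName=domain)["Nameservers"]]


def fetch_zone_ns(hosted_zone_id):
    import boto3
    return boto3.client("route53").get_hosted_zone(Id=hosted_zone_id)["DelegationSet"]["NameServers"]


# Constructed sample data modelling the two-account question at the top of the page.
STAGING_ZONE_NS = ["ns-10.awsdns-01.com.", "ns-20.awsdns-02.net.",
                   "ns-30.awsdns-03.org.", "ns-40.awsdns-04.co.uk."]
PROD_ZONE_NS = ["ns-11.awsdns-11.com.", "ns-21.awsdns-12.net.",
                "ns-31.awsdns-13.org.", "ns-41.awsdns-14.co.uk."]
ZONES = {"staging (account A)": STAGING_ZONE_NS, "prod (account B)": PROD_ZONE_NS}

if __name__ == "__main__":
    # Registrar lists both sets, as the asker did: both zones come out 'mixed'.
    print(report(STAGING_ZONE_NS + PROD_ZONE_NS, ZONES))
    # Registrar lists only the prod set: prod 'delegated', staging 'not-delegated'.
    print(report(PROD_ZONE_NS, ZONES))
```

The "mixed" result is the first question's symptom: a resolver that picks one of the prod servers asks a zone that has no staging records at all, so staging appears broken for some clients and fine for others. For the Netlify case the same report explains why editing NS records inside the hosted zone changed nothing: until the registrar's list changes, `delegation_status` for the Route 53 zone stays "delegated" and Netlify's servers are never asked.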

Issue with transfer of domain from Google to AWS

I transferred my domain from Google to AWS 7 days ago. The transfer process has been completed in AWS. I have created a public hosted zone in Route 53, and the NS records present in Route 53 match the NS records of my domain in AWS. I also created CNAME records pointed to the application load balancer.
I am able to access my domain inside my AWS workspace, and even the dig command returns results in my AWS workspace, but it is not working on some machines outside of the AWS workspace. When I use the load balancer URL, I am able to access the application, so there are no issues with the security group configuration.
Also, there are no dig results when using this URL: https://toolbox.googleapps.com/apps/dig/
Am I missing something here? Any help is highly appreciated.
The issue was resolved after disabling DNSSEC in Route 53. I think I had not disabled DNSSEC in Google before transferring the domain to AWS, so DNSSEC was transferred with the keys to AWS.
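An added example, not code from the question or answer, showing the one check that distinguishes the answerer's suspected cause from other DNS problems: whether the DS record the registry publishes for the domain matches any DNSKEY the zone actually serves. A DS carried over from the previous registrar that matches no key in the new Route 53 zone is "bogus" to a validating resolver (Google's dig tool validates), which returns SERVFAIL; the inside-AWS tooling that did not validate kept working. Deleting the DS, which is what disabling DNSSEC does at the registry, turns the status into "insecure" and the domain resolves again. The key bytes are constructed placeholders, not real keys; RRSIG checking is out of scope.

```python
"""DS <-> DNSKEY linkage check for a transferred, DNSSEC-enabled domain.

Added example (not from the question or answer). It tests only one link of
the chain: does a DS record the registry publishes for the domain match a
DNSKEY the zone actually serves? Key bytes below are constructed
placeholders, not real keys, and RRSIG validation is out of scope.
"""
import hashlib
from dataclasses import dataclass

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = key-signing key (SEP bit), 256 = zone-signing key
    algorithm: int     # 13 = ECDSAP256SHA256, the algorithm Route 53 signs with
    public_key: bytes

    def rdata(self):
        """Wire-format RDATA: flags | protocol (always 3) | algorithm | key."""
        return self.flags.to_bytes(2, "big") + b"\x03" + bytes([self.algorithm]) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_tag(rdata):
    """Key tag of a DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").lower().split("."))
    return out + b"\x00"


def make_ds(owner, key, digest_type=2):
    """The DS record the parent should publish for `key` (RFC 4034 section 5.1.4)."""
    digest = DIGESTS[digest_type](owner_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)


def chain_status(owner, parent_ds, zone_keys):
    """'insecure' (no DS: zone treated as unsigned), 'secure' (a DS matches a
    served DNSKEY) or 'bogus' (DS present but matches nothing: validating
    resolvers answer SERVFAIL)."""
    if not parent_ds:
        return "insecure"
    for ds in parent_ds:
        if ds.digest_type not in DIGESTS:
            continue
        for key in zone_keys:
            if make_ds(owner, key, ds.digest_type) == ds:
                return "secure"
    return "bogus"


# Constructed scenario: the old KSK from the previous registrar vs the new Route 53 KSK.
OLD_KSK = DNSKEY(257, 13, bytes(range(64)))          # placeholder bytes, not a real key
NEW_KSK = DNSKEY(257, 13, bytes(range(64, 128)))     # placeholder bytes, not a real key
STALE_DS = make_ds("example.com", OLD_KSK)           # what the registry still publishes

if __name__ == "__main__":
    print(chain_status("example.com", [STALE_DS], [NEW_KSK]))                          # bogus
    print(chain_status("example.com", [], [NEW_KSK]))                                  # insecure
    print(chain_status("example.com", [make_ds("example.com", NEW_KSK)], [NEW_KSK]))   # secure
```

The real inputs come from `dig DS example.com` (what the registry publishes) and `dig DNSKEY example.com @<one of the zone's nameservers>` (what the zone serves); for a Route 53 zone, the DS text for each key-signing key is also shown in the hosted zone's DNSSEC signing page and by the `GetDNSSEC` API. If you want DNSSEC on rather than off after a transfer, the fix is the third scenario: replace the stale DS at the registrar with the one derived from the new key.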

How to limit access in Cloud Foundry

I am new to Cloud Foundry.
Is there any way that only specific users can view and update an app deployed in Cloud Foundry?
1. I deployed an app in Cloud Foundry using the “cf push” command.
2. After entering the “cf push” command I got the message below.
Using manifest file /home/stevemar/node-hello-world/manifest.yml
enter Creating app node-hello-world-example...
name: node-hello-world-example
requested state: started
routes: {route-information}
last uploaded: Mon 14 Sep 13:46:54 UTC 2020
stack: cflinuxfs3
buildpacks: sdk-for-nodejs
type: web
instances: 1/1
memory usage: 256M
3. Using the {route-information} above, I can see the deployed app in a browser by entering the URL below.
https://{route-information}
This way, anyone can see the app from a browser, but I don’t want it to be seen by everyone; I want to limit access to specific users.
I heard that a global IP is allocated to {route-information} by default.
Is there any way to limit access to only specific users?
(For example, is there any function in Cloud Foundry like a “private registry” in Kubernetes, which is not open to the public?)
Since I am using Cloud Foundry in IBM Cloud it would be better if there is solution using IBM Cloud.
I’ve already granted cloud foundry role to the other user.
Thank you.
The CloudFoundry platform itself does not provide any access controls for applications. If you assign a public route to your application, where the DNS is publicly resolvable and the foundation is on the public Internet, like IBM Bluemix, then anyone can access your app.
There are a number of things you can do to limit access, but they do require some work on your part.
Use a private DNS. You can add any domain you want to Cloud Foundry, even ones that don't resolve. That means you could add my-cool-domain.local which does not resolve anywhere. You could then add a record to /etc/hosts for this domain or perhaps run DNS on your local network to resolve this DNS domain and direct traffic to the CloudFoundry.
With this setup, most people cannot access your application because the DNS domain for the route to your application does not resolve anywhere. It's important to understand that this isn't really security, but obscurity. It would stop most traffic from making it to your app, but if someone knew the domain, they could add their own /etc/hosts header or send fake Host headers to access your application.
This type of setup can work well if you have light security requirements like you just want to hide something while you work on it, or it can work well paired with other options below.
You can set up access controls in your application. Many application servers & frameworks can do things like restrict access by IP address or require user access (Basic auth is easy and it is OK, if you're only allowing HTTPS traffic to your app which you should always do anyway).
You can use OAuth2 to secure apps too. Again, many app servers & frameworks have support for this and make it relatively simple to secure your apps. If you don't have a corporate OAuth2 solution, there are public providers you can use. Exactly how you do OAuth2 in your app is beyond the scope of this question, but there's plenty of material out there on how to do this. Google information for your application language/framework of choice.
You could set up an access Gateway. This would be an application whose job is to proxy traffic to other applications on the foundation. The Gateway could be something like Nginx, Apache HTTPD, or Spring Cloud Gateway. The idea is that the gateway would be publicly accessible, and would almost certainly apply access controls/restrictions (see #2, many of these proxies have access control options that only take a few lines of config). Your actual applications would not be deployed publicly though. When you deploy your actual applications, they would only be on the internal Cloud Foundry domain.
CloudFoundry has local domains, often apps.internal (run cf domains to see if that shows up), which you can use to easily route traffic across the internal container-to-container network. Using this domain and the C2C network, you can have apps deployed to CF that are not accessible to the public Internet, except through your Gateway.
Again, how you configure this exactly is outside the scope of this question, but check out the docs I linked to for info on using the C2C network & internal routes. Then check out your proxy server of choice's documentation.
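An added example of the gateway option, written by me and not taken from the answer above or from any Cloud Foundry project: a small Python gateway that is the only app holding a public route, enforces an IP allowlist plus HTTP Basic auth (option #2 folded into #3, and only sensible because the route is HTTPS), and proxies authorized requests to the real app on a hypothetical apps.internal route over the container-to-container network. The credentials, the allowed network and the backend hostname are constructed placeholders.

```python
"""Access gateway in front of Cloud Foundry apps that only have an internal route.

Added example (not from the answer above). The gateway is the only app with a
public route; the real app is mapped to a hypothetical route on the internal
domain (BACKEND) and reached over the container-to-container network.
authorize() applies an IP allowlist plus HTTP Basic auth before anything is
proxied. Credentials, networks and hostnames are constructed placeholders.
"""
import base64
import hmac
import ipaddress
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BACKEND = os.environ.get("BACKEND_URL", "http://node-hello-world-example.apps.internal:8080")
ALLOWED_NETS = [ipaddress.ip_network(n.strip())
                for n in os.environ.get("ALLOWED_NETS", "203.0.113.0/24").split(",")]
# Constructed credentials; load them from a user-provided service or env var in practice.
USERS = {"alice": os.environ.get("GATEWAY_PASSWORD", "change-me")}


def parse_basic(header):
    """Return (user, password) from an HTTP Basic Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(client_ip, auth_header):
    """Decide whether to forward a request: returns (HTTP status, reason)."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return 403, "unparseable client address"
    if not any(ip in net for net in ALLOWED_NETS):
        return 403, "source address not allowed"
    creds = parse_basic(auth_header)
    if creds is None:
        return 401, "credentials required"
    user, password = creds
    # Compare in constant time, and compare even for unknown users so that timing
    # does not reveal which usernames exist.
    expected = USERS.get(user, "")
    matched = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    if user not in USERS or not matched:
        return 401, "bad credentials"
    return 200, "ok"


class Gateway(BaseHTTPRequestHandler):
    def do_GET(self):
        # The CF router appends the address it saw to X-Forwarded-For; earlier
        # entries are client-supplied and must not be trusted.
        xff = self.headers.get("X-Forwarded-For", "")
        client = xff.split(",")[-1].strip() if xff else self.client_address[0]
        status, reason = authorize(client, self.headers.get("Authorization"))
        if status != 200:
            self.send_response(status)
            if status == 401:
                self.send_header("WWW-Authenticate", 'Basic realm="gateway"')
            self.end_headers()
            self.wfile.write(reason.encode("utf-8"))
            return
        # Authorized: proxy to the internal route (the Authorization header is not forwarded).
        try:
            with urllib.request.urlopen(BACKEND + self.path, timeout=10) as resp:
                body, code, ctype = resp.read(), resp.status, resp.headers.get("Content-Type")
        except urllib.error.HTTPError as e:
            body, code, ctype = e.read(), e.code, e.headers.get("Content-Type")
        except urllib.error.URLError:
            body, code, ctype = b"backend unreachable", 502, "text/plain"
        self.send_response(code)
        self.send_header("Content-Type", ctype or "application/octet-stream")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Cloud Foundry passes the port to listen on in $PORT.
    ThreadingHTTPServer(("0.0.0.0", int(os.environ.get("PORT", "8080"))), Gateway).serve_forever()
```

To wire it up, the backend app gets a route on the internal domain (`cf map-route <app> apps.internal --hostname <name>`) and no public route, and the gateway needs a container-to-container network policy towards it (`cf add-network-policy <gateway> <app> --protocol tcp --port 8080`; the flag spelling differs between cf CLI versions). Without that policy the proxy step returns 502, which is the behaviour you want: nothing on the C2C network is reachable unless a policy says so.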