AWS Apprunner with route53 mapping - amazon-route53

I was trying to deploy docker service using aws app-runner. Deploying a service and running it is very street forward. Once I deployed the app, aws gives me url to access my service. Now I want to route traffic from my domain to this url. In route 53 it doesn't seems this option is not available, I might be wrong. In aws app-runner it self there is an option to link the url generated by aws with my domain name. I follow that option but it seems I have to do dns configuration change and CNAM configuration. Is there anyone who have tried this option and able to guid me? Thanks!

Related

IBM Cloud: Kubernetes add-on ALB Oauth2 Proxy for App ID integration fails to start

I deployed a containerized app to my IBM Cloud Kubernetes service in a VPC. The app uses App ID for authentication. The deployment pipeline ran successfully. The app seems ready, but when accessing its URL it gives an internal server error (500 status code).
From the Kubernetes dashboard I found that the ALB Oauth Proxy add-on is failing. It is deployed, but does not start.
The deployment seems to fail in the health checks (ping not successful). From the POD logs I found the following as last (and only) entry:
[provider.go:55] Performing OIDC Discovery...
Else, there is not much. Any advise?
Guessing from the missing logs and the failing pings, it seemed related to some network setup. Checking the VPC itself, I found that there was no Public Gateway attached to the subnet. Enabling it allowed outbound traffic. The oauth proxy could contact the App ID instance. The app is working as expected now.
Make sure that the VPC subnets allow outbound traffic and have a Public Gateway enabled.

How To Configure PrestoDB internal communication in Kubernetes

I'm testing prestoDB with kubernetes, and I want to configure user and password auth, but it is necessary to have https configured.
Could you help me how to do that on kubernetes?
Im following this page:
https://prestodb.io/docs/current/security/internal-communication.html
But I didnt understand which domain I should issue a certificate.
Today Im using kubernetes service name resolution like a discovery uri
discovery.uri=http://prestodb-coordinator-service:8080

Issue with transfer of domain from Google to AWS

I have transferred my domain from Google to AWS 7 days back. The transfer process has been completed in AWS. I have created a public hosted zone in Router 53 and the NS records present in Route 53 are matching with the NS records of my domain in AWS. Also created CNAME records pointed to the application load balancer.
I am able to access my domain inside AWS workspace and even dig command returns the results in my AWS workspace but not working in some machines outside of AWS workspace but when I use load balancer url, I am able to access the application so there are no issues with security group configuration.
Also no dig results when using this url https://toolbox.googleapps.com/apps/dig/
Am I missing something here? Any help is highly appreciated
The issue is resolved after disabling the DNSSEC in Route 53. I think I had not disabled DNSSEC in google before transferring the domain to AWS so it has transferred the DNSSEC with keys to AWS.

How to limit access in Cloud Foundry

I am new to Cloud Foundry.
Is there any way that only specific users can view and update an app deployed in Cloud Foundry?
1.I deployed an app in Cloud Foundry using “cf push”command.
2.After entering “cf push “command I’ve got an message below.
Using manifest file /home/stevemar/node-hello-world/manifest.yml
enter Creating app node-hello-world-example...
name: node-hello-world-example
requested state: started
routes: {route-information}
last uploaded: Mon 14 Sep 13:46:54 UTC 2020
stack: cflinuxfs3
buildpacks: sdk-for-nodejs
type: web
instances: 1/1
memory usage: 256M
3.Using the {route-information} above,I can see the app deployed via browser entering below URL.
https://{route-information}
By this way ,anyone can see app from browser, but I don’t want that to be seen by everyone and limit access to specific user.
I heard that this global IP will be allocated to {route-information} by default.
Is there any way to limit access to only between specific users?
(For example,is there any function like “private registry” at Kubernetes in Cloud Foundry which is not open to public)
Since I am using Cloud Foundry in IBM Cloud it would be better if there is solution using IBM Cloud.
I’ve already granted cloud foundry role to the other user.
Thank you.
The CloudFoundry platform itself does not provide any access controls for applications. If you assign a public route to your application, where the DNS is publicly resolvable and the foundation is on the public Internet, like IBM Bluemix, then anyone can access your app.
There's a number of things you can do to limit access, but they do require some work on your part.
Use a private DNS. You can add any domain you want to Cloud Foundry, even ones that don't resolve. That means you could add my-cool-domain.local which does not resolve anywhere. You could then add a record to /etc/hosts for this domain or perhaps run DNS on your local network to resolve this DNS domain and direct traffic to the CloudFoundry.
With this setup, most people cannot access your application because the DNS domain for the route to your application does not resolve anywhere. It's important to understand that this isn't really security, but obscurity. It would stop most traffic from making it to your app, but if someone knew the domain, they could add their own /etc/hosts header or send fake Host headers to access your application.
This type of setup can work well if you have light security requirements like you just want to hide something while you work on it, or it can work well paired with other options below.
You can set up access controls in your application. Many application servers & frameworks can do things like restrict access by IP address or require user access (Basic auth is easy and it is OK, if you're only allowing HTTPS traffic to your app which you should always do anyway).
You can use OAuth2 to secure apps too. Again, many app servers & frameworks have support for this and make it relatively simple to secure your apps. If you don't have a corporate OAuth2 solution, there are public providers you can use. Exactly how you do OAuth2 in your app is beyond the scope of this question, but there's plenty of material out there on how to do this. Google information for your application language/framework of choice.
You could set up an access Gateway. This would be an application that's job is to proxy traffic to other applications on the foundation. The Gateway could be something like Nginx, Apache HTTPD, or Spring Cloud Gateway. The idea is that the gateway would be publicly accessible, and would almost certainly apply access controls/restrictions (see #2, many of these proxies have access control options that only take a few lines of config). Your actual applications would not be deployed publicly though. When you deploy your actual applications, they would only be on the internal Cloud Foundry domain.
CloudFoundry has local domains, often apps.internal (run cf domains to see if that shows up), which you can use to easily route traffic across the internal container-to-container network. Using this domain and the C2C network, you can have apps deployed to CF that are not accessible to the public Internet, except through your Gateway.
Again, how you configure this exactly is outside the scope of this question, but check out the docs I linked to for info on using the C2C network & internal routes. Then check out your proxy server of choice's documentation.

Getting DNS for Load Balancer in GCP

In Google Kubernetes Engine, I created a Load Balancer (External IP Address). I can access it using the IP address. However, I want to get a domain name. ( I am not asking about buying my own domain and adding DNS records ). I am not able to find how to get the url.
For eg. in Azure, in Azure Kubernetes Service, I created a Load Balancer and added a label. So, I can get a url like http://<dns_label_which_i_gave>.<region_name>.cloudapp.azure.com. So, for trial purpose, I don't have to pay for a domain and I can get an easy to read domain name.
How to get the same in GCP Load Balancer?
With Google Cloud you can't do this. The Load balancer expose an IP and you have to create a A record in your registrar to make the link.