How do I simulate a VPN connection to Google Cloud? - kubernetes

So I have GCP set up and Kubernetes, I have a web app (Apache OFBiz) running on pods in the GKE cluster. We have a domain that points itself to the web app, so essentially it's accessible from anywhere on the internet. Our issue is since this is a school project, we want to limit the access to the web app to the internal network on GCP, we want to simulate a VPN connection. I have a VPN gateway set up, but I have no idea what to do on any random computer to simulate a connection to the internal network on GCP. Do I need something else to make this work? What are the steps on the host to connect to GCP? And finally, how do I go about limiting access to the webapp so only people in the internal network have access to the webapp?

When I want to test a VPN, I simply create a new VPC in my project and I connect both with Cloud VPN. Then, in the new VPC, you can create VM that simulate computer in the other side of the VPN and thus simulate what you want.

To setup a VPN on GCP you can use Cloud VPN using static or dynamic routing, you will need to configure a remote peer from the location you want to access your GCP resources to establish the connection towards the Cloud VPN gateway on GCP end.
This means you may require a router that supports creating VPN tunnels on your on-premises or use a host that acts like a router to establish this connection using a VPN software towards Cloud VPN (like Strongswan, for example).
You can block external access to the resources on your VPC network by using GCP firewall rules and just allow specific ports or source IP ranges as you wish.
Another option, even if it's not a VPN or encrypted traffic, is to only allow ingress traffic from the public IP from where you would like to connect to your internal VPC, but this is less secure and would only work if you have an static public IP on your on-premises.

Since you said this is a school project, I would recommend asking your teacher for more direct advice. That said, you can't "simulate" a VPN but you can set up an IPSec client on your laptop or whatever and actually connect to it. Unfortunately Google doesn't appear to have any documentation on this so I'm guessing they presume you already know IPSec well enough to write a connection config yourself.
Using kubectl port-forward might be an easier solution.

Related

GCP Add VPN Tunnels from one Peer VPN Gateway to another Peer VPN Gateway appears impossible; only the source VPN Gateway is available in Peer list

Within one project, I created two VPC networks, one in region us-central1 and one in region us-east1. Each has subnet 10.0.x.0/24. I know I could use VPC peering to connect these two subnets, however my goal is to verify I can setup a HA VPN connection between these two VPC networks.
Foreach VPC network I created an HA VPN gateway, named for their respective region: "vpn-gateway-central" and "vpn-gateway-east"; each has two public IP's for HA. I created two (one per each VPC) cloud routers for BGP use.
I fail when I try to create the VPN tunnels. My expectation based on available online tutorials (that have an older GCP UI) is that I create the tunnels in both directions, just like non-cloud VPN tunnels. From the central to the east, I attempt to create the tunnel in the "central" VPC, and I expect its remote peer(s) will be the set of IP's from the "east" VPC.
The GCP UI does something unexpected: It has me "SELECT PROJECT", and then it populates a drop-down for the "VPN gateway name" from which I select the peer. In this case, I would expect to see a list of VPN gateways that DO NOT exist within the VPC network from which I am starting. Thus, if I am starting from the "central" VPC network, then I expect to see the "east" VPC network in the "VPN gateway name". However, all I see is the VPN gateway name within the "central" region. The initiator and the peer IP's cannot be the same, but that is the result of making the only selection offered in the listbox "VPN gateway name".
I clearly cannot create this tunnel. Is this a bug in the new UI? Is this a beta? This GCP console UI has definitely changed from the ones I see in the online tutorials - where it appears to work (it exposes the remote VPN gateways, as one would intuitively expect, not the ones resident to the VPC network from which I am creating the tunnel).
This is my first VPN within GCP, so I'm likely missing something. However, in any case, if it's not broken, then at least it appears confusing. I will appreciate clarification/trick/workaround.
link to the GCP "Add VPN tunnels" dialogue where the unexpected list of VPN gateway names appears
I added another pic that shows the dialogue.
I didn't notice any issue regarding Cloud VPN from GCP.
To create a HA VPN between VPCs, this is the proper documentation.
In case you cannot create via UI, you can try to create it via gcloud commands, and you'll get more information about the issue that could be happening.
I recommend to check this, follow the guide and paste here the output of the gcloud commands if it fails.

Is possible to secure communication between Google App Engine and Google Compute Engine?

I deployed an app with nodejs on Google App Engine and mongodb on Compute Engine.
Without security rules, GAE can successfully connect to mongodb, but when I set a security rule which allow to access port 27017 of the VM from the App Engine service account I get timeout request so mongodb is not reachable.
As is not possible to set a static ip to GAE, is there another solution to securing mongodb on Compute Engine?
Check the priority of firewall allow rule and deny rule. Lower numbers have higher priorities. Be sure that the allow firewall rule has a higher priority than other rules that might deny traffic.
Yes, at the moment you're not able to set a static external IP on your GAE application.
There's a possible workaround for GAE Flex to solve your issue:
reserve an external static IP
create f1-micro VM instance with reserved external IP address (this likely fits in the Compute Engine free tier)
create a firewall rule to allow connection to MongoDB server from reserved external IP
create a SOCKS proxy by running a ssh client that routes the traffic through created VM similar to this example
configure nodejs application to use SOCKS Proxy
connect to MongoDB server
UPDATE
Also, if you application can run over HTTP proxy you can Squid proxy installed on this VM instead of SOCKS Proxy.

How can i connect and access gcloud mysql?

Also, i need to connect with the same project hosted app with the cluster.
and access the database.
i don't know which IP i give in the mysql.createconnection in my app.
in my node.js app
var connection = mysql.createConnection({host:"IP",user:"username",password: "password",database:"databasename"});
"How to connect to Cloud SQL" is kind of a broad question, and you haven't given very many details as to your environment, but I'll try to point you in the right direction.
First there are generally 3 ways to connect to Cloud SQL - via Environment connectors, Private IP, Public IP.
Environment Connectors (App Engine & Cloud Functions)
If you are using Google App Engine or Google Functions, you should use the /cloudsql socket provided by the environment. See this page here for examples.
Private IP (Compute or Kubernetes Engine)
To connect via Private IP, your app needs to have access to a VPC. This can be either a Compute VM or a GKE cluster. Then you app can access the "Private IP" for the instance just like it would a local database.
Public IP (Anything with access to the internet)
Finally, you can connect via Public IP. This can be done as long as you have access to the internet, but by default public connections need to be authenticated. This can be done 3 different ways:
Using the Cloud SQL proxy
Using an SSL cert
Whitelisting an IP address
Hope this helps.

Allow load balanced instances to connect single compute instance postgresql server

I am looking for GCP networking best practice, where I can allow connection of auto-scaled instances to Postgresql server installed on separate instance.
So far I tried whitelisting load-balancer IP within firewall and postgresql config file, but failed.
Any help or pointer is highly appreciated.
The load-balancer doesn't process information by itself, it just redirects Frontend addresse(s) and manage the requests with Instance Groups.
That instance group should manage the HTTP requests and connect with the database instance.
The load-balancer is used to dynamically distribute (or even create additional instances) to handle the requests over the same Frontend address.
--
So first you should make it work with a regular instance, configure it and save the instance template. Then you can proceed with creating an instance group that can be managed by a load-balancer.
EDIT - Extended the answer from my comment
"I don't think your problem is related to Google cloud platform now. If you have a known IP address for the PostgreSQL server (connect using an internal network IP address so it doesn't change), then make sure your auto-balanced instances are in the same internal network, use db's internal IP and connect to it."

UDP Socket over cloud provider

I am using Appache Tomcat to host webpages that can be accessed by authenticated users and a UDP socket has been opened on port 14550 in which devices sends a stream of communication messages. The system is working fine in the local network. I tried to host the this in Openshift and later found that Openshift does not allow external UDP communication. Now I am considering Amazon EC2 instance, new VM in Azure or in GCP. I would like to know that will there be any issue in using the sockets from my application. Thank you in advance.
No, on AWS EC2 everything is allowed, you just need to configure your Security Group to allow specific web traffic, UDP traffic can also be allowed their.
I was also looking for possible workaround for this issue, but it's quite easy irrespective of what platform language you are using to develop socket program on AWS EC2, as am using Node.js nginx in my case, this should work for all supporting platforms.
Configure Security Group
In the AWS console, open the EC2 tab.
Select the relevant region and click on Security Group.
You should have an default security group if you
have launched an Elastic Beanstalk instance in that region for your
app.
click on Actions button at top, and select Edit inbound rules.
here in Type column select All UDP, or you can set some Custom UDP
rule as well to listen at your socket port.
And there just enter port of your UDP server Ex: 2020.
And that's it!
Note: If something is not working, check the "Events" tab in the Beanstalk application / environments and find out what went wrong.