CIDR and IP Address Ranges - kubernetes

I am a programmer trying to get Rancher (Kubernetes) set up. Rancher's config file has a setting called service_cluster_ip_range.
It expects a CIDR notated subnet.
My network team gave me a "24" subnet. They told me that the IP address range I can use is 10.70.9.11 - 10.70.9.254.
As I understand things, when you say 10.70.9.0/24 you are referring to 10.70.9.1 - 10.70.9.254.
When I asked my network team if I could have addresses 1 - 10 as well I was told that they were reserved for network gear (and that the network would fail if they gave me those addresses).
So, my question is does CIDR deal with exclusions like this? Can you say something like 10.70.9.0/24 Excluding (.1 through .10) or something like that?
Or will I have to give up a bunch of addresses and do 10.80.9.128/25?

You cannot express exclusions with CIDR notation. You can give up a bunch of IP addresses by using a /25 range.
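To see what the stated range looks like in CIDR terms, here is an added example (not part of the original question or answer) that uses Python's ipaddress module to list the exact CIDR cover of 10.70.9.11 - 10.70.9.254 and to check which addresses of a candidate block fall outside it. The candidate 10.70.9.128/25 (the upper half of the /24 in the question) and the function names are assumptions.

```python
import ipaddress

# Range stated in the question.
FIRST, LAST = "10.70.9.11", "10.70.9.254"


def exact_cover(first, last):
    """Smallest list of CIDR blocks that covers first..last exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def largest_blocks(first, last):
    """The biggest single CIDR blocks that fit entirely inside first..last."""
    blocks = exact_cover(first, last)
    shortest = min(b.prefixlen for b in blocks)
    return [b for b in blocks if b.prefixlen == shortest]


def outside_range(cidr, first, last):
    """Addresses of cidr (network and broadcast included) outside first..last."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [a for a in ipaddress.ip_network(cidr) if not lo <= a <= hi]


if __name__ == "__main__":
    cover = exact_cover(FIRST, LAST)
    print(len(cover), "blocks are needed to express the range exactly:")
    for block in cover:
        print("  ", block, "-", block.num_addresses, "address(es)")
    print("largest blocks inside the range:",
          [str(b) for b in largest_blocks(FIRST, LAST)])
    # Assumed candidates: the whole /24 and its upper half.
    for candidate in ("10.70.9.0/24", "10.70.9.128/25"):
        extra = outside_range(candidate, FIRST, LAST)
        print(candidate, "has", len(extra), "address(es) outside the range")
```

Covering the range exactly takes 12 blocks, and the largest single blocks that stay inside it are /26; 10.70.9.128/25 reaches one address (10.70.9.255) past the stated upper bound.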

Related

CIS Firewall Issue

Finding it difficult on how to apply firewall rules for Global Load Balancer & DNS records managed as part of IBM CIS service. Unable to find descriptive documentation regarding that.
Would appreciate it if we can get help on how to address the below concerns:
We've enterprise plan for IBM CIS service & currently under a single CIS instance, we have 2 Global Load balancers plus 4 DNS records managed via it.
We have a requirement for the below:
1) To whitelist Global Load Balancers to be accessible only from the defined set of IP ranges
2) To whitelist DNS records to be accessible only from the defined set of IP ranges
3) To blacklist certain Global Load Balancers URL patterns
To us, it is not clear how to use the feature "IP rule" or "Domain lockdown". Examples or a scenario-based approach which explains the use case of each of these options would help.
I am part of the development team for CIS. Can you please open a Support Ticket with the following information
CRN for the Instance and Domain name
Details on the Firewall Rules you want to add
1) To whitelist Global Load Balancers to be accessible only from the defined set of IP ranges
2) To whitelist DNS records to be accessible only from the defined set of IP ranges ----- Are you asking for Private DNS.
3) To blacklist certain Global Load Balancers URL patterns ---- Can you please give examples?
Thanks Vasu

How to access REST APIs hosted locally on Alexa

I am developing a custom Alexa Skill and have a requirement where I want Alexa to access REST APIs that are hosted locally on http://localhost:8080? Any idea how to do this?
Thanks!
If you really want to do this, and I’m assuming you are hosting the skill on AWS Lambda, it would involve quite a bit of work.
Your local endpoints need to be accessible from outside of your network, which requires port forwarding in your router to your machine where the endpoints are hosted. This needs to be configured in your router.
An easier way is to deploy your project containing the API to something like Heroku, which can be done easily. They give you a domain and make the endpoints accessible to Lambda. This should be possible within their free tier.
Here's a link to a pretty good article about how IP addresses work.
Allowing a device sitting on your local network (eg. a laptop computer or Raspberry Pi connected to your wifi) to be accessed from outside your local network (eg. from a service running on AWS) will involve mapping 2 separate IP addresses:
The IP address assigned to your router (your public IP)
The private IP addresses assigned by your router to your devices (laptop, iPhone, RPi, etc).
You have a couple options for allowing your router's IP (#1) to be accessible from outside your local network:
a. Pay your internet provider to provide you with a static IP address
b. Use a dynamic DNS service such as DuckDNS or No-IP.
Once you have a fixed public IP that can be used to access your router, you will then need to map a port on your router (#1) to the device IP on your local network (#2). This is usually referred to as "port forwarding". Most routers will support configuring this. In effect, you tell your router "when you get a message to : pass it to my laptop :"
Your local private IP address will typically have an IP value like 192.168.0.23 (where the 23 can be anything from 1 to 254).
An outside IP will start with something other than 192. Refer to the first link above regarding IP ranges.
You can google "port forwarding" and "public IP" for more info on how IP addresses and port forwarding work, but hopefully this will help get you started. It may seem a bit complicated at first, but if I can understand it, then anyone can :-)

Turning PC Into A Server

Sorry if I have this in the wrong community but I'm hoping one of you can help me out anyway.
I have a web hosting account with a UK company who I'm happy with, but I'd like to set up a little hosting account from my laptop, just to see if it's possible and easy enough to do really.
Trouble is I've been doing a lot of research online but coming up empty when it comes to more of a "complete guide". Do any of you know of a good resource for setting up a home server for publishing "Live" websites with custom TLD domain names? I have a localhost server running and files hosted on there but I'm really looking for help with the IP and DNS parts for the custom domains.
For reference, I have a machine running Win7, Appserv 2.5.10, UK broadband and a .co.uk domain name registered with 123-reg.
Any help would be hugely appreciated.
You'll need to:
Point your domain to your laptop.
If you get a static public IP address from your ISP, then you can just point the A record to this IP address.
Where do I set this A record? Almost all domain registrars give you a nameserver for free. You point your domain to their nameservers (generally ns1.somedomain.com and ns2.samedomain.com etc.). In the nameserver config, create an A (stands for authoritative) record and put in your static IP address.
What if my ISP doesn't give me a static IP address? This is where services like dyndns come into the picture. They give you an agent that you'll install on your laptop; it detects the change in IP address and automatically updates the nameservers accordingly. There are some free variants of dyndns as well if you don't want to spend money on this.
But my laptop's IP address is something like 192.168.x.x and my site runs on localhost (127.0.0.1)? Your laptop is most likely NATed. Think about your public IP address to be that of your router. You will need to forward any connection coming to your router on port 80 or 443 to your laptop's (192.168.x.x) corresponding ports. This is called Port-Forwarding and all routers support this. Port-Forwarding is done by logging on to the admin interface of your router (many times it's at http://192.168.0.1 or http://192.168.1.1).
But again my application is accessible at localhost? You need to make sure your apache/nginx listens on 0.0.0.0 or at least the 192.168.x.x interface. This is how computers outside your laptop will be able to make a connection to your laptop on port 80/443.

How to authorize my dynamic IP network address in google-cloud SQL?

My internet connection has a dynamic IP address which keeps changing every time the modem is restarted, so I have a hard time configuring the Authorized Networks in Access Control.
This is explained at https://cloud.google.com/sql/docs/access-control#dynamicIP .
Your options are, and I quote:
Use a proxy service so that your application appears to come from only one IP address. Add this address to the authorized networks that can connect to the instance.
Use a CIDR range that covers all of the IP addresses from which your service might connect.
Use the CIDR range 0.0.0.0/0, which allows all external IP addresses to connect.
The third and last option, despite its attractive simplicity, has implications that may make it undesirable -- read the docs I'm pointing to.
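How much each choice of range admits can be computed before it is entered. The following added example (not from the original answer or the linked documentation) compares one covering CIDR, one block per observed provider pool, and 0.0.0.0/0. The observed addresses are constructed from documentation ranges, and the /24 pool size, the use of several entries, and the function names are assumptions.

```python
import ipaddress

# Constructed sample: client addresses seen after several modem restarts.
OBSERVED = ["198.51.100.20", "198.51.100.77", "203.0.113.5"]
ALLOW_ALL = ipaddress.IPv4Network("0.0.0.0/0")


def covering_cidr(addresses):
    """Tightest single CIDR block that contains every address given."""
    ips = [int(ipaddress.IPv4Address(a)) for a in addresses]
    lo, hi = min(ips), max(ips)
    # Every bit from the highest differing bit downward must be a host bit.
    prefixlen = 32 - (lo ^ hi).bit_length()
    return ipaddress.IPv4Network((lo, prefixlen), strict=False)


def per_pool_cidrs(addresses, pool_prefix=24):
    """One block per provider pool: widen each address to /pool_prefix
    (assumed pool size), then merge duplicates and adjacent blocks."""
    pools = {ipaddress.IPv4Network((a, pool_prefix), strict=False)
             for a in addresses}
    return list(ipaddress.collapse_addresses(pools))


def admitted(networks):
    """Total number of source addresses the given entries would authorize."""
    return sum(n.num_addresses for n in networks)


if __name__ == "__main__":
    single = covering_cidr(OBSERVED)
    pools = per_pool_cidrs(OBSERVED)
    print("single covering range:", single, "->", admitted([single]))
    print("one block per pool:   ", [str(p) for p in pools],
          "->", admitted(pools))
    print("allow everything:     ", ALLOW_ALL, "->", admitted([ALLOW_ALL]))
```

With these sample addresses the single covering range is 192.0.0.0/4, which authorizes 268,435,456 addresses, while two /24 entries authorize 512.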

Get Azure public IP address from deployed app

I'm implementing the PASV mode in an FTP server, and I send to the client the IP address and port of the data end point. This is stupid because the IP is actually where the client is already connecting, so there are two options:
How could I get the public IP address from a given instance? Not the VIP, but the public one.
How could I get the original target IP address that the user used from a Socket object? Considering routers and load balancers in the middle :P
An answer to any of these questions would do, although there is another way that could work... may I get the public IP address doing a DNS lookup of myapp.cloudapp.net?
A fourth option would be use the Azure Management API library... but, too much trouble :P.
Cheers.
Not sure if you ever figured this out, but here's my take on it. The individual role instances are all behind the Windows Azure load balancer and have no idea what the original, outward-facing IP address is. Also, there's no Management API call that returns IP address - Get Deployment returns the URL but not the IP address. I think the only option is going to be a dns lookup.
Having said that: I don't think you can host a passive ftp server in your role instance (at least not elegantly). You may open up to 25 input endpoints on your role (up from 5 - see my recent blog post about this update), but there's manual work involved in the configuration. I don't know if your ftp application lets you limit your port range to such a small number of ports. Also:
You'd have to define each port as its own input endpoint (this is the manual labor part I mentioned) - input endpoints don't allow a port range to be specified, unlike the internal endpoints.
You'd have to specify the port number that's used internally, and the port numbers would need to be sequential
One last thing on ftp: you should be able to host an sftp server with no trouble, since all traffic comes through one port.
The hack that I'm contemplating right now is to retrieve http://www.icanhazip.com/. It isn't elegant and is subject to the availability of that service, but it gets the job done. A better solution would be appreciated!