Can we create transit vlan on Virtual Server hosted on IBM Cloud? - ibm-cloud

Similar to what is possible with a Vyatta Gateway, is it possible to have a transit VLAN on a VM?

You cannot create a transit VLAN on a virtual server as you do with a Vyatta gateway, because a Network Gateway is sized to handle the routing load for multiple VLANs and a virtual server is not.
For more information you can review these documents:
https://www.ibm.com/cloud/virtual-servers
https://knowledgelayer.softlayer.com/topic/gateways
https://knowledgelayer.softlayer.com/learning/network-gateway-devices-vyatta

Related

How do I simulate a VPN connection to Google Cloud?

So I have GCP set up with Kubernetes, and I have a web app (Apache OFBiz) running on pods in the GKE cluster. We have a domain that points to the web app, so essentially it's accessible from anywhere on the internet. Our issue is that, since this is a school project, we want to limit access to the web app to the internal network on GCP; we want to simulate a VPN connection. I have a VPN gateway set up, but I have no idea what to do on any random computer to simulate a connection to the internal network on GCP. Do I need something else to make this work? What are the steps on the host to connect to GCP? And finally, how do I go about limiting access to the web app so only people on the internal network have access to it?
When I want to test a VPN, I simply create a new VPC in my project and connect both with Cloud VPN. Then, in the new VPC, you can create VMs that simulate computers on the other side of the VPN and thus simulate what you want.
To set up a VPN on GCP you can use Cloud VPN with static or dynamic routing; you will need to configure a remote peer at the location from which you want to access your GCP resources, to establish the connection towards the Cloud VPN gateway on the GCP end.
This means you may need a router on your on-premises network that supports creating VPN tunnels, or a host that acts as a router and establishes the connection towards Cloud VPN using VPN software (Strongswan, for example).
You can block external access to the resources on your VPC network by using GCP firewall rules and allowing only the specific ports or source IP ranges you want.
Another option, even if it's not a VPN or encrypted traffic, is to only allow ingress traffic from the public IP from which you would like to connect to your internal VPC, but this is less secure and would only work if you have a static public IP on premises.
Since you said this is a school project, I would recommend asking your teacher for more direct advice. That said, you can't "simulate" a VPN, but you can set up an IPSec client on your laptop or whatever and actually connect to it. Unfortunately Google doesn't appear to have any documentation on this, so I'm guessing they presume you already know IPSec well enough to write a connection config yourself.
Using kubectl port-forward might be an easier solution.

OpenVPN routing across AWS regions

I have an AWS account with a VPC in Ireland and another in Sydney, which are connected via VPC peering.
I have 2 Windows servers, one in Ireland, one in Sydney, both in a private subnet. From a server in Ireland I can RDP to the server in Sydney using its private address, therefore my VPC peer is working.
To connect to the Ireland server, I have an OpenVPN server in the public subnet to which I connect the OpenVPN client on my client machine. Once connected, I can RDP to the Ireland server. All good.
I am trying to connect to the Sydney server from my client machine, using the route client --> Ireland --> VPC link --> Sydney.
I have pushed routes via my OpenVPN config, which means that when I ping the Sydney server it now goes via the VPN instead of my home router, but it times out after the first hop.
C:\Windows\system32>tracert -d 10.150.224.50
Tracing route to 10.150.224.50 over a maximum of 30 hops
1 26 ms 25 ms 25 ms 10.41.0.1
2 * * * Request timed out.
I am at a loss as to what happens after that hop; there is also a possibility that I have some config missing in OpenVPN. Any help / guidance would be greatly appreciated!
Unfortunately you cannot do what you want in AWS.
This is an invalid configuration, as per AWS docs:
Edge to edge routing through a gateway or private connection
If either VPC in a peering relationship has one of the following connections, you cannot extend the peering relationship to that connection:
A VPN connection or an AWS Direct Connect connection to a corporate network
An internet connection through an internet gateway
An internet connection in a private subnet through a NAT device
A gateway VPC endpoint to an AWS service; for example, an endpoint to Amazon S3.
For example, if VPC A and VPC B are peered, and VPC A has any of these connections, then instances in VPC B cannot use the connection to access resources on the other side of the connection. Similarly, resources on the other side of a connection cannot use the connection to access VPC B.
You have two options:
Configure your OpenVPN server to do NAT instead of routing and therefore "hide" the real source IP of the connection
Create another VPN connection with another OpenVPN server in Sydney region
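The first option from the answer above, worked through as an added example (this is not code from the question or the answer): a script for the Ireland OpenVPN server that source-NATs VPN-client traffic bound for the Sydney subnet to the server's own VPC address, so the peering connection only ever sees a source inside the Ireland VPC CIDR instead of a VPN address it will not carry edge-to-edge. The subnets 10.41.0.0/24 (OpenVPN clients, from the 10.41.0.1 first hop in the traceroute) and 10.150.224.0/24 (Sydney, from the target 10.150.224.50) are inferred from the question, and the VPC-facing interface name eth0 is an assumption. By default it only prints what it would do; DRY_RUN=0 as root applies it.

```shell
#!/bin/sh
# Added example (not from the question or answer): apply the "NAT instead of
# routing" option on the Ireland OpenVPN server.
#   10.41.0.0/24     assumed OpenVPN client subnet (10.41.0.1 is the server's
#                    tun address in the question's traceroute)
#   10.150.224.0/24  assumed Sydney subnet (10.150.224.50 is the target host)
#   eth0             assumed VPC-facing interface; check with: ip route get 10.150.224.50
set -eu

VPN_CLIENTS="${VPN_CLIENTS:-10.41.0.0/24}"
PEER_SUBNET="${PEER_SUBNET:-10.150.224.0/24}"
VPC_IF="${VPC_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"   # DRY_RUN=0, run as root on the OpenVPN server, applies the rules

# cidr_to_netmask BITS -> dotted netmask (24 -> 255.255.255.0), one octet at a
# time so it never needs more than 9 bits of arithmetic. OpenVPN's "push route"
# directive takes a netmask rather than a prefix length.
cidr_to_netmask() {
  bits=$1; out=""
  for _ in 1 2 3 4; do
    if [ "$bits" -ge 8 ]; then
      o=255; bits=$((bits - 8))
    else
      o=$(( 256 - (1 << (8 - bits)) )); bits=0
    fi
    out="${out:+$out.}$o"
  done
  printf '%s' "$out"
}

# push_route_line CIDR -> the server.conf line that steers client traffic for
# CIDR into the tunnel (the part the question already has working).
push_route_line() {
  printf 'push "route %s %s"' "${1%/*}" "$(cidr_to_netmask "${1#*/}")"
}

# nat_rule -> iptables rule that rewrites the source address of client packets
# bound for the peered VPC to the OpenVPN server's own VPC address. The Sydney
# side then sees a source inside the Ireland VPC CIDR, which peering does route,
# instead of a 10.41.0.0/24 source that AWS will not carry across the peering.
nat_rule() {
  printf 'iptables -t nat -A POSTROUTING -s %s -d %s -o %s -j MASQUERADE' \
    "$VPN_CLIENTS" "$PEER_SUBNET" "$VPC_IF"
}

# run CMD: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $1"; else sh -c "$1"; fi
}

run "sysctl -w net.ipv4.ip_forward=1"
run "$(nat_rule)"
# Only needed when the FORWARD chain policy is DROP: permit the flow both ways.
run "iptables -A FORWARD -s $VPN_CLIENTS -d $PEER_SUBNET -j ACCEPT"
run "iptables -A FORWARD -s $PEER_SUBNET -d $VPN_CLIENTS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
echo "add to the OpenVPN server config: $(push_route_line "$PEER_SUBNET")"
```

Because the Sydney server now sees connections from the OpenVPN server's private address rather than from 10.41.0.0/24, its security group has to allow RDP (TCP 3389) from that address, and the Ireland route table's peering route must cover 10.150.224.0/24 (it already does, given the working Ireland-to-Sydney RDP). The trade-off is that Sydney-side logs will show every VPN user as the OpenVPN server; the answer's second option, a second OpenVPN server in Sydney, keeps real client addresses visible.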

Network Bandwidth IBM SOFTLAYER CLOUD

What is the best way to capture the monthly network bandwidth (ingress/egress), or outbound and inbound public traffic? Do I select individual devices to get the bandwidth used, or do I select my Vyatta device only, as everything should pass through that for public traffic to and from the internet?
Also, what options do I have to see which servers specifically are passing public traffic across the internet? Are there any dashboard tools / APIs available for this?

Sending UDP packets from Azure Web App to statsD

I'm trying to gather some statistics from our web applications. We're hosting our applications on Azure. It's usually a Web App resource containing one or many web jobs.
For monitoring tools I'm using:
statsD.JustEat nuget package (a C# client that sends statistics using UDP)
telegraf, hosted on an Ubuntu virtual machine; it gathers data and every x seconds writes it to influxDb. It is listening on port 8125.
That's the overview:
overview diagram
The problem I'm having: when the application is hosted as a Web Job in Azure, I'm not able to send any UDP packet to telegraf. I'm also not able to get any exception or any log telling me what happened.
I was trying to send some statistics:
to host (public IP of my virtual machine), port 8125
to host (private IP of my virtual machine), port 8125
With these scenarios:
Console app - external network - public IP -> works perfectly!
Web Job (connected to VNET) - public IP -> doesn't work! (that's most surprising)
Web Job (connected to VNET) - private IP -> doesn't work!
Web Job (disconnected from VNET) - public IP -> doesn't work!
Does Azure have some limitations? The VNET also has inbound and outbound rules opening port 8125 (see overview).
Do you have any ideas why this should be failing, or do you know any tools which I could use just to investigate this more?
Thanks for help!
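A small probe for narrowing down where the datagrams are lost, added here as an example and not part of the question: it builds a statsd metric line in the wire format telegraf's statsd input reads, checks that the line is well formed, and sends it as one UDP datagram to the collector. Port 8125 comes from the question; the host value is a placeholder for the telegraf VM's IP, and the metric name probe.webjob.udp is made up for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the question): build one statsd metric line, check
# that it is well formed, and send it as a UDP datagram to the collector so that
# arrival can be verified on the telegraf host. Port 8125 is from the question;
# the host default is a placeholder to replace with the telegraf VM's IP.
set -eu

STATSD_HOST="${STATSD_HOST:-127.0.0.1}"
STATSD_PORT="${STATSD_PORT:-8125}"

# statsd_line NAME VALUE TYPE [SAMPLE_RATE] -> "name:value|type[|@rate]",
# the wire format telegraf's statsd input parses.
statsd_line() {
  if [ -n "${4:-}" ]; then
    printf '%s:%s|%s|@%s' "$1" "$2" "$3" "$4"
  else
    printf '%s:%s|%s' "$1" "$2" "$3"
  fi
}

# statsd_valid LINE -> 0 when LINE has the shape name:number|type with a known
# metric type (c g ms s h), 1 otherwise. Rejecting malformed lines before they
# leave the host keeps a client-side formatting bug from looking like a network drop.
statsd_valid() {
  case "$1" in
    *:*\|*) ;;
    *) return 1 ;;
  esac
  name=${1%%:*}
  rest=${1#*:}
  value=${rest%%|*}
  mtype=${rest#*|}
  mtype=${mtype%%|*}
  [ -n "$name" ] || return 1
  case "$value" in
    ''|*[!0-9.+-]*) return 1 ;;
  esac
  case "$mtype" in
    c|g|ms|s|h) return 0 ;;
    *) return 1 ;;
  esac
}

# statsd_send LINE -> one UDP datagram via bash's /dev/udp pseudo-device, or nc
# when running under another shell. UDP carries no acknowledgement: a zero exit
# status only means the datagram left this host, which is exactly why the web
# job scenarios in the question produce no exception or log entry.
statsd_send() {
  statsd_valid "$1" || { echo "refusing to send malformed line: $1" >&2; return 1; }
  if [ -n "${BASH_VERSION:-}" ]; then
    printf '%s\n' "$1" > "/dev/udp/$STATSD_HOST/$STATSD_PORT"
  elif command -v nc >/dev/null 2>&1; then
    printf '%s\n' "$1" | nc -u -w1 "$STATSD_HOST" "$STATSD_PORT"
  else
    echo "need bash or nc to send UDP" >&2; return 1
  fi
}

# STATSD_SEND=1 actually emits the probe counter; the default only prints it.
probe=$(statsd_line probe.webjob.udp 1 c)
if [ "${STATSD_SEND:-0}" = 1 ]; then
  statsd_send "$probe"
  echo "sent: $probe -> $STATSD_HOST:$STATSD_PORT"
else
  echo "would send: $probe -> $STATSD_HOST:$STATSD_PORT (set STATSD_SEND=1)"
fi
```

Run it with STATSD_SEND=1 STATSD_HOST=<telegraf VM IP> from the host whose path you are testing, while on the telegraf VM `sudo ss -lun | grep 8125` confirms something is bound to UDP 8125 and `sudo tcpdump -ni any udp port 8125` shows whether the datagram arrives at all. If tcpdump on the VM never sees it, the drop is between the sender and the VM (the App Service outbound path, the NSG, or the VNET integration) rather than in telegraf; if it arrives but no metric appears in InfluxDB, the problem is on the telegraf side.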

How to find IP of my server for Microsoft's Cloud

I created a TCP/IP application and published it to Microsoft's cloud, but for now I don't know how to find the IP of my server.
Or in other words, how can I find the IP at which the implemented role was deployed?
It depends on whether you are trying to get the public IP or the private IP of the server.
If you want to reach this server from outside of the Azure network, then you are looking for the public IP. In this case you must define an InputEndpoint for your role. You'll be required to specify a FQDN for your app. You can find the IP address of this FQDN using the usual methods like tracert, ping, etc.
If you want to reach this server from within the Azure network, typically you'd want some other role in your tenant to communicate with this server, then you'd need to define an InternalEndpoint for your server. You can then use the ServiceRuntime library to discover the private endpoint of your role instance.
Enabling Communication for Role Instances in Windows Azure is an excellent resource to get a better understanding of how this works.