Restrict access to bluemix app - ibm-cloud

I have a node.js bluemix app. I don't want the bluemix app URL to be publicly available. Is there a way to restrict access to the bluemix app from certain IP addresses only?
I know I can build authentication in the app itself but I am trying to avoid that.
Thanks in advance.

The Bluemix CloudFoundry platform cannot restrict routes to a certain IP address. Like you said, all authentication has to be part of the application logic.
Check out the express-ipfilter npm module:
https://www.npmjs.com/package/express-ipfilter
Whitelisting certain IP addresses, while denying all other IPs:
// Init dependencies
var express = require('express');
// Newer releases of express-ipfilter export the middleware as
// require('express-ipfilter').IpFilter; older releases export the function directly.
var ipfilter = require('express-ipfilter');
// express.createServer() was removed in Express 3; express() returns the app
var app = express();

// Whitelist the following IPs; every other client receives a 403
var ips = ['127.0.0.1'];

// Register the filter before any routes so it runs on every request.
// On Bluemix the app sits behind the platform router, so the client address
// arrives in the X-Forwarded-For header; the filter has to be configured to
// read that header (see the module's options) or it will only ever see the
// router's address.
app.use(ipfilter(ips, {mode: 'allow'}));
app.listen(3000);

As Ram mentioned, you cannot restrict routes to a certain IP for a Bluemix app, but there is an alternative using IBM Containers.
You can deploy your node.js app in an IBM Container (docker) and use the IBM VPN service to restrict access to your container instance to your company's VPN.
You can find more details on this service here:
https://console.ng.bluemix.net/docs/services/vpn/index.html

Related

How to limit access in Cloud Foundry

I am new to Cloud Foundry.
Is there any way that only specific users can view and update an app deployed in Cloud Foundry?
1. I deployed an app in Cloud Foundry using the "cf push" command.
2. After entering the "cf push" command I got the message below.
Using manifest file /home/stevemar/node-hello-world/manifest.yml
Creating app node-hello-world-example...
name: node-hello-world-example
requested state: started
routes: {route-information}
last uploaded: Mon 14 Sep 13:46:54 UTC 2020
stack: cflinuxfs3
buildpacks: sdk-for-nodejs
type: web
instances: 1/1
memory usage: 256M
3. Using the {route-information} above, I can see the deployed app in a browser by entering the URL below.
https://{route-information}
This way, anyone can see the app from a browser, but I don't want it to be seen by everyone and want to limit access to specific users.
I heard that this global IP will be allocated to {route-information} by default.
Is there any way to limit access to only between specific users?
(For example,is there any function like “private registry” at Kubernetes in Cloud Foundry which is not open to public)
Since I am using Cloud Foundry in IBM Cloud it would be better if there is solution using IBM Cloud.
I’ve already granted cloud foundry role to the other user.
Thank you.
The Cloud Foundry platform itself does not provide any access controls for applications. If you assign a public route to your application, where the DNS is publicly resolvable and the foundation is on the public Internet, like IBM Bluemix, then anyone can access your app.
There are a number of things you can do to limit access, but they do require some work on your part.
1. Use a private DNS. You can add any domain you want to Cloud Foundry, even ones that don't resolve. That means you could add my-cool-domain.local which does not resolve anywhere. You could then add a record to /etc/hosts for this domain or perhaps run DNS on your local network to resolve this DNS domain and direct traffic to Cloud Foundry.
With this setup, most people cannot access your application because the DNS domain for the route to your application does not resolve anywhere. It's important to understand that this isn't really security, but obscurity. It would stop most traffic from making it to your app, but if someone knew the domain, they could add their own /etc/hosts entry or send fake Host headers to access your application.
This type of setup can work well if you have light security requirements, like you just want to hide something while you work on it, or it can work well paired with the other options below.
2. You can set up access controls in your application. Many application servers & frameworks can do things like restrict access by IP address or require user access (Basic auth is easy and it is OK if you're only allowing HTTPS traffic to your app, which you should always do anyway).
3. You can use OAuth2 to secure apps too. Again, many app servers & frameworks have support for this and make it relatively simple to secure your apps. If you don't have a corporate OAuth2 solution, there are public providers you can use. Exactly how you do OAuth2 in your app is beyond the scope of this question, but there's plenty of material out there on how to do this. Google for information on your application language/framework of choice.
4. You could set up an access gateway. This would be an application whose job is to proxy traffic to other applications on the foundation. The gateway could be something like Nginx, Apache HTTPD, or Spring Cloud Gateway. The idea is that the gateway would be publicly accessible, and would almost certainly apply access controls/restrictions (see #2; many of these proxies have access control options that only take a few lines of config). Your actual applications would not be deployed publicly though. When you deploy your actual applications, they would only be on the internal Cloud Foundry domain.
Cloud Foundry has local domains, often apps.internal (run cf domains to see if that shows up), which you can use to easily route traffic across the internal container-to-container network. Using this domain and the C2C network, you can have apps deployed to CF that are not accessible to the public Internet, except through your gateway.
Again, how you configure this exactly is outside the scope of this question, but check out the docs I linked to for info on using the C2C network & internal routes. Then check out your proxy server of choice's documentation.

Cloudsql access from ai-platform job

Google has nice ways to connect to Cloud SQL from other Google services, but I cannot see how to connect from AI Platform jobs. As part of our training job we need to update our Cloud SQL DB with metrics, but the only way I could get it to work is by whitelisting all IPs (don't want that!) in Cloud SQL and connecting via the public IP. I don't see an option to add cloud-sql-proxy to the trainer instance. Since the IP of the trainer instance is dynamic, we cannot reliably add a specific IP address to the whitelist. Any other ways to handle this?
It looks like AI Platform supports VPC peering, so you should be able to connect to Cloud SQL using private IP.
Since Cloud SQL also uses VPC peering, you'll likely need to do the following to get the resources to connect:
Create a VPC to share (or use the "default" VPC)
Follow the steps here to setup VPC peering for AI Platform in your VPC.
Follow the steps here to setup a private IP for your instance in your VPC.
Since the resources are technically in different networks, you may need to export custom routes (Step #2) to allow the AI platform access to your Cloud SQL instance.
Alternatively to using private IP, you could keep using public IP w/ an IP allowlist coupled with Authorizing with SSL/TLS certificates. This still isn't as secure as using the proxy or private IP (as users are technically able to connect to your instance), but they'll be unable to interact with the database engine without the correct certificates.
Can you publish a PubSub message from within your training job and have it trigger a cloud function that connects to the database? AI Platform training seems to have IAM restrictions that I too am curious how to control.

MongoDB Atlas - Configure IP Whitelist when hosting on AWS S3 and Cloudfront

How do I set the IP address Whitelist for a MongoDB Stitch application (MongoDB Atlas back-end) when the site is hosted on AWS S3 (using cloudfront)?
The site is currently working though I have never set an IP address.
I just don't want it to lose access at some point because I have failed to set the correct IP address whitelist. Perhaps it is not necessary because the cluster is already on AWS?
Thank you!
The IP Whitelist specifies IPs that the Atlas cluster will accept client requests from. Examples of clients include MongoDB Compass, the Mongo shell, and Stitch. In this case, your app only connects to Atlas indirectly through Stitch. Stitch automatically adds its own whitelist entries for itself as client.
Stitch does not restrict any cross-domain requests unless you specify Allowed Origins in the Stitch settings. Otherwise, no apps using the client SDKs would work without explicit whitelisting!
This is the control panel where you could set Allowed Origins, if you only want to be able to connect to Stitch from some specific domains:
In short, you do not need to configure the IP Whitelist to allow your site to communicate with Stitch. Everything should keep working!

What IP ranges to allow through firewall for IBM Watson API Gateway?

We are running an internal application which needs to connect to IBM Watson. Our Firewall team is looking for the IP Ranges we should allow for communication with Bluemix.
Name  | Geolocation | Customer | Deployment | Domain            | CF API endpoint                | Type
eu-de | Germany     | IBM      | Production | eu-de.bluemix.net | https://api.eu-de.bluemix.net  | public
I found a very useful webpage, but there is no information regarding the API Gateway in Frankfurt.
https://knowledgelayer.softlayer.com/faq/what-ip-ranges-do-i-allow-through-firewall
Can you help?
The Watson API hosts depend on where your service was instantiated.
us-south: https://gateway.watsonplatform.net
eu-de: https://gateway-fra.watsonplatform.net
You only need to enable requests to the host where your Watson service instance is running. Make sure you use the URL and not the IP because it may change.

Create private instance on Cloud Foundry

I'm currently deploying on Cloud Foundry. Now I have a frontend server and a backend server.
Both are deployed as microservices with the Cloud Foundry nodejs buildpack.
I would like to hide the backend server from the outside world, so that only my frontend server can access it. How do I do that?
If I remove the route to the backend server the server is hidden from the outside but then I do not know how to access it from my frontend.
I'm new to Cloud Foundry maybe there is an easy way.
Thanks
Andreas
Thanks for the information so far.
I do however not understand how I could now hide my backend instance from being accessed from the outside, but allow access from the frontend?
Basically, what rule would I need to set in my space in order to allow only port 80 to be accessed on my frontend instance (let's say the frontend IP is 168.192.0.5)?
could you make an example?
If you are using OSS Cloud Foundry, you can put the backend services into their own space, and then set the security group rules for that space so that they will not respond to outside IP addresses:
https://docs.pivotal.io/pivotalcf/adminguide/app-sec-groups.html
If you are using Pivotal Cloud Foundry, you can use Spring Cloud Service Discovery, as Amit said.
What about using "cf push myjavaapp --no-route"?
The no-route option tells Bluemix that your backend is not a web application.
Another solution to hide the back-end microservice from the public is to use containers (also available on Bluemix, based on Docker, see https://www.ng.bluemix.net/docs/containers/container_gettingstarted.html). Containers have a private IP by default and can access other containers in the same space. You can assign the front-end microservice a public IP using e.g. the following command
cf ic ip bind {public_ip} {container_name}
but don't assign a public address to your back-end microservices.
(A few weeks ago I've created a simple example for a microservice in a container, you can find the code at
https://hub.jazz.net/project/matthiashub/bluemix-unistuttgart-container/overview I admit that this was done in Java and not in nodejs but I think you get the idea.)