I am trying to integrate APIM(External) to the VNet where AKS is running. right now, I have created /29 CIDR subnet where AKS subnet is there and assigned to the APIM but APIM keep complaining that port 3443 is blocked. I have specifically added the rule to allow 3443 as mentioned in the troubleshooting steps https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet#-common-network-configuration-issues to NSG assigned to the subnet, but still it throws the error? can someone help me how to troubleshoot further?
NSG Rule for subnet -> Inbound
> priority- 102, Name - Port_3443, port - 3443, protocol - TCP, Source -
> ApiManagement, Destination - VirtualNetwork, Action - Allow
Update:
I have removed NSG from the subnet where APIM is, still its showing the same issue
From the document, you need to deploy the APIM instance in a dedicated subnet that does not contains other resources.
When deploying an Azure API Management instance to a Resource Manager
VNET, the service must be in a dedicated subnet that contains no other
resources except for Azure API Management instances. If an attempt is
made to deploy an Azure API Management instance to a Resource Manager
VNET subnet that contains other resources, the deployment will fail.
You could deploy an AKS in a different subnet in that VNet that APIM instance exists. If there is no NSG assigned, it means wide open to or from that VNet.
You can get more references at https://blog.baeke.info/2019/06/10/azure-api-management-and-azure-kubernetes-service/
Related
I am learning how to create an APIM instance using Powershell using the steps give here. https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway
Here at one point they talk about creating a API Management virtual network object.
What exactly is API Management virtual network object ?
AFAIK,
Within the Network, to access backend services - Azure APIM Instance should be deployed in an Azure Virtual Network.
So, you would be creating the Virtual Network, subnets in that created VNet, NSGs, NSG rules for the Application Gateway, etc.
When you attach the above details (VNet, SubNet Data) in an object to the APIM Instance/Service, it can be known as APIM Virtual Network Object.
I have a Python application which has been deployed to openshift.
I am using an external REST service in my application. In order to use this service, the developers of the REST service have to whitelist my IP because a Firewall blocks unauthorized IP addresses.
How can I find the external IP of my application? How can I find it in openshift? I tried a few OC commands, but I am not sure if I have to get the IP of the pod or the service.
Out of the box the traffic from internal cluster components will appear to external infrastructure like they are coming from whichever OpenShift compute host their pods are currently scheduled on.
Information on internal cluster networking and how traffic traverses from a process running inside a pod to the external network can be found at SDN: Packet Flow.
In your case you could have the external application whitelist all of the ip addresses of the compute hosts that are expected to run your application pods.
Alternately you could set up an EgressIP. This will cause all traffic originating from a specific OpenShift project to appear as if it is originating from a single ip address. You could then have your external application whitelist the EgressIP address.
Documentation for configuring EgressIP can be found in the official documentation under Enabling Static IPs for External Project Traffic
What you are searching for is the external IP of the Service. A Service acts as a load balancer for your pods but by default it only has a cluster-wide IP address. If you need a URL to access it from the outside, you can create a Route. For your purpose where you need an actual external IP address, you can assign the Service an external IP manually. Information on how to do this can be found in the official OpenShift Docs.
I am running Kubernetes in GCP and I have the GKE cluster and the container registry in separate projects. I added the GKE service account to my GCR project and everything works great.
Now, I would like to restrict any outgoing traffic from my GKE project at the compute level. I have added an egress firewall rule to drop any traffic going out of my VPC network. As a consequence, GKE can't pull images from the registry anymore. I added another firewall rule to allow egress traffic for the GKE service account, but to get it to work I had to add "0.0.0.0/0 all ports" as destination filter. Is there a better way to do this? Is there an IP address range / port for GCR?
Thanks!
GCR does not have a dedicated IP address range.
I am unaware of a way to restrict traffic only for GCR.
Sorry.
There is actually a way to do it.
Create a VPC network and enable the Private Google Access. As you can read in the documentation:
Accessible Services
Google services that you can reach using Private Google access include:
Container registry services, a private Docker image repository on Google Cloud Platform
Then don't allow any connection in the firewall, and it will be blocked by default. With this you will get a GKE cluster that isn't reachable but it will be able to pull images in the GCR.
little old but you can use a GKE private cluster: https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
I found for some reason gcr.io resolves to aws fqdn, so private google access does not work. In my case the cluster is private, so I had to add a cloud nat and allow 443 out. I was able to pull after the firewall rule was created.
I have Google Cloud project consisting of a compute engine instance which I want to configure as a push subscriber of Cloud Pub/Sub service. I have setup an apache webserver with a self-signed certificate on the instance and have also made a DNS entry (abc.mydomain.com) which points to the instance which has a static IP address. I am already a verified owner of the domain (mydomain.com) on webmasters.
Whenever I add the subscription from the Cloud console, it fails with the error: "The subscription could not be added" and does not show any other useful information.
Please help.
Self-signed certificates are not supported.
There are few options for you:
Pay for the certificate
Use App Engine as a proxy
Use pull subscriptions
Use App Engine Managed VM
The last one is basically a Compute Engine instance, but you will get free https connection via a subdomain of appspot.com.
i need to know if the following scenario is possible using Google Cloud:
I need to have a IPSec VPN with a partner, the thing is that at their side they will allow only one of my hosts access their network, at their side they configure a ACL as follows: network-object host X.X.X.4.
So, is a must that in the negotiation of phase 2, Google Cloud send as local address the ip number allowed by their X.X.X.4, and not the network X.X.X.0/something, if that happens phase 2 will crash.
Is possible to configure the VPN using this requirement?
Regards,
Will.
You could try creating a /30 network in your project and hosts the VM that you would like to interact with the partner and setup the VPN tunnel
If you have another network, where other VM/Apps exists, setup a cross-vpn between the VPN tunnels in your project, just that they are in different network within the same project.