Accessing IP restricted URI from Azure function (powershell) - function

I'd like to know given a Powershell function such as:
$url = "http://AnIPrestrictedURL"
[xml]$xml = (new-object System.Net.WebClient).DownloadString($url)
With $url being an IP-restricted URL, what are my options (if any) to make this work? Is a VPN an option, or some other method? Would ExpressRoute (cost obviously not being a factor) or a point-to-site VPN work for this?
EDIT: To make this clearer: I have control of the IP-restricted URL's server, so in theory I could allow access to it via VPN / ExpressRoute, presumably without the IP restriction? This is the point of the question.
Perhaps I should have said "how can I use an Azure Function with a service I do not want to be publicly accessible?" If it matters, the end service is SOLR.

While the list of Outbound IPs is provided for Azure Web App (and is stable), the equivalent does not exist for Azure Function Apps. The reason is that they get scaled out very dynamically, and can end up running across many scale units, each with a different set of Outbound IPs.
So generally, you cannot make assumptions on Outbound IPs when using Azure Functions.

Related

Functions triggered by Eventhub

We have an existing solution where an Event Hub ingests real-time event data from a source. We are using a SAS key for authentication and authorization. For additional security we have whitelisted the IPs of the source on the Event Hub. We also have a Databricks instance within a VNet reading from this Event Hub. The VNet has been whitelisted on the Event Hub as well.
We now have a new requirement to read off the Event Hub using Azure Functions. The problem is that since we have enabled IP whitelisting on the Event Hub, we need to whitelist the IPs of the functions as well, and we can't figure out which Inbound IPs to whitelist on the Event Hub.
The documentation says that the inbound IPs remain mostly the same but can change for Consumption plan which is what we intend to use.
Does that mean the only other solution is that we need to whitelist the entire Azure region where our functions are hosted using the list in the link Azure service IPs?
Any other suggestions what we can try?
Does that mean the only other solution is that we need to whitelist the entire Azure region where our functions are hosted? Any other suggestions what we can try?
Yes, if you don't know the outbound IP address of the Azure Function app, add the region's IP ranges to the whitelist. You can get those here.
More realistic option: you can put your function app in an Azure VNet and let the VNet access the Event Hub. However, this requires an App Service Plan or Premium Consumption Plan Function.

Whitelist IBM Cloud function location

Hi, does anyone know what I can use to whitelist IBM Cloud Functions locations? I wrote a function that makes REST API calls to a server, but the server needs to whitelist incoming requests. E.g. if I select "US South" as the location for my IBM Cloud function, what IP/domain/hostname etc. does that appear as, so I can whitelist it?
Thank you.
I recommend having a look at IBM Cloud's Statica service, which allows you to access restricted resources behind firewalls and whitelisted services using a static IP, regardless of where your app is running or the number of instances.
https://console.bluemix.net/catalog/services/statica
Does this help?

App Maker: Public facing IP for UrlFetch?

What are the public-facing IP addresses when App Maker calls an external service with UrlFetch?
My external service insists on whitelisting these. Is there a public list available from Google?
Within App Maker, I want to use UrlFetch to call an external service, very much like the App Maker sample.
I see there is a list of Apps Script's IP address ranges for JDBC. Would these be the same ranges?
(https://developers.google.com/apps-script/guides/jdbc#accessing)
Thanks in advance,
John
Since App Maker uses Apps Script's URL Fetch service, you need to look at their doc to answer this question. From what I can tell from:
https://developers.google.com/apps-script/reference/url-fetch/url-fetch-app
You need to go here:
https://cloud.google.com/appengine/kb/#static-ip
And then follow these instructions. Since Stack Overflow has an issue with simply posting links (although I really recommend you go to the link :), I'll summarize the instructions here:
nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8
And then nslookup each "include" in the response. This gives you all the IPs currently in use.
Edit: It looks like these might be the same IPs Google uses for its general URL fetch service, which could mean that if you're whitelisting these IPs you may also be whitelisting all App Engine applications, and probably even more. Obviously you'd be whitelisting all Apps Script and App Maker applications, so I assume this doesn't matter, but I just wanted to mention it. If your service is trying to rely on this for security reasons then, obviously, it's not adequate.
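An added example, not part of either answer above: the nslookup procedure (resolve the _cloud-netblocks TXT record, then nslookup every "include") is an SPF-style chain, and the script below walks it programmatically, collects the ip4:/ip6: CIDRs, and then does the membership check an allowlisting service would perform on a client IP. The same check is what the Event Hub answer above implies when it says to whitelist a whole region's ranges: any address in those ranges passes, which is why the editor's note about this not being adequate security holds. The TXT records in the block are constructed sample data in the same shape as the real ones (RFC 5737/3849 documentation prefixes), not Google's actual netblocks; the lookup_txt_live function is the one that runs the real nslookup and is assumed to produce output containing the quoted TXT strings.

```python
# Added example: follow an SPF-style include: chain of TXT records to a list
# of CIDR netblocks, then check whether a client IP is inside any of them.
# The records in SAMPLE_TXT are CONSTRUCTED for this example; they are not
# Google's real _cloud-netblocks data.
import ipaddress
import re
import subprocess

SAMPLE_TXT = {
    "_cloud-netblocks.googleusercontent.com":
        "v=spf1 include:_cloud-netblocks1.googleusercontent.com "
        "include:_cloud-netblocks2.googleusercontent.com ?all",
    "_cloud-netblocks1.googleusercontent.com":
        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ?all",
    # This record includes netblocks1 a second time, so the resolver has to
    # tolerate repeated includes (and, by the same mechanism, cycles).
    "_cloud-netblocks2.googleusercontent.com":
        "v=spf1 ip6:2001:db8::/32 include:_cloud-netblocks1.googleusercontent.com ?all",
}


def lookup_txt(name, records=SAMPLE_TXT):
    """Offline TXT lookup against the constructed table (empty string if absent)."""
    return records.get(name, "")


def lookup_txt_live(name, resolver="8.8.8.8"):
    """Live variant: runs the same nslookup as the answer and joins the quoted
    TXT strings from its output. Assumed output format; not used by the test."""
    out = subprocess.run(
        ["nslookup", "-q=TXT", name, resolver],
        capture_output=True, text=True, check=False,
    ).stdout
    return " ".join(re.findall(r'"([^"]*)"', out))


def collect_netblocks(name, lookup=lookup_txt, _seen=None):
    """Return the ip4:/ip6: networks reachable from `name` by following include:
    mechanisms. Names already visited are skipped, which handles both repeated
    includes and include cycles; duplicates are dropped in first-seen order."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        return []
    seen.add(name)
    nets = []
    for token in lookup(name).split():
        if token.startswith("include:"):
            nets.extend(collect_netblocks(token[len("include:"):], lookup, seen))
        elif token.startswith(("ip4:", "ip6:")):
            # "ip6:2001:db8::/32" -> split on the first colon only
            nets.append(ipaddress.ip_network(token.split(":", 1)[1], strict=False))
    unique = []
    for net in nets:
        if net not in unique:
            unique.append(net)
    return unique


def is_allowed(client_ip, nets):
    """Allowlist decision: True if client_ip lies inside any collected network.
    ipaddress handles the v4/v6 mismatch (an IPv6 address is never in an IPv4 net)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    blocks = collect_netblocks("_cloud-netblocks.googleusercontent.com")
    for net in blocks:
        print(net)
    # To work from real DNS instead of the constructed table:
    # blocks = collect_netblocks("_cloud-netblocks.googleusercontent.com", lookup_txt_live)
    print(is_allowed("192.0.2.17", blocks), is_allowed("203.0.113.4", blocks))
```

Note what the check does not do: it cannot tell your own App Maker script from any other tenant whose egress lands in the same range, so treat it as a coarse network filter and keep application-level authentication (a key or token on the request) as the real control.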
I had the same issue;
maybe you can try the "useIntranet" option, which may reduce the IP address range to your website's/web app's current network
https://developers.google.com/apps-script/reference/url-fetch/url-fetch-app
e.g.:
var response = UrlFetchApp.fetch("https://Url.com", {
  'method': 'post',
  // useIntranet is a (deprecated) option of UrlFetchApp.fetch, so it belongs
  // in the options object, not inside the form payload sent to the server.
  'useIntranet': true,
  'payload': {
    'key': "value"
  }
});

How to create a domain with both internal and external ips?

I was using Amazon before, and there it is possible to create domains like this: database.mydomain.com
Then if you ping this URL from outside the server you get the external IP, and if you ping it from an instance in the network you get the internal IP.
How is this possible and is there a way to implement the same thing in Google Cloud? Is it about the router?
I don't know the terms for this usage. Sorry if the title is not very clear.

How feasible/difficult is it to run an application that runs on a router?

In my example, I want to build an application that sends users who join a network some kind of interface and manages this at a central station (possibly the router, or a central server). The new user's input to this interface will be sent back to the central station and controlled.
How plausible is this? Is sending something to a newly discovered IP realistic?
As long as you control the DNS server, you can send them to any web server you like.
Completely plausible, but you'll need a router with open source firmware and you'll need to program in the language of that source code and have the toolchain to build the binary for the firmware.
The only thing I can think of is NoCatAuth and friends. The user has to use their web browser, but most are accustomed to that.
Are you trying to FORCE the users to use your application (e.g. by selling these routers via an ISP), or are you expecting users to co-operate (e.g. inside an organisation's WAN)?
If the latter, it may be sufficient to set the DHCP server inside the router to serve the address of an HTTP proxy. That will get picked up by most OSes/browsers. The proxy can then be used to control web traffic: which pages they can see, and which ones are redirected to your own web app.
If the user is considered an adversary, it would be trivial for them to override the proxy settings. In a LAN/WAN situation, you need to make sure nothing is connecting them to the outside world, except through the proxy.