could not connect with google cloud storage - mysql

I have just created Cloud Storage on Google for a MySQL database.
I have added my local IP address and the server's IP address in the authorization list (under access control).
It connects from MySQL Workbench on my local machine. But it does not connect from the website, which is running on the Windows Azure platform.
Which IP address am I supposed to use in access control?
The website is on the basic package of Azure.

This is a relatively non-trivial thing to achieve, as the GCP services need to know about the public source IP of the Azure service. Azure's IP surface is pretty wide, so you'd be unlikely to successfully connect the two. You're unlikely to be able to use just a single source IP address.
You may be better off looking at a VPN connection out of an Azure VNet to your GCP environment.
To be honest, trying to build any form of performant web experience that hosts the web and data tiers in different public clouds is going to be extremely challenging.

Actually, I resolved this issue by opening a ticket with Azure support.
They have the outbound IP address ranges available online. We need to provide those IP addresses to the third party's access control.
I am sharing that link here.
https://social.msdn.microsoft.com/Forums/azure/en-US/fd53afb7-14b8-41ca-bfcb-305bdeea413e/maintenance-notice-upcoming-changes-to-increase-capacity-for-outbound-network-calls?forum=windowsazurewebsitespreview
Choose those IP addresses which are associated with your website.
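An added example (not from the answer above) of the allowlist maintenance this implies: given the outbound ranges a cloud provider publishes for your web app, check that an observed connection source is covered, and audit the database's current access-control entries for stale or overly broad ranges. All CIDR values below are constructed placeholders, not the real Azure ranges.

```python
import ipaddress

# Constructed sample: published outbound ranges for the web app (placeholder
# values; the real ones come from the provider's notice, not from here).
PUBLISHED_OUTBOUND = [
    "203.0.113.0/28",
    "198.51.100.16/29",
    "192.0.2.77/32",
]

# Constructed sample: what is currently in the database's access-control list.
CURRENT_ALLOWLIST = [
    "203.0.113.0/28",
    "198.51.100.16/29",
    "192.0.2.77/32",
    "192.0.2.200/32",   # stale: an old outbound IP no longer published
    "0.0.0.0/0",        # overly broad: opens the database to everyone
]

def parse_networks(entries):
    """Turn CIDR strings (or bare IPs) into network objects; strict=False
    tolerates host bits being set, as allowlist UIs often accept them."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def source_is_published(source_ip, published=PUBLISHED_OUTBOUND):
    """True if a connection's source address lies inside a published outbound range."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in parse_networks(published))

def audit_allowlist(allowlist=CURRENT_ALLOWLIST, published=PUBLISHED_OUTBOUND):
    """Report entries not contained in any published range: 'too_broad' when the
    entry swallows a published range, 'stale' when it matches nothing published."""
    pub = parse_networks(published)
    stale, too_broad = [], []
    for entry in parse_networks(allowlist):
        same_ver = [p for p in pub if p.version == entry.version]
        if any(entry.subnet_of(p) for p in same_ver):
            continue  # fully covered by a published range, nothing to flag
        if any(p.subnet_of(entry) for p in same_ver):
            too_broad.append(str(entry))
        else:
            stale.append(str(entry))
    return {"stale": stale, "too_broad": too_broad}
```

Run the audit whenever the provider announces a change to its outbound ranges, and remove the stale entries rather than leaving them in place.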

Related

Is it possible to restrict MySQL IP and Port on a Public REST API without affecting its open access to all?

We currently have a public API to be used by our business's current and future clients. For flexibility, and so that our clients' systems can interface with ours, we currently have our MySQL database IP and port on wildcard access so as to not encounter any restricted-access issues.
The question is, due to security concerns, would it be possible to restrict the MySQL database server's IP and port so that it is not accessed directly by third-party clients but only via the public API? My instinct says no, but I don't have much experience in the way of public APIs or public access.
When an API User sends a query on our database, does it identify it via the API Host's IP (our servers?), or via the Client Computer's IP?
Thanks!
It's considered a bad security risk to expose MySQL's port directly to external clients. MySQL supports TLS but doesn't enforce it by default. So you're at risk of unauthorized clients invading.
For this reason, it's much safer and more recommended to run your own API server, as you mentioned. The API server is the only one allowed to connect to MySQL. Typically network routing is configured to prevent any contact to the database server except from the API server.
MySQL would therefore know nothing about the client's IP address. As far as MySQL is concerned, your API server is the only IP address it knows about.
The client IP address would be known by your API server and http server, and if you have load balancers or firewalls, those too.
The "users" associated with your third-party clients aren't necessarily mapped to distinct users in the MySQL authentication system. Actually, it's more typical that the API server uses a single MySQL user to authenticate all clients. Once connected to the database, your code would look up the client's "user" as a further authentication step. In other words, you would store a table in your own database with user credentials, and you would implement code to check passwords and so on. This is distinct from MySQL's own authentication system.
Alternatively, you could write your API service to use SAML or OAuth2 or equivalent federated authentication. The API service would still need to authenticate to MySQL, but the client's identity would be provided by the OAuth2 authentication.
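An added example (not from the answer above) of the pattern it describes: the API server holds a single database connection, and client identity is checked against a credentials table in the application's own schema. sqlite3 stands in for the MySQL database here, and the table layout is an assumption for the example; the hashing and constant-time comparison are the part worth copying.

```python
import hashlib
import hmac
import os
import sqlite3

# sqlite3 stands in for the MySQL database the API server reaches with its one
# database user (assumption for this example; the schema is constructed).
conn = sqlite3.connect(":memory:")
conn.execute("""CREATE TABLE api_users (
    username TEXT PRIMARY KEY,
    salt     BLOB NOT NULL,
    pw_hash  BLOB NOT NULL,
    iters    INTEGER NOT NULL)""")

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor, stored per row

def _derive(password, salt, iters):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)

def register_client(username, password):
    """Store only a per-user salt and the derived hash; the clear-text password
    is never written to the database."""
    salt = os.urandom(16)
    conn.execute("INSERT INTO api_users VALUES (?, ?, ?, ?)",
                 (username, salt, _derive(password, salt, ITERATIONS), ITERATIONS))
    conn.commit()

def authenticate_client(username, password):
    """Application-layer check, separate from MySQL's own authentication.
    Unknown usernames still run the derivation so response time does not reveal
    whether an account exists; the comparison is constant-time."""
    row = conn.execute("SELECT salt, pw_hash, iters FROM api_users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        _derive(password, b"\x00" * 16, ITERATIONS)
        return False
    salt, stored, iters = row
    return hmac.compare_digest(_derive(password, salt, iters), stored)
```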

What is the best way to setup an AWS RDS Dev Team Environment (using MySQL)?

I am using a LAMP Stack hosting everything in AWS.
For my production servers, I have the DB Server sitting behind the webserver, and not accessible to the internet.
For my development instance, I have it set up similarly, in the same VPC, with a public/private subnet and a route enabled via IP addresses to access it from outside AWS. This way, I can connect SQL Developer on my local computer and code/develop locally while having access to my dev database.
However, I am now in the process of hiring several interns, and I don't think adding their individual IP addresses to allow them connectivity is the best approach, especially since some of them may be coming from college campuses where IP addresses are not static.
After some searching around, I can't seem to find the best approach to set up AWS to enable a dev environment and give a group of folks access to the DB from their local machines.
Should I set up a VPN?
Should I continue to use the IP address method?
Am I missing something?
I can't imagine I'm the only one in this boat.
Thanks in advance.

Connect our Google App Engine Python API to an external MySQL database on Digital Ocean

There are already many questions about how to connect to an external MySQL database, but they all focus on how to open a remote connection, which is simply fixed by enabling billing.
However, none of these questions address how to open an exception in your MySQL database so that the GCP App Engine can connect to it. Normally a static IP would do, except it seems static IPs are for Compute Engine VM instances.
It seems like the previous solution was using "Google Secure Data Connector", but it's been decommissioned.
I found something else in the Google Cloud documentation that says:
"Your App Engine app connects over the Internet using that external service's public IP address."
However, there is no further information and I have no idea if that address is static or ephemeral, but this documentation page seems to say the address will never be static and cannot be assigned a static IP:
"App Engine does not currently provide a way to map static IP addresses to an application."
Has anyone ever succeeded? How did you set your exception on the external, non-GCP MySQL server?
App Engine can connect to the internet, but with a pool of IP addresses. You can't define one and always use the same. If your database has to authorize only one IP, it's not yet supported.
However, you could cheat by plugging a Serverless VPC Connector into your App Engine app and using a VM as a proxy, but the solution is ugly and I don't guarantee good response time, which is critical for a database...

Building a website on Google Cloud compute with cloudsql

I'm trying to move my dynamic website and database from my own VMs to Google Cloud. For the DB, I'm using Google Cloud SQL, and for the website I made a host under Compute Engine.
The problem is, I can't seem to connect to the DB from the VM using an internal IP address. Somehow my Cloud SQL DB only has an external IP address.
I also have phpMyAdmin running on a Compute Engine VM; this machine can also only connect to the external IP address (this works, but I'm guessing it is not very secure).
What am I doing wrong? Must I use the app engine instead for my website? I've done the training exercise but, to be honest, I have no clue what I was doing.
Cloud SQL does not currently support private networks. You either need to connect via the external IP or use the Cloud SQL Proxy.
In order to increase security, make sure to connect via SSL when using the external IP.

VPN Config Google Cloud

I need to know if the following scenario is possible using Google Cloud:
I need to have an IPsec VPN with a partner. The thing is that on their side they will allow only one of my hosts to access their network; on their side they configure an ACL as follows: network-object host X.X.X.4.
So, it is a must that in the phase 2 negotiation Google Cloud sends as local address the IP number allowed by them, X.X.X.4, and not the network X.X.X.0/something; if that happens, phase 2 will crash.
Is it possible to configure the VPN with this requirement?
Regards,
Will.
You could try creating a /30 network in your project, host the VM that you would like to interact with the partner in it, and set up the VPN tunnel there.
If you have another network where other VMs/apps exist, set up a cross-VPN between the VPN tunnels in your project; they are just in different networks within the same project.