How can I get an egress static IP per namespace within an EKS cluster [closed] - amazon-eks

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 1 year ago.
My current setup involves an EKS cluster with multiple namespaces (multi-tenant) across many different EKS nodes in private subnets. I would like the egress traffic from the pods to have a dedicated EIP per namespace. AFAIK there are no off-the-shelf solutions available for this problem. I have searched long and hard on the internet, but in vain. Here are some of the solutions that I have tried, but eventually hit a roadblock:
Istio Egress Gateway
Allows you to direct all outbound traffic from pods via a dedicated egress gateway pod. But the egress gateway pod will assume the IP of the node on which it is running, which will not work for my use case. Also, I have not found decent documentation around how I can set up multiple egress gateway pods across multiple nodes.
Calico Egress Gateway
Very similar to the Istio Egress Gateway solution, and the same constraint applies.
Custom Solution
I have started implementing a custom solution, where I set up multiple gateway nodes in a public subnet, each with a dedicated EIP. I can now modify the IP routes/gateways in the private EKS node to route traffic via a specific gateway node based on the pod source IP. This solution feels very kludgy, and the operational overhead of such a solution is very high.
I have looked at solutions like https://github.com/nirmata/kube-static-egress-ip, but have not had any luck with them.
Is there a better approach/solution to this problem?
P.S.: My production cluster is extremely large; I cannot afford to stand up a cluster for each namespace.
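As an added example (not the asker's code, nor part of any of the projects named above), here is a Python model of the custom policy-routing approach from the question: each namespace's pod CIDRs are steered, by source IP, to a dedicated gateway node that SNATs to its own EIP. Every address, table number and namespace name is a constructed placeholder. The script does not execute anything; it validates the mapping and returns the `ip rule` / `ip route` commands a private worker node would need, so the plan can be reviewed before it is applied.

```python
"""Plan the per-namespace policy routing described in the question.

Added example, not the asker's code or any project's.  It assumes a constructed
mapping of namespace -> (pod CIDRs, gateway node private IP, EIP, routing table)
and that the gateway address is usable as a next hop from the worker node, as in
the question's setup.  Commands are returned as strings, never executed.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class EgressMapping(NamedTuple):
    namespace: str
    pod_cidrs: List[str]   # pod source ranges that belong to this namespace
    gateway_ip: str        # private IP of the gateway node in the public subnet
    eip: str               # EIP attached to that gateway node (what the world sees)
    table: int             # routing table number on the worker node


# Constructed sample mapping (RFC 1918 / RFC 5737 addresses, not real infrastructure).
MAPPINGS = [
    EgressMapping("tenant-a", ["10.0.1.0/24", "10.0.2.0/24"], "10.0.100.10", "203.0.113.10", 101),
    EgressMapping("tenant-b", ["10.0.3.0/24"], "10.0.100.11", "203.0.113.11", 102),
]


def validate(mappings: List[EgressMapping]) -> None:
    """Reject plans that would be ambiguous on the node: overlapping pod CIDRs
    (two namespaces would match the same source) or a reused table number."""
    seen = []          # (namespace, network) pairs already claimed
    tables = set()
    for m in mappings:
        if m.table in tables:
            raise ValueError(f"routing table {m.table} used twice")
        tables.add(m.table)
        ipaddress.ip_address(m.gateway_ip)   # raises on a malformed gateway address
        for cidr in m.pod_cidrs:
            net = ipaddress.ip_network(cidr)
            for other_ns, other in seen:
                if net.overlaps(other):
                    raise ValueError(f"{m.namespace} {net} overlaps {other_ns} {other}")
            seen.append((m.namespace, net))


def plan_is_valid(mappings: List[EgressMapping]) -> bool:
    try:
        validate(mappings)
        return True
    except ValueError:
        return False


def routing_commands(mappings: List[EgressMapping]) -> List[str]:
    """Commands for one private worker node.  Each namespace gets its own table
    whose default route points at the namespace's gateway node; a source-based
    rule per pod CIDR selects that table.  Pods outside every CIDR keep using
    the main table (the subnet's normal NAT gateway)."""
    validate(mappings)
    cmds = []
    for m in mappings:
        cmds.append(f"ip route replace default via {m.gateway_ip} table {m.table}")
        for cidr in m.pod_cidrs:
            cmds.append(f"ip rule add from {cidr} lookup {m.table} priority {1000 + m.table}")
    return cmds


def egress_for(src_ip: str, mappings: List[EgressMapping]) -> Optional[EgressMapping]:
    """Longest-prefix match: which mapping (and hence which EIP) a pod with this
    source address would egress through, or None for the default path."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for m in mappings:
        for cidr in m.pod_cidrs:
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (m, net)
    return best[0] if best else None


if __name__ == "__main__":
    for line in routing_commands(MAPPINGS):
        print(line)
    print("10.0.2.7 would egress from", egress_for("10.0.2.7", MAPPINGS).eip)
```

The overlap check is the part worth keeping even if the rest is replaced: two namespaces claiming overlapping pod ranges would silently send one tenant's traffic out of the other's EIP, and `ip rule` will not complain about it.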

I thought that Calico Enterprise would solve for this specific use case by assigning an IP to the namespace. From this blog: "[Egress Gateway] defines a static egress IP for SNAT on traffic leaving the cluster and applies it to a specific namespace. Then it designates one pod in a namespace as the egress pod and assigns a routable IP which is used specifically for egress traffic leaving the cluster."
Do you mind also +1 this feature request? https://github.com/aws/containers-roadmap/issues/1319

Related

https without www errors out [closed]

Closed. This question is not about programming or software development. It is not currently accepting answers.
Closed last month.
I've registered my domain at Namecheap (example.com), bought SSL from ssls.com, and am serving content from AWS S3 using AWS CloudFront. I imported the certificate to AWS Certificate Manager. All of the following correctly redirect to https://www.cashflowbux.com :
cashflowbux.com
www.cashflowbux.com
http://cashflowbux.com
http://www.cashflowbux.com
The issue is when I type https://cashflowbux.com, it throws ERR_CONNECTION_TIMED_OUT. Can anyone suggest how to fix it please?
Namecheap replied saying:
"If you wish to make it redirect via HTTPS, it is required to point your bare/root domain to hosting directly and install an SSL certificate there. It is not possible to install it on our BasicDNS nameservers."
In the same way that you had to create a "www.cashflowbux.com" record of CNAME type in your DNS zone pointing to "d9cmuu1x2w6f7.cloudfront.net", you must create a CNAME "cashflowbux.com" record pointing to "d9cmuu1x2w6f7.cloudfront.net": your DNS provider must support CNAME records on a root domain, using techniques such as CNAME flattening, for this.
If that is not possible for it, you probably need to migrate your DNS zone to Route53, which supports this feature well.

Load balancing the load balancers [closed]

Closed. This question is not about programming or software development. It is not currently accepting answers.
Closed 6 months ago.
Currently I have a system where I have installed HAProxy on one machine, my other 3 machines serve the webapps, and the fourth machine is for the database. Now I need to add another load balancer to my system so that any one of the load balancers could pick the request and process it.
But I don't understand how exactly we are going to configure a second load balancer if my domain, say example.com, is pointing to the IP address which is the load balancer currently. When I add a second load balancer:
Will there be any third machine where something needs to be installed so that it can redirect the request to one of my load balancers? Again, if this is so, it again is a single point of failure and creates a bottleneck.
If at all I am going to have 2 machines running load balancers then how exactly is the request going to come in because both machines will anyway have different IP.
This sort of thing is generally achieved by either putting both load balancers in DNS ("round-robin DNS") so a lookup for app.example.com might resolve to either lb1.example.com or lb2.example.com, or by having an anycast IP address that can route to any individual load balancer (where the one chosen depends on the network topology between a client and the load balancer).

AWS - NLB Performance Issue

I am using a network load balancer in front of a private VPC in the API gateway. Basically, for APIs in the gateway the endpoint is the network load balancer's DNS name.
The issue is, performance sucks (+5 seconds). If I use the IP address of the EC2 instead of the NLB DNS, the response is very good (less than 100ms).
Can somebody point me what is the issue? Any configuration screw up I did while creating NLB?
I have been researching for the past 2 days and couldn't find any solution.
Appreciate your response.
I had a similar issue that was due to failing health checks. When all health checks fail, the targets are tried randomly (typically a target in each AZ); however, at that stage I had only configured an EC2 in one of the AZs. The solution was to fix the health checks. They require the SecurityGroup (on the EC2 instances) to allow the entire VPC CIDR range (or at least the port the health checks are using).
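To make the answer's fix checkable, here is an added example (not from the question, the answer, or AWS): NLB health checks originate from the load balancer's own addresses, which can be in any AZ of the VPC, so the target's security group must accept the health-check port from the whole VPC CIDR. The script evaluates a security group given in the shape EC2's DescribeSecurityGroups returns (`IpPermissions` with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`) against a VPC CIDR and a port, and reports which address ranges would still be unable to reach the target. The group contents, CIDRs and port are constructed; IPv6 rules are ignored.

```python
"""Check that NLB health checks can reach a target from anywhere in the VPC.

Added example, not the answerer's code or an AWS tool.  Assumes the security
group is supplied as a dict shaped like EC2 DescribeSecurityGroups output and
that only IPv4 (IpRanges) matters; all values below are constructed.
"""
import ipaddress
from typing import List

VPC_CIDR = "10.0.0.0/16"   # constructed VPC range
HEALTH_CHECK_PORT = 8080   # constructed: the target group's health-check port

# Constructed: the misconfiguration in the answer, app port open to one subnet only.
SG_TOO_NARROW = {
    "GroupId": "sg-0000example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

# Constructed: the fix, health-check port open to the entire VPC range.
SG_FIXED = {
    "GroupId": "sg-0000example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}


def _rule_covers_port(rule: dict, port: int) -> bool:
    proto = rule["IpProtocol"]
    if proto == "-1":              # "all traffic" rules carry no port fields
        return True
    if proto != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def uncovered_ranges(sg: dict, vpc_cidr: str, port: int) -> List[ipaddress.IPv4Network]:
    """Subtract every allowing IPv4 CIDR from the VPC range; whatever is left is
    where a health checker would be blocked."""
    remaining = [ipaddress.ip_network(vpc_cidr)]
    for rule in sg["IpPermissions"]:
        if not _rule_covers_port(rule, port):
            continue
        for ip_range in rule.get("IpRanges", []):
            allowed = ipaddress.ip_network(ip_range["CidrIp"])
            next_remaining = []
            for net in remaining:
                if net.subnet_of(allowed):        # fully permitted: drop it
                    continue
                if allowed.subnet_of(net):        # carve the permitted piece out
                    next_remaining.extend(net.address_exclude(allowed))
                else:                              # disjoint: keep as is
                    next_remaining.append(net)
            remaining = next_remaining
    return sorted(remaining)


def uncovered_address_count(sg: dict, vpc_cidr: str, port: int) -> int:
    return sum(n.num_addresses for n in uncovered_ranges(sg, vpc_cidr, port))


def health_checks_reachable(sg: dict, vpc_cidr: str, port: int) -> bool:
    return uncovered_address_count(sg, vpc_cidr, port) == 0


if __name__ == "__main__":
    for name, sg in (("too narrow", SG_TOO_NARROW), ("fixed", SG_FIXED)):
        gaps = uncovered_ranges(sg, VPC_CIDR, HEALTH_CHECK_PORT)
        print(name, "reachable" if not gaps else f"blocked from {[str(g) for g in gaps]}")
```

Run against a real group (for example the output of `aws ec2 describe-security-groups --group-ids <sg-id>`), the list of uncovered ranges tells you directly whether the one-AZ symptom in the answer can occur, before you go looking at target health in the console.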

coTurn server behind NAT [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 1 year ago.
I am using coTurn as my turn server in my application.
What is the minimum configuration I have to do to make my TURN server work behind NAT?
What are all the ports I have to open for it to work behind NAT?
As I have read, coturn comes with an inbuilt STUN server, so can I use the STUN address in my application instead of the default Google STUN mentioned here: https://github.com/coturn/coturn/wiki/CoturnConfig ?
If so, what should my configuration there be, i.e. what should be modified in the JavaScript object in RTCPeerConnection?
I'm assuming work behind NAT refers to the TURN server, and not to the application.
In this case, you can refer to the external-ip parameter in coturn configuration:
TURN Server public/private address mapping, if the server is behind NAT. In that situation, if -X is used in the form "-X <ip>", then that IP will be reported as the relay IP address of all allocations.
This works for example in NAT scenarios like AWS or GCP, where there's a 1:1 mapping between a private IP address, which coturn can listen on, and an ephemeral public IP address.
Your application can just be configured to use coturn in the ice settings as if coturn was listening directly on the public IP.
e.g.:
listening-ip=172.10.1.1
external-ip=3.3.3.3/172.10.1.1
Furthermore, coturn will respond to Allocate requests with relay transport addresses with the public IP in the XOR-RELAYED-ADDRESS of the Allocate Success response.
The port will be the same as the one allocated on the private interface. So for example if the relay is allocated on 172.10.1.1:40032, the XOR-RELAYED-ADDRESS will contain 3.3.3.3:40032.
Needless to say, whatever port range is configured in coturn's configuration needs to be reachable from the applications. For example, if min-port is 40000 and max-port is 50000, there must be a Security Group for that EC2 instance which allows access to UDP 40000-50000.
By default coturn acts also as a STUN server (even fully RFC-5780 compatible if listening on more than one IP address).
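The mapping the answer describes, worked through as an added example (this is not coturn's code and not part of the answer): it takes the answer's own configuration (listening-ip=172.10.1.1, external-ip=3.3.3.3/172.10.1.1, and the 40000-50000 relay range used as the answer's example of min-port/max-port), shows which public address coturn would report for a relay allocated on the private interface, and then encodes and decodes the actual XOR-RELAYED-ADDRESS attribute bytes a client receives in the Allocate Success response, using the STUN XOR encoding from RFC 5389 (magic cookie 0x2112A442) and the attribute type from RFC 5766. The config parsing is a deliberately small reading of coturn's `key=value` file format, not a complete parser.

```python
"""external-ip mapping and XOR-RELAYED-ADDRESS encoding for the answer's setup.

Added example, not coturn's code.  Assumes the answer's addresses and port range
(copied below as a constructed config fragment) and IPv4 relays only.
"""
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442        # RFC 5389 STUN magic cookie
XOR_RELAYED_ADDRESS = 0x0016     # attribute type, RFC 5766

# Constructed config fragment using the addresses and ports from the answer.
COTURN_CONF = """
listening-ip=172.10.1.1
external-ip=3.3.3.3/172.10.1.1
min-port=40000
max-port=50000
"""


def parse_conf(text: str) -> dict:
    """Minimal key=value reader; repeated keys (e.g. several external-ip lines) are kept in order."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def external_ip_map(conf: dict) -> dict:
    """Build private -> public from external-ip entries of the form public[/private].
    A bare public IP (no /private part) applies to every listening-ip."""
    mapping = {}
    for entry in conf.get("external-ip", []):
        public, _, private = entry.partition("/")
        if private:
            mapping[private] = public
        else:
            for listen_ip in conf.get("listening-ip", []):
                mapping.setdefault(listen_ip, public)
    return mapping


def relayed_address(conf: dict, private_ip: str, port: int):
    """Address coturn reports for a relay allocated on private_ip:port; the port is unchanged."""
    public = external_ip_map(conf).get(private_ip, private_ip)
    return public, port


def encode_xor_relayed_address(ip: str, port: int) -> bytes:
    """TLV bytes of an IPv4 XOR-RELAYED-ADDRESS attribute: type, length, then
    reserved byte, family 0x01, X-Port (port ^ top 16 bits of the cookie),
    X-Address (address ^ cookie)."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, x_port, x_addr)
    return struct.pack("!HH", XOR_RELAYED_ADDRESS, len(value)) + value


def decode_xor_relayed_address(tlv: bytes):
    """Inverse of encode_xor_relayed_address, i.e. what the client does with the attribute."""
    attr_type, attr_len = struct.unpack("!HH", tlv[:4])
    if attr_type != XOR_RELAYED_ADDRESS or attr_len != 8:
        raise ValueError("not an IPv4 XOR-RELAYED-ADDRESS attribute")
    _, family, x_port, x_addr = struct.unpack("!BBHI", tlv[4:12])
    if family != 0x01:
        raise ValueError("only IPv4 is handled in this example")
    return str(ipaddress.IPv4Address(x_addr ^ MAGIC_COOKIE)), x_port ^ (MAGIC_COOKIE >> 16)


def relay_port_range(conf: dict):
    """The UDP range the security group must admit, straight from min-port/max-port."""
    return int(conf["min-port"][0]), int(conf["max-port"][0])


if __name__ == "__main__":
    conf = parse_conf(COTURN_CONF)
    ip, port = relayed_address(conf, "172.10.1.1", 40032)
    tlv = encode_xor_relayed_address(ip, port)
    print(f"relay 172.10.1.1:40032 is reported as {ip}:{port}, attribute bytes {tlv.hex()}")
    print("security group must allow UDP %d-%d" % relay_port_range(conf))
```

The point of encoding the attribute rather than just printing "3.3.3.3:40032" is that the bytes on the wire never contain the public address in clear form: a packet capture of the Allocate Success response shows 0x2211a741, and only after XORing with the magic cookie does the client learn 3.3.3.3. That is worth knowing when you are debugging a NAT setup with tcpdump and cannot find the external IP in the dump.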

I'm thinking of blocking access to every part of my site other than these (SSH/HTTP). Is this a good idea? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
I think this should be standard for everybody to do anyway, but maybe I'm missing something.
I want to block access to my site through every port/method/protocol except a select few methods:
This includes blocking use of the IP address rather than the domain name. So visits to 123.55.123.66 and ssh://123.55.123.66 will always fail.
Also, blocking all FTP access
These only will be allowed:
(1) http://domain.com
(2) https://domain.com
(3) ssh://ssh-access.domain.com
So SSH is only available at this subdomain, so people can't hit SSH from the IP or the same domain that is publicly available.
Also, http://ssh-access.domain.com would fail.
No access to FTP, Telnet anything.
Is this a good idea?
Because I can't even think of all the different ports/protocols available, I think it's best to block all except the above listed (rather than block all FTP, SSH etc.).
Also, if anyone has any pointers as to how I would code this, that would be great. I'm guessing it's best to do it in Apache (or Ubuntu).
You cannot "visit" ssh://123.55.123.66 in the proper sense (i.e. with a web browser) and, although some file browsers offer this extension, Apache is not involved in the connection (instead, the SSH daemon is). Moreover, the SSH daemon has no notion of "(sub)domain".
That said, you can configure the SSH daemon to listen only on the "remote access" IP address (bind it to that address).
For the website, you can adapt the appropriate Mod-Security rules to deny access to people/bots trying to access the website by IP address, rather than by web address.
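An added example of the web-side rule the answer suggests (not the asker's code, not Apache's, and not a ModSecurity rule itself): a small Python model of the decision a front-end rule would make on the Host header, accepting only the names the site is meant to be reached under and refusing requests that name the raw IP address. It handles the edge cases a naive string compare misses: a port suffix, a bracketed IPv6 literal, upper-case and a trailing dot. The hostnames are the question's placeholders (domain.com, ssh-access.domain.com); the allow lists are constructed from the question's list of permitted methods.

```python
"""Host-header policy modelling the allow list in the question.

Added example, not code from the question, the answer, Apache or ModSecurity.
Assumes the question's placeholder names; the lists below are constructed.
"""
import ipaddress
from typing import Optional, Tuple

ALLOWED_WEB_HOSTS = {"domain.com"}            # served over http and https
SSH_ONLY_HOSTS = {"ssh-access.domain.com"}    # the question wants http here to fail


def split_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Return (host, port) from a Host header value.  Handles "[v6]:port",
    "name:port", a trailing dot on the name, and case (DNS names are case-insensitive)."""
    value = value.strip()
    if value.startswith("["):                 # IPv6 literal, RFC 3986 form
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host = value[1:end]
        rest = value[end + 1:]
        port = int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else None
        return host.lower(), port
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host.lower().rstrip("."), int(port)
    return value.lower().rstrip("."), None


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def web_request_allowed(host_header: Optional[str]) -> bool:
    """True only when the request names the public site by its DNS name.
    A missing Host header (HTTP/1.0 style) is treated like a visit by IP."""
    if not host_header:
        return False
    try:
        host, _ = split_host_header(host_header)
    except ValueError:
        return False
    if is_ip_literal(host):
        return False
    if host in SSH_ONLY_HOSTS:
        return False
    return host in ALLOWED_WEB_HOSTS


if __name__ == "__main__":
    for sample in ("domain.com", "DOMAIN.COM.:443", "123.55.123.66",
                   "[2001:db8::1]:80", "ssh-access.domain.com", ""):
        print(f"{sample!r:28} -> {'allow' if web_request_allowed(sample) else 'deny'}")
```

Whatever enforces this in production (a ModSecurity rule, a default virtual host that returns 403, or the reverse proxy in front), test it with the same inputs: the IP with a port appended and the bracketed IPv6 form are the two that a rule written as a plain string match on the dotted IP tends to let through.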