I need to whitelist the third-party system to consume mule 4 api. The have peculiar behavior of having dynamic IP address so suggested to whitelist with DNS name (abc.com).
how can this be achieved ?
DLB whitelisting only support IP ranges specified in CIDR format. You could create an application that queries regularly the IP for that DNS address and updates the whitelist using CloudHub's REST API or executing Anypoint CLI.
Related
I have published an ASP.NET core Web API on IIS. The website is hosted on a Windows Server 2019 dedicated server with a number of IP addresses. In Plesk I have set the IP address which I want the website to be bound to (let's assume is it 10.1.1.1). When I ping the domain name I see the correct IP address.
In one of the API's endpoints, there is an HTTP Request made to an external API which has access restriction to pre-defined IP addresses. If a request is made to this external API from an unknown IP it returns an error with that IP address.
Our website's IP address is set properly at the external API. However, when our API tries to connect to the external API from code it doesn't use the website's correct IP Address. It uses the first available IP address on the server. Therefore, the connection to the external API is refused.
My question is, why the HTTP Request is not made from the same IP address as the website and what can I do to make things right?
When we bind sites to IIS, you are only binding the incoming IP address. Traditionally we would want to control and sanitize all outbound requests, it there are multiple NICs configured, the outbound traffic would be routed through the NIC that is configured with the gateway, or the NIC that is on the same subnet as the target.
If your server has multiple IP addresses defined in the same NIC, the outbound IP address from IIS hosted content is selected for you. I'm not sure if it is a round robin but I can tell you it is not in any way related to the incoming IP address that your site is bound to.
Outbound traffic is NOT associated with IIS at all, outbound traffic from IIS follows the normal pathway and rules as outbound connections from all processes on your PC/server.
The general standard to avoid this issue in IIS is to use SSL and Host Header Names. That way you can host multiple sites on the same IP address, or realy you are inbound address agnostic meaning your configuration can be easily ported to other hosts without having to mess around with multiple physical or virtual IP addresses.
Following this advice from Forcing Windows Server to Use a Specific Outgoing IP Address, you can use powershell to exclude specific IP addresses from being used as the external source.
Assuming the IP address you want to be primary is 192.168.33.129.
$primaryIP = "192.168.0.4"
Set-NetIPAddress -IPAddress $primaryIP -SkipAsSource $false
Get-NetAdapter | Get-NetIPAddress | ? { $_.IPAddress -ne $primaryIP } | % {
Set-NetIPAddress -IPAddress $_.IPAddress -SkipAsSource $true
}
Now all IP addresses, except the one you are designating as "primary," will be excluded from consideration as primary. We can verify this using...
Get-NetAdapter | Get-NetIPAddress | Select-Object IPAddress,SkipAsSource
It must also be said that communications outside of your IIS host can be routed via VPNs and Firewalls, even if you manage to fix the internal IIS server outbound IP address, the external site will still register your network's external IP address, not the internal 192.168.0.4 on the NIC.
Most enterprise firewalls will have the ability to configure Source NAT (SNAT) rules or policies, sometimes referred to as Multipath Routing, that will allow you to bypass or negate any configuration on the IIS NIC as described above.
Is there any way to setup a static inbound IP for azure IoT hub? I'm not much experienced with networking. My client have a firewall, it is IP based. They need to set IP whitelisting. What should be the best way to achieve this?
The IP address prefixes of IoT hub are subject to change. These
changes are published periodically via service tags before taking
effect. It is therefore important that you develop processes to
regularly retrieve and use the latest service tags. This process can
be automated via the service tags discovery API. Note that Service
tags discovery API is still in preview and in some cases may not
produce the full list of tags and IP addresses. Until discovery API is
generally available, consider using the service tags in downloadable
JSON format.
IoT Hub IP addresses
In addition to the above, You can use IP filter to receive traffic only from a specified range of IP addresses and reject everything else.
By default, the IP Filter grid in the portal for an IoT hub is empty. This default setting means that your hub blocks connections from all IP addresses. This default setting is equivalent to a rule that blocks the 0.0.0.0/0 IP address range.
You can follow the documentation Use IP filters for more details.
I am developing a .Net Core REST API for an Android app which is written in Dart/Flutter, both .Net Core and android app are connected to the same local network, right now I am sending requests to server by using it's IP address, however I want to make it easy for end users to use the app since they have limited knowledge of configuring stuff.
How can I link a local domain to the server or at least use server name instead of ip address for sending requests, in that case it would have saved me a lot of time and hassle with end users.
Do I need a DNS server for this and is it easy to implement this functionality?
According to your description, you should set up a DNS server in your local network. If you want to access the app by using domain, you should make sure the android app is also inside that local network.
A DNS server is a computer server that contains a database of public IP addresses and their associated hostnames, and in most cases serves to resolve, or translate, those names to IP addresses as requested.
More details about how to set up a DNS server and configure a DNS server , you could refer to below article: https://support.microsoft.com/en-us/help/814591/how-to-install-and-configure-dns-server-in-windows-server-2003
Our product has software-managed virtual networks and has multiple local IP addresses from which network communications could be routed. One of the requirements we have is to ensure that outgoing traffic is routed from a specific, desired local IP when communicating with the Azure blob storage endpoint.
The Azure SDK does not seem to expose any means of specifying which local IP address to use for communications to the Azure blob endpoint. Please let us know if you think the SDK does expose and if so how we can utilize the facility.
If not, we are evaluating making changes to the azure-storage-java SDK source in order to support the local IP binding requirement.
Has this kind of situation been brought to your attention before? Do you have any suggestions as to how this might be accomplished?
Thanks,
Sowmya.
Currently I have two websites running on single Amazon EC2 and using Apache web server. Configuring Apache to use virtual host and use a single IP address was simple . But I think Amazon gives you up to 5 IP addresses and would like attach two IP addresses to a single EC2 instance and use those IP addresses for each site.
How do I configure the server that Website A uses one of the IP address for incoming and outgoing data?
Unfortunately, you can only map 1 elastic IP per instance. Its a nasty limitation, because I would love to setup multiple sites using SSL with default port of 443 but I cannot. I usually just use other ports if I have to, but that is not best practice.
The associated elastic IP to the one instance is free. You can set that up in the management console or through the API. Your server should come with its own internal IP address, and the elastic IP gets translated to that.
There are things that you can do with AWS load balancing, which allow you to use multiple ssl sites to one instance.
You can now do this if you run your instance in a VPC.
You can create multiple ENIs (Elastic Network Interfaces) and associate any number of them with a single instance.
The announcement for this feature is at http://aws.typepad.com/aws/2012/07/multiple-ip-addresses-for-ec2-instances-in-a-virtual-private-cloud.html