Using one user database to authenticate users in 2 different cloud-based servers (AWS/GCP), and only once - authentication

So this is the case:
What we have:
We have a Service (webApp) in Kubernetes: API + Vue.js frontend, hosted in AWS.
And we also have some Services (webApp) in Kubernetes: API + React.js frontend, hosted in GCP.
We are able to use same domain subdomains for each (like: a.domain.com and b.domain.com).
What we need:
We need to let the user think these 2 servers are only one.
The idea is that the user uses the same username/password for both servers, but
the most important part is that he only needs to log in to one of them to be logged in to the other automatically.
We have the parent domain in Google, and we prefer a solution that is implemented in GCP; the AWS server should just consume this auth method/config/etc.
Love to hear some ideas

If you have multiple replicas of the webApp frontend distributed in multi-cloud environments, you can use dynamic DNS and load balancing services like the ones Cloudflare provides to distribute the access to your app frontend as explained here.
Then you need to connect the multi-cloud VPCs and make your backend accessible to your multiple frontends.
You can use managed VPN services from both cloud providers to have an encrypted channel between VPCs in both cloud environments and to transfer data by using private IP addresses.
Google offers Cloud VPN as a managed VPN service for encrypted IPsec tunnels, which can be used on the Google end. AWS offers AWS Site-to-Site VPN and Azure offers Azure VPN gateway. You can connect your VPCs between the environments by using one or multiple VPN tunnels.
With that you can operate your webApp across multiple clouds.

Related

Azure APIM with App gateway integration question

I'm using Azure API Management.
Since APIM does not provide a built-in WAF, I'd like to use Application Gateway in front of APIM.
According to the following article, it is possible.
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway
But some of my APIM instances are not integrated with a VNet, or are integrated with a VNet in external mode.
And I'd like to integrate those APIM instances with Application Gateway as well.
So is this a possible scenario, or do I need to migrate the existing APIMs to internal VNet mode?
Thanks a lot.
Advice or documentation welcome.
As per the Microsoft documentation, backend pools of Application Gateway can contain public IP addresses, so for your external APIM you can specify the public IP of the APIM in your Application Gateway backend pool.
But this doesn't make much sense, because you are now planning to use Application Gateway, and it supports a way to expose your APIs even if APIM is in internal VNet mode. From a security point of view it is better to move the external APIM to internal mode.
If you want to keep the external APIM, then you have to find a way to restrict access to this external APIM only via Application Gateway, and all other direct access to the APIM should be blocked.

Providing firewall and DDOS protection for BigQuery API

Users of ours, running their code on premise, access data we provide them via GCP's BigQuery API. It's a REST API with a client library wrapper.
We want to protect access to the BigQuery API backend with a firewall (in order to whitelist client IPs etc.). What are the best options, preferably some GCP solution? Reading Google's documentation, it's not clear if I can include the client's IP address in a GCP VPC, or if there's another way of doing it. Cloudflare also seems like an option, but I'd prefer to use a GCP offering.

Set up openid-connect infrastructure

I am pretty new to authorization/authentication with OpenID Connect. I guess I lack some basic understanding of how to set up a proper backend infrastructure.
There's a Keycloak server running through which I want to authorize/authenticate my customers.
The user logs in with his company credentials and then should be authorized/authenticated against our backend service, which provides a REST API.
So our part is to implement the backend service and use OpenID Connect for authorization/authentication.
Could you tell me what components/software need to be implemented on our side?
Often the Authorization Server is an external cloud system that your UIs and APIs just point to, with URLs equivalent to these:
https://api.mycompany.com/myapi
https://web.mycompany.app/myapp
https://login.mycompany.com
Not sure if this quite matches your setup, but typically you provide some or all of these domains:
API
Web Hosting
Authorization Server (Keycloak)
My personal preference is to use local developer PC domains to match the above. If it helps, you might just be able to repoint my OpenID Connect code sample to your infra once configured, in order to verify that it works.
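As an added example (not code from this thread, nor the answerer's linked sample), here is the backend-side component the question asks about: the REST API validating the bearer token that the UI obtained from the Authorization Server (Keycloak) before serving a request. It also includes the parent-domain cookie scoping that the first question on this page (a.domain.com and b.domain.com sharing one login) needs, so one validation helper serves both threads. Everything below is constructed: a demo HS256 shared key stands in for Keycloak's RS256 keys (with RS256 only the signature step changes, using the issuer's published JWKS public key), and the issuer URL, audience, key id and claim values are assumptions, not taken from the thread.

```python
# Added example, not from the original thread. Backend (resource server) side of
# an OpenID Connect setup: validate the bearer token the UI obtained from the
# Authorization Server before serving the REST API, and scope the resulting
# session cookie to the parent domain so sibling subdomains share the login.
#
# Assumptions (none of these are in the thread): a demo HS256 shared key stands
# in for Keycloak's RS256 keys (with RS256 only the signature step changes, using
# the issuer's published JWKS public key); issuer, audience, kid and claim
# values below are constructed.
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://login.mycompany.com/realms/myrealm"   # assumed Keycloak-style issuer
AUDIENCE = "myapi"                                       # assumed client id of the REST API
DEMO_KEYS = {"demo-kid": b"demo-shared-secret-not-for-production"}  # constructed


class TokenError(Exception):
    """Raised for any reason the token must be rejected; callers answer 401."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def mint_token(claims: dict, key: bytes, kid: str) -> str:
    """Issuer side (what Keycloak does); included only so the example runs offline."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, keys: dict, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if the token is acceptable for this API, else raise TokenError."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except ValueError as exc:  # covers bad base64, bad JSON and a wrong segment count
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    # Pin the algorithm the API expects; never let the token's own header choose it
    # (alg=none and RS256/HS256 confusion both start there).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    kid = header.get("kid")
    key = keys.get(kid) if isinstance(kid, str) else None
    if key is None:
        raise TokenError("unknown kid")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # The signature proves who issued it; these checks prove it was issued for
    # this API and is valid right now.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if now >= claims.get("exp", 0):          # a missing exp is treated as expired
        raise TokenError("expired")
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    return claims


def session_cookie(token: str, parent_domain: str) -> str:
    """Set-Cookie value for the single-login case in the first question on this
    page: a login at a.domain.com is also sent to b.domain.com because
    Domain=.domain.com covers every subdomain. Secure/HttpOnly/SameSite keep the
    cookie off plain HTTP and out of reach of page scripts."""
    return (f"session={token}; Domain=.{parent_domain}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")
```

In a real deployment `verify_token` runs in an API middleware with `keys` loaded from the issuer's JWKS endpoint and cached; the order of checks (algorithm, key, signature, then iss/aud/exp/nbf) is the part worth keeping, since a token that passes the signature check but carries another client's audience is still not for this API.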

How to set up an api for the IBM cloud services to access a node-red dashboard

I would like to set up OAuth access for a Node-RED instance deployed on Bluemix and access a multi-user dashboard. I think it should be done via the IBM Cloud Functions API and use IBM Cloud App ID to protect it with the IBM Cloud API Gateway. That said, there's no way to connect those gateway functions to the dashboard web pages through Bluemix that I can see. Has this use of Node-RED been done?
Note I am not trying to provide access to Node-RED flows, only to secure the dashboard pages created with the multi-user node.
I have a multi-user, multi-session dashboard running but there are no current nodes to secure this, or flows that offer this functionality. I'm not even sure you could build OAuth using flows. Perhaps a dedicated node that is built to provide ... perhaps fussing with bluemix-settings.js.
I've researched Node-RED's capacity, especially when deployed in IBM Cloud, and this is adequate. Node-RED provides easy-to-provision Cloudant access as well as the dashboard functionality that I want to embed in a consumer mobile app.
So the point is to provide OAuth for the public access of the dashboard and to protect the Cloudant endpoints, as well as to keep the functionality in the cloud rather than in the mobile app.
This is preferably a code-less solution.
Can you provide more information on dashboards? What do you mean by dashboard pages created with the multi-user node?
There are Node-RED OAuth 2.0 and OIDC plugins that can be integrated into the flows to secure them.
https://www.npmjs.com/package/node-red-contrib-openid
https://www.npmjs.com/package/node-red-contrib-auth-oidc
https://www.npmjs.com/package/node-red-contrib-simple-oauth2

Security considerations for API Gateway clustering?

Clients communicate with a single point of entry via an API Gateway over HTTPS against a RESTful API.
API Gateway: API keys for tracking and analytics, OAuth for API platform authentication.
User microservice provides user authentication and authorization, and generates a JWT that is signed and encrypted (JWS, JWE).
Other microservices determine permissions based on claims inside the JWT.
Microservices communicate internally via pub/sub, using the JWT in the message along with other info. Each microservice could be scaled out with multiple instances (cluster with a load balancer).
Question: Can I cluster the API Gateway and have the load balancer in front of it? What do I need to consider with respect to managing authentication? i.e. sharing of API keys across the API Gateway cluster?
Extra notes: I'm planning on terminating SSL at the gateway and using bcrypt for passwords in the DB.
Any feedback would be great, thank you.
Can I cluster the API Gateway and have the load balancer in front of it.
Yes, you can. Most of the good API Gateway solutions provide the ability to do clustering, e.g. https://getkong.org/docs/0.9.x/clustering/, or you can use a cloud-based API Gateway: Azure API Management or AWS API Gateway.
What do I need to consider with respect to managing authentication?
These specifics depend on your selection of API Gateway solution.