CMS Access via cloudfront access restricted to AWS VPN only - amazon-cloudfront

I have CMS website for which i need to access it via AWS VPN only, i have cloudfront on top of it. Question here is if i use AWS WAF then will it allow AWS VPN CIDR block to access the site when user connect via VPN for remote user and others from office user allowing WAN IP address.

Related

How to build a web server in GCP with the Internal IP restriction

I am planning to build a back office Machine Learning Model Performance Monitoring Dashboard using Python Flask in GCP(Google Cloud Platform) with Internal (Private) IP restriction. However, when I deploy this into QV environment, the only approach I know to access the webpages is by using IAP, which is not convenient for other non-technical users.
Does anyone know what is the best practice to build a webserver for an enterprise internal use in GCP?
You need to have several condition to access to your private IP from your company:
The users need to be on the entreprise network
The entreprise network needs to be connected to your VPC (VPN, interconnect, maybe peering on GCP)
The entreprise router/firewall must route the traffic to the Google Cloud reserved ranges through the VPN/interconnect. The firewall must allow the correct traffic (HTTP, HTTPS?) to GCP
If you use domain name in your QV environment, you need to register your VM private IP in your entreprise DNS to allow the users' browser to resolve the QV domain name and use the private IP which will be routed through the VPN/interconnect to Google Cloud.

Deploy website on azure virtual machine and access on internet

I want to deploy a website on azure IIS by using server 2016(Azure VM), and want to access it anywhere on the internet. How can I do this?
Which ip address I've to use for this purpose?
There are several steps to acheive this deployment on IIS.
1.Install IIS on azure VM.
https://devblogs.microsoft.com/premier-developer/set-up-iis-on-windows-virtual-machine/
2.Create a website for publish
Please remember to grant permission for authenticated user like IUSR and application pool identity
https://support.microsoft.com/en-gb/help/323972/how-to-set-up-your-first-iis-web-site
3.Set Azure VM firewall to allow your port like 80
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal
4.Publish your website.
You could achieve this via simple copy action in Remote desktop or VS web deployment
Just ensure your website can be accessed via telnet or tcping.exe. I remember ping is blocked by Azure VM.
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/publish-web-app-from-visual-studio
5.Try to access from both internal IP address and external firewall IP address.
If you could access from internal IP which means your IIS site has been built correctly.
If the website can be access from external. Then you have finished the publish.
6.If you want to access website from public domain.
Then you have to purchase domain name from public domain provider. Then bind your domain to your public IP address on their portal. As long as the website can be accessed from external. It would work with domain name.

Resolving On-Premise DNS and Google Cloud Internal DNS Together

I have a question about Cloud DNS or Cloud VPN i don't know which is exactly related with my issue. I have a on-premise network and i have an internal dns for this network which is example.int. I've connected via Cloud VPN this on-premise network with a Cloud VPC in my Google Cloud account.
Both of my resources can access each other correctly but my VM's in Google Cloud vpc does not resolve my dns servers in my on-premise network. For example i can access my on-premise server via it's ip adress from Google Cloud VM but i cannot access it via on-premise-vm-1.example.int domain.
If i use my on-premise dns nameservers in resolve.conf i can access on-premise server but in that case .c..internal dns adresses do not work in my vpc. I want to use both of them.
What should i do you think? I could not find any working documentation for it. I want to resolve my on-premise and google cloud internal dns zones from my gcloud vms. Is there any way to do it without making any change on resolve.conf file in my all servers?
Thanks in advance
I try to change Cloud DNS server policies but when i try to change alternate dns servers in there, i cannot access my .internal dnsses due to metadata server. However, i cannot even access my example.int dnsses.
I also try to adding example.int dns into Cloud VPC as private dns zone. It also did not work.
In this case I would recommend to use GCP Cloud DNS private forwarding and point your desired on-prem internal DNS name to your on-prem DNS server.
Be aware that the requests will be coming from 35.199.192.0/19, son in your VPN you should include this range to be reached from your GCP project.
A workaround might be to manually create an internal Cloud DNS zone on your GCP project and manually update your DNS registries there too, the downside about this is that any change you want to make you should make it on both sides.

How to allow users over VPN to access Azure Web App

We have an Azure Web App and Azure VPN, we've locked down the web app so it's accessible internally only by granting/restricting access via IP addresses (via Access Restrictions page). However users over our VPN are not able to access the web app - when they connect over VPN, the user's external IP address is not from our internal network. We do not want to whitelist everyone's IP address.
If we had the internal IP address of the web app, we have a few options we could try, but we assume this is not available to us.
How would we allow access to a web app for users over a VPN?
Is this something API Management would solve?
If you don't want to whitelist everyone's IP address. You could involve front-ending the Web App with an Azure Application Gateway and restricting access to the Web App such that only connections from the Gateway are allowed.
Azure Application Gateway is a web traffic load balancer. It has a public or a private frontend or both backends, it must deploy in a dedicated subnet. The subnet also supports to restrict the network inbound and outbound traffic with NSG. In this case, you can deploy a private app GW, then the users over VPN will send the HTTP/HTTPS requests to the APP GW frontend, the APP GW receives the requests via Listener and routes the traffic to the appropriate backends based on the routing rules. An application gateway can communicate with to on-premises servers when they're connected by Azure ExpressRoute or VPN tunnels if traffic is allowed. See supported backend pools and how an application gateway works.
You could get more references from the third way in this blog.

IIS legacy Web app through firewall only visible in Salesforce

We have a legacy app that is hosted on an IIS7 web server on our LAN. I'd like to embed it in our Salesforce org so that remote employees can access it without using VPN as some of the customer sites they work at do not allow the ports the VPN requires. If I use an iframe is there a way in IIS to limit the requesting "source" to a specific URL? I don't want the app accessible anywhere but, from within Salesforce.
I mistakenly tried limiting the firewall pass through/NAT rule to only allow SF IP addresses but, in that case the requesting source is actually the IP of the client not SF so that doesn't work.

Resources