I would like to configure my external domain name to my load balancer in rancher.
I have a domain name mydomain.com via loopia.com
I have a Load Balancer in Rancher with FQDN: lb.lb.tothis.com
and within the Load Balancer, I have set up the rules with the request host to be mydomain.com and point to a target container within Rancher.
At this point, I'm not sure how to set it correctly.
I've tried to set up an A record at the root DNS (#) and www using one of the IPs returned for lb.lb.tothis.com via https://toolbox.googleapps.com/apps/dig/#A/
but it seems it does not work.
I have tried to set a CNAME in wildcard * that points to lb.lb.tothis.com but that does not help either.
What am I missing in the configuration to make this work?
Thank you!
You should first point to the IP of the node where your service is running, and then in the firewall that is in front of your network you should create a NAT and DNAT rule to channel the traffic to the node.
I have an ECS cluster in which I run a task with many containers. Three of them need to be reached from the internet. These containers are exposed on ports 80, 8080 and 8880 of the cluster's EC2 instance.
I have a DNS name registered (say example.com), and I can create a CNAME record that points to the EC2 DNS name, but if I do so, the app will be reachable as
example.com:80
example.com:8080
example.com:8880
Instead, what I would like to do is to reach the three containers like this:
app1.example.com (instead of example.com:80)
app2.example.com (instead of example.com:8080)
app3.example.com (instead of example.com:8880)
I can't do it with a DNS CNAME because it is not possible with a CNAME to redirect to specific ports.
I hope the question makes sense.
Any suggestion would be appreciated.
Thanks in advance!
You will need to place an AWS Application Load Balancer in front of the ECS containers in order to accomplish this. You would have 3 different target groups (one for each container) and configure the Load Balancer to use host-based routing to send the traffic to the appropriate target group/container.
I need to prevent users from accessing the site through the external IP address on Compute Engine; they should be able to access the site only via the domain name (www.some-domain.com), not the IP address itself.
Let's say the instance's IP address on Compute Engine is A.A.A.A. I am using a Load Balancer to redirect it to a secure connection, with these settings:
Frontend
HTTP : B.B.B.B:80
HTTPS : B.B.B.B:443
Backend
Redirected to the active instance
And I am pointing the DNS A record to B.B.B.B.
Now, I am able to access https://www.some-domain.com. But the problem is, I can still access the site with A.A.A.A and B.B.B.B.
This is my current firewall configuration:
How to prevent this? Thanks.
Well, there are a couple of things you can do:
1. Remove the external IP from the VM instance
2. Create a specific firewall rule to only allow access from a specific subnet range
Let me elaborate:
For 1:
Using the web console, you only need to edit the VM details, go to the network interfaces settings and choose None in the External IP drop-down menu, then save the new configuration. All of this can be done without stopping the VM instance.
For 2:
Create a couple of firewall rules with the same configuration as default-allow-http and default-allow-https, but at "Filter" you need to specify the "public" subnet range you want to allow (your data center range, for example). These new firewall rules must have a lower priority value to take precedence over the existing ones. Once you validate that it is working properly you can delete the old ones (Video: GCP Firewall).
I hope that helps; if you need more assistance just write me a comment.
Your problem is very similar to configuring the Google Identity-Aware Proxy, which is part of the Google BeyondCorp architecture and, providing your users have Google IDs, is very effective.
The docs explain the process for setting up the IAP but it also helps explain how to configure the moving parts. You need to:
Set your A record on your DNS to the public front-end of your load balancer
Configure your firewall rule on your GCE instance to not permit any traffic from the Internet, but only allow from the load balancer. The load balancer has a helpful graphic to show the rules.
Configure your load balancer back end to direct traffic from your front end to the GCE instance. I have TLS over the internet to the LB and then HTTP from the LB to my instance, but you don't have to.
Your load balancer will then take the HTTP/S traffic and forward it to the back end using the forwarding rule that you set up when configuring it. If you try to go to the instance IP directly, the firewall will block you; for testing you can enable an allow from your client IP and then you will see that you don't get the headers.
Here's how I fixed this issue:
In your GCP account,
go to VPC Networks, then to Firewall rules.
You need to create 2 firewall rules:
1) Allow all traffic coming from Google health checks and your own load balancer.
Priority: 500
Direction: Ingress
Action on match: Allow
Target tags: if you want to apply this rule only to 1 instance, then open the VM instance, edit it, create the specific network target tag, save it and then add it here.
IP ranges: 35.191.0.0/16 and 130.211.0.0/22 https://cloud.google.com/load-balancing/docs/https#source_ip_addresses
2) Deny all traffic.
Priority: 900
Direction: Ingress
Action on match: Deny
Target tags: put here the same network target tag(s).
IP ranges: 0.0.0.0/0
That's it. If you put the IP of the VM instance in your browser, it will fail. The access will be forced through the Load Balancer.
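To see why the priorities in this answer matter, here is an added example (not from the answer or from Google) that models GCP ingress-rule evaluation: among the rules that apply to an instance's tags and match the source IP, the lowest priority number wins, and nothing matching falls to the implied deny. The rule names, the "web" tag and the "http-server" rule at priority 1000 (the typical default-allow-http) are constructed assumptions; the two source ranges are the ones quoted above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    priority: int           # GCP: lower number = higher precedence
    action: str             # "allow" or "deny"
    source_ranges: list     # CIDR strings
    target_tags: set        # rule applies only to instances carrying one of these


# Constructed rule set mirroring the answer: allow LB/health-check ranges at 500,
# deny everything else at 900, plus a typical default-allow-http at 1000 that
# would otherwise admit direct-to-IP traffic. (Ports are ignored for brevity.)
RULES = [
    Rule("allow-lb-and-health-checks", 500, "allow",
         ["35.191.0.0/16", "130.211.0.0/22"], {"web"}),
    Rule("deny-all-other-ingress", 900, "deny", ["0.0.0.0/0"], {"web"}),
    Rule("default-allow-http", 1000, "allow", ["0.0.0.0/0"], {"http-server"}),
]


def evaluate_ingress(src_ip, instance_tags, rules=RULES):
    """Return (action, rule_name) for an ingress packet from src_ip to an
    instance carrying instance_tags. Rules are checked in priority order;
    the first that targets the instance and contains the source wins.
    If nothing matches, GCP's implied deny-ingress rule applies."""
    ip = ipaddress.ip_address(src_ip)
    tags = set(instance_tags)
    for rule in sorted(rules, key=lambda r: r.priority):
        if not (rule.target_tags & tags):
            continue
        if any(ip in ipaddress.ip_network(c) for c in rule.source_ranges):
            return (rule.action, rule.name)
    return ("deny", "implied-deny-ingress")


if __name__ == "__main__":
    # Tagged with "web": only LB/health-check sources get through.
    for src in ["35.191.12.34", "130.211.1.9", "203.0.113.7"]:
        print(src, evaluate_ingress(src, ["web", "http-server"]))
    # Without the "web" tag the deny rule never applies and the
    # priority-1000 allow lets a direct hit on the VM IP succeed.
    print("203.0.113.7 (no web tag)", evaluate_ingress("203.0.113.7", ["http-server"]))
```

Removing the "web" tag from an instance (or setting the deny rule's priority above 1000) reintroduces the direct-IP exposure the question describes, which is the check worth running against your own rule set.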
I wanted to create an Alias record that simply points my naked domain name (zone apex) to a simple Elastic IP address associated with a single EC2 instance. But that type of target isn't valid. It looks like the Alias record targets are limited to:
Elastic Load Balancers (ELB's)
S3-Endpoints
CloudFront Distributions
Other DNS Record Sets.
Can anybody shed some theoretical light as to why I am unable to use the A-record to point the domain to a simple EC2 with an ip address? Thanks.
Basic DNS 101
Yes. Create an A record containing the IP address of your instance. It isn't an alias, and it shouldn't be an alias.
Your issue is that your web server itself or WordPress is misconfigured and is actively issuing redirects to what it wrongly believes to be the correct/desired name, which has nothing to do with how this A record is provisioned. Review your response headers and you will find a 30x HTTP response coming from your web server.
I have a problem where I can't browse a website hosted on an Amazon EC2 IIS instance by domain name. I can browse it by the public elastic IP address I assigned to the instance.
I created a DNS A record pointing a sub domain to the public Elastic IP address. www.whatsmydns.net shows that it is propagated. However, I can't ping my subdomain (ping cannot find the host).
In IIS I created a binding for my subdomain pointing to the private IP address for the elastic IP.
I don't think it matters, but I also created a binding for an empty host name and * for the IP address to be able to connect by the public IP.
I'm completely new to EC2 and thought I wasn't doing something correctly with the elastic IP and/or IIS binding but it's troubling that I can't ping the subdomain. Or, maybe that is expected since I can't browse the site either.
Where have I gone wrong? What should I try/check next?
You can't ping the EC2 instance because by default the security group assigned to your EC2 instance will be blocking ping. To unblock it, modify your security group and add a Custom ICMP Rule to allow Echo Request and Echo Reply.
As for getting your DNS to work within IIS, if I were you, to start with I'd remove all bindings from IIS and then see if you get anything when using your subdomain.
Double check that your subdomain definitely resolves to your Elastic IP; you can do this through a command prompt, e.g. nslookup subdomain.domain.com
I have set up an EC2 instance and an Elastic IP which is associated to the instance. I have also set an A record in my DNS provider's Zone editor so that the domain name points to the elastic IP e.g. example.com = 123.123.123.123.
After reading many posts, this seems like it should be enough to work but my domain name still isn't resolving. I can't even ping the IP address! Weirdly I CAN ssh into the EC2 instance via the elastic IP and everything seems fine, except that my domain name doesn't resolve to the EC2 instance!
Any thoughts?
DNS names take a while to propagate so that is probably your first issue.
Go to http://www.whatsmydns.net/ and enter your domain name. If all of the locations are returning the correct IP then you can safely assume it's not a DNS propagation issue.
Enable ICMP rules in the security group. If using the aws console create a new rule for "All ICMP" with a source of "0.0.0.0/0". Enabling this creates a security risk for your server so only enable this temporarily while testing. At this point you should be able to ping your instance.
If using HTTP or HTTPS enable the correct ports on the security group for those protocols and as long as the instance is configured correctly with Apache you should be up and running.
Please check your EC2 security group and make sure the desired ports are open.