I want to test my data-plane application and I want to find out if there is a way using containers.
After I bring up a container with my app in it, can I direct all my machine-generated Internet traffic to the container, process that traffic in my application and send it back down to the host network namespace and out the physical interface (say, eth0)?
Example:
I access Facebook and all traffic (DNS/UDP, HTTPS/TCP) for this should go to my container app on the same machine, get processed by my application and then be sent out via eth0. Return traffic from the Internet comes back into my app first and is then sent to the host client (the browser here).
I am developing a chat app in Android using socket.io. This app needs to communicate over the Internet with a Node.js application listening on port 4000 in my Google Cloud virtual machine.
GCP provided an internal and an external IP. When I open internalIP:4000 in a browser on the VM, I can see it is running fine. But outside of the VM, when I open ExternalIP:4000, it gives an error. I don't know why it is not working.
These are the firewall configurations:
So you already established that your service is running fine and is on the correct port (4000).
Now you have to expose it to the Internet. By default this port is blocked for any traffic by GCP's firewall. This way only the ports for the SSH, RDP or ICMP protocols are open, so that you are able to connect to your VMs. If you need a non-standard port you have to create an appropriate firewall rule.
You can create it by running this in Cloud Shell or in your VM's command prompt:
gcloud compute --project=my-project-name firewall-rules create my-app-port \
--direction=INGRESS --priority=1000 --network=default \
--action=ALLOW --rules=tcp:4000 --source-ranges=0.0.0.0/0 \
--target-tags=my-app-server
or create it using the Cloud Console. Have a look at the documentation if you have any doubts.
In my example I used the my-app-server network tag. You need to add it to the VM that runs the app server - otherwise the rule won't work. It's best to do it this way since you're only exposing one additional port on a single VM, which is the safest possible solution.
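As an added example (not code from the answer above), the same rule wrapped in a script that also attaches the network tag to the VM and refuses the wide-open 0.0.0.0/0 source range, so only a named admin network can reach port 4000. The project, VM name, zone and CIDR are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the original answer. The rule name and the
# my-app-server tag match the answer; everything else is a placeholder.

# Accept only a single IPv4 CIDR such as 203.0.113.0/24 (constructed check:
# four dotted octets 0-255 plus a /0-32 prefix). Returns 1 for anything else,
# including the 0.0.0.0/0 the original command used. IPv6 is not handled.
valid_restricted_cidr() {
    cidr="$1"
    case "$cidr" in
        0.0.0.0/0) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    ip="${cidr%/*}"
    prefix="${cidr#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $ip            # split the address on dots into positional args
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Create the ingress rule for tcp:4000 from the given source range and
# attach the network tag to the VM so the rule actually applies to it.
# Usage: create_app_rule my-project my-vm us-central1-a 203.0.113.0/24
create_app_rule() {
    project="$1"; vm="$2"; zone="$3"; cidr="$4"
    valid_restricted_cidr "$cidr" || {
        echo "refusing source range: $cidr (use a specific admin CIDR)" >&2
        return 1
    }
    gcloud compute --project="$project" firewall-rules create my-app-port \
        --direction=INGRESS --priority=1000 --network=default \
        --action=ALLOW --rules=tcp:4000 --source-ranges="$cidr" \
        --target-tags=my-app-server
    gcloud compute instances add-tags "$vm" --zone="$zone" \
        --project="$project" --tags=my-app-server
}
```

Widen the source range only when the app genuinely has to be reachable from anywhere; a socket.io backend used by your own clients often still needs 0.0.0.0/0, in which case the port, not the range, is the thing to keep minimal.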
I have many IoT clients that will soon be in the field. I want some way to have full access to the Device Portal currently on port 8080 without it being publicly exposed.
My thoughts are to develop a management server that accepts connections from multiple clients with keep alive. The connection from the IoT could be net sockets but that is open for feedback.
The management server would show the connection status of each IoT device. It would have the functionality to launch a browser session with the connected IoT device. The IoT device would serve the local Device Portal:8080 through the socket to the management server's browser session. Interaction from the management server's browser session would be transmitted back through the socket and in turn interact with the Device Portal.
I have looked over information for a few days and can't find examples of website interaction through sockets. I request your feedback on such an approach and also ask if there are any open-source projects that may assist in reaching this goal.
Thank you
Have a look at https://openport.io. It does exactly what you ask.
A socket is just a software representation of a TCP connection. Ports would still be required, at least 1 port anyway. If you are accessing all those devices on the same network, you can use a reverse proxy or a VPN for external access into your network and those devices. Always use an SSL cert or IPsec tunnel for the proxy or VPN connection. If you open up your firewall on 80 and/or 443 to your Apache web server, Apache could redirect to the backend 8080 port. Alternatively, OpenVPN could be used to give you access to the entire network by just opening port 1154 and setting up the configurations. If using OpenVPN, you would still route to the device portal on 8080, as usual, using your internal IP or host name.
If all your devices are on the same network, the nice thing about using a VPN to get in is that you can connect to OpenVPN on your cell phone and then connect via SSH with an app like Termius on iOS, or any other SSH-capable iOS app, to your IoT device and get things done quickly, like rebooting IoT devices, setting permissions or checking logs on the go.
Lastly, if you're planning to pay for Azure, you could do that, I guess ($$$)
https://azure.microsoft.com/en-us/pricing/details/iot-hub/
I have a build server with Jenkins running as a Windows Service.
It runs at the local 8080 port.
I want to be able to view the jobs dashboard from any machine by typing the corresponding address in a web browser.
Something like {DNS}:8080/myView.
What do I need to define in Jenkins/Azure to make this happen?
There are 4 moving parts here; you don't really have to do anything on the Jenkins side, apart from running it:
The VM should have a public IP, or you should have some kind of routing to the VM on the port you are interested in.
The Network Security Group should permit traffic on the port of interest (8080), both on the subnet and on the network interface.
The firewall on the VM should allow traffic on the port of interest.
The application on the VM (Jenkins in your case) should listen for traffic on the port of interest.
It looks like one has to add an endpoint at the Azure VM. In any case, that's what worked for me.
I'm new to Azure (strike 1) and totally suck at networking (strike 2).
Nevertheless, I've got two VMs up and running in the same virtual network; one will act as a web server and the other will act as a SQL database server.
While I can see that their internal IP addresses are both in the same network I'm unable to verify that the machines can communicate with each other and am sort of confused regarding the appropriate place to address this.
Microsoft's own documentation says:
All virtual machines that you create in Windows Azure can automatically communicate using a private network channel with other virtual machines in the same cloud service or virtual network. However, you need to add an endpoint to a machine for other resources on the Internet or other virtual networks to communicate with it. You can associate specific ports and a protocol to endpoints. Resources can connect to an endpoint by using a protocol of TCP or UDP. The TCP protocol includes HTTP and HTTPS communication.
So why can't the machines at least ping each other via internal IPs? Is it Windows Firewall getting in the way? I'm starting to wonder if I've chosen the wrong approach for a simple web server/database server setup. Please forgive my ignorance. Any help would be greatly appreciated.
If both machines are in the same Virtual Network, then just turn off Windows Firewall and they will be able to ping each other. The other way is to allow all incoming ICMP traffic in Windows Firewall with Advanced Settings.
However, there is a trick. Both machines will see each other by IP address, but there will be no name resolution in a Virtual Network defined this way. This means that you won't be able to ping by name, only by direct IP address. So, if you want your website (on VM1) to connect to SQL Server (on VM2), you have to address it by full IP address, not machine name.
The only way to get name resolution within a Virtual Network is to use a dedicated DNS server, which you maintain and configure on-premises.
This article describes name resolution scenarios in Windows Azure in detail. Your particular case is this:
Name resolution between virtual machines and role instances located in the same virtual network, but different cloud services
You could potentially achieve name resolution if you put your VMs in the same cloud service. Then you will not even require a dedicated virtual network.
If your VMs are inside a Virtual Network in Azure, then you have to make sure of two things:
The required port is enabled.
The firewall is disabled on the server.
I was trying to connect from one VM to another VM where the SQL Server DB was installed. I had to enable port 1433 on the VM where SQL was installed. For this you need to add an MSSQL endpoint to the VM in the Azure management portal. After that I disabled Windows Firewall. Then I was able to connect to the VM from the other one.
I would like to host a firebird database in an Azure virtual machine.
Normally, I would indicate in a program a connection like this:
hostname:databasename
...to connect to the remote host. In Azure, you cannot do that.
I would need to connect with something like:
?.cloudapp.net:someport:databasename
The client would be talking to ?.cloudapp.net, thinking that someport is the port to communicate with the database server.
So it seems I would need a proxy to log in and connect to Windows Azure cloud resources, and the client would then use the proxy to talk with the database server. This looks like a hassle - are there any alternatives?
I'm not entirely sure of your cloud architecture in Azure, but assuming you have one VM with your DB installed, you should be able to open up a public endpoint (via the portal manage.windowsazure.com for your Cloud Service) and connect to that via its public IP address and the port.
Windows Azure does have more advanced features that allow you to connect to specific VMs within a Cloud Service via port forwarding.
Michael Washam has a great blog post on this, 'Understanding Windows Azure Virtual Machines':
http://michaelwasham.com/2012/06/08/understanding-windows-azure-virtual-machines/
The architecture of cloud services makes endpoint configuration interesting. Since each cloud service has a single public IP address but multiple virtual machines can reside in it, how do you address individual servers directly in a non-load-balanced fashion?
Port forwarding allows you to configure an endpoint on a specific VM listening on any of the ephemeral ports that will then be forwarded to the correct internal port.