Allowing multiple IPs under Azure SAS - azure

I have placed the installation scripts and files on Blob storage at Azure.
Now I want only specific users/clients to access this storage area and download the installation scripts and files.
In order to accomplish this, I'm using Shared Access Signatures (SAS). So I generate a SAS for the script file(s). But when it comes to "Allowed IP addresses", I can only specify one IP address or one range of IP addresses. I have 3 different clients at the moment (which will increase in future), and they all have different IP addresses. So how can I specify these 3 separate IPs in here?
Any assistance in this matter is highly appreciated. Also if there is any other possible / recommended solution for my requirement then please guide me to that as well, if possible. I'm open to any alternate better option.
Thanks

So how can I specify these 3 separate IPs in here?
In a single SAS, you can either specify a single IP address (e.g. 10.2.1.80) or an IP address range (10.2.1.80-10.2.1.90).
In your case, you will need to generate a separate SAS token for each client with their respective IP address.
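As an added illustration of the answer above (not from the original post), the following Python issues one read-only, HTTPS-only SAS per client, each pinned to that client's own IP or range, and shows that the IP is bound into the signature. The account, key, container and blob names are constructed; the signing layout is assumed to be the documented string-to-sign for service SAS version 2017-11-09 (the version shown elsewhere on this page).

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample values (hypothetical account, container, blob and key).
ACCOUNT = "installscripts"
ACCOUNT_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-azure-key").decode()
CONTAINER = "scripts"
BLOB = "install.ps1"
# One entry per client: a single IP or a "start-end" range, as the answer describes.
CLIENTS = {"client-a": "203.0.113.10", "client-b": "198.51.100.20",
           "client-c": "192.0.2.30-192.0.2.40"}

def blob_sas(client_ip, start, expiry, permissions="r", version="2017-11-09"):
    """Read-only service SAS for one blob, pinned to one client's IP or range.

    Assumption: the string-to-sign follows the documented layout for service SAS
    versions 2015-04-05 through 2018-03-28 (sv=2017-11-09 as used on this page):
    sp, st, se, canonicalized resource, si, sip, spr, sv, then five empty
    response-header overrides. Versions from 2018-11-09 onward add fields.
    """
    canonical = f"/blob/{ACCOUNT}/{CONTAINER}/{BLOB}"
    fields = [permissions, start, expiry, canonical, "", client_ip, "https", version,
              "", "", "", "", ""]
    mac = hmac.new(base64.b64decode(ACCOUNT_KEY),
                   "\n".join(fields).encode("utf-8"), hashlib.sha256)
    sig = base64.b64encode(mac.digest()).decode()
    # sip is both a query parameter and an input to the signature, so a client
    # cannot swap in a different IP without invalidating sig.
    return {"sp": permissions, "st": start, "se": expiry, "sip": client_ip,
            "spr": "https", "sv": version, "sr": "b", "sig": sig}

def sas_url(params):
    return f"https://{ACCOUNT}.blob.core.windows.net/{CONTAINER}/{BLOB}?" + urlencode(params)

def issue_per_client(start, expiry):
    """One SAS per client: the only way to cover several disjoint client IPs."""
    return {name: blob_sas(ip, start, expiry) for name, ip in CLIENTS.items()}

def signature_valid(params):
    """Recompute the signature the way the service would; any edit to sip fails."""
    expected = blob_sas(params["sip"], params["st"], params["se"],
                        params["sp"], params["sv"])["sig"]
    return hmac.compare_digest(expected, params["sig"])
```

Each client receives only its own URL from `sas_url`; rotating the account key invalidates every token at once.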

Related

How to configure 2 files in 2 dependent instances in cloudformation script?

I am doing a lift and shift with software from an on-premises architecture. There are two servers (main and auxiliary) that have to talk to one another over the network. I currently have tested and confirmed that I can manually add their hostnames and private IP address to the hosts file ("C:\Windows\System32\drivers\etc\hosts") and the software works fine.
For those that don't know, this file is used by Windows to map a network hostname like EC2AM-1A2B3C to an IP address. So if I added the hostname and IP address of the main server into the hosts file of the auxiliary server, then the auxiliary server could route to the main server (i.e. PS> ping EC2AM-1A2B3C would then work).
How could I pass the required information to both servers? They both have to know the other server's private IP address and hostname. If this is not possible at server spin-up time, how might the servers connect and pass this information? I would really like to automate this if possible.
According to your description, I have some suggestions that you can refer to.
If you want two EC2 instances to be able to communicate with each other, you can use the method of adding rules to the security group.
(1) Create security groups for your instance 1 and instance 2 respectively.
(2) Add an inbound rule to the security group of instance 1, choose "ICMP-ipv4". Enter the security group ID of instance 2.
(3) Create the inbound rule for instance 2 in the same steps.
For more information on security group rules you can refer to the official document.
You have tried adding the hostname and IP address of the primary server to the hosts file of the secondary server to tell each machine the IP address of the other. Amazon CloudFormation cannot handle the circular dependency between the two instances.
You can refer to the answer to this question to make both instances know each other's IP address.
Hope these suggestions are useful to you.

What do I need to tell clients re. Firewalls in order to ensure our Azure.Storage.Blobs dependent software will work?

Our software uses Azure.Core, Azure.Storage.Blobs and Azure.Storage.Common to interact with Azure Blob Storage Accounts held in North Europe (i.e. Ireland)
We store files in various containers in such Storage Accounts
Some of our clients have very strict policies regarding access to "the internet" and we are asked to provide some information about this, and I have to admit I'm not sure.
I can do something like ping someblobaccounthere.blob.core.windows.net and that will give me an IP address, but will it always be the same IP address? How do Azure.Storage.Blobs and associated DLLs interact with such an account?
Are the requests made through HTTPS or are these DLLs interacting through other protocols, do I need to tell them to open certain ports or will default ports such as 443 and (80 for http) work? Will this play nice with proxies?
I did have a bit of a google around but my Google Fu is failing me and I'm not finding clear answers.
Our apps are built for .NET Framework 4.8 - in case that is significant.
You can view/download the IP ranges from this link:
This file contains the IP address ranges for Public Azure as a whole, each Azure region within Public, and ranges for several Azure Services (Service Tags) such as Storage, SQL and AzureTrafficManager in Public. This file currently includes only IPv4 address ranges but a schema extension in the near future will enable us to support IPv6 address ranges as well. Service Tags are each expressed as one set of cloud-wide ranges and broken out by region within that cloud. This file is updated weekly. New ranges appearing in the file will not be used in Azure for at least one week. Please download the new json file every week and perform the necessary changes at your site to correctly identify services running in Azure.
IMHO Azure storage should be configured to use https only so the https port should be open.

Determine Azure IP Address of appService, blob and general storage

I have a url as below from Azure Portal
https://qwergeneralstorage.blob.core.windows.net/sqldb/DBNAME-Test.bacpac?sp=r&st=2018-07-11T02:12:52Z&se=2018-07-13T08:12:52Z&spr=https&sv=2017-11-09&sig=%2FYrtyuZtl5eJdfj07mTtKjbol8J9d1%2thyuJ%klemhg%3D&sr=b
How can I determine the IP address from this?
If you want to get the IP Address, you could use cmd to ping the url host name.
But you need to note that the IP Address changes every week. You could download the xml file in this link, then check the IP Address range of different regions in the file.
Details
This file contains the IP address ranges (including Compute, SQL and Storage ranges) used in the Microsoft Azure Datacenters. An updated file is posted weekly which reflects the currently deployed ranges and any upcoming changes to the IP ranges. New ranges appearing in the file will not be used in the datacenters for at least one week. Please download the new xml file every week and perform the necessary changes on your site to correctly identify services running in Azure.
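As an added example (not part of either answer above) for the two questions about what to tell clients' firewalls and how to get the IP behind a blob URL: instead of pinning the single address that ping returns, parse the weekly service-tag file, allow-list the Storage prefixes for the region on TCP 443, and diff consecutive weekly files to see what changed. The JSON below is a constructed sample in the layout of the Azure IP Ranges and Service Tags file, using RFC 5737 documentation prefixes rather than real Azure ranges.

```python
import ipaddress
import json

# Constructed samples in the layout of the weekly Azure "IP Ranges and Service
# Tags" JSON: a "values" list whose entries carry a service-tag name plus
# properties.region and properties.addressPrefixes. The prefixes are RFC 5737
# documentation ranges, not real Azure ranges.
def _doc(change, ne_storage):
    return json.dumps({"changeNumber": change, "cloud": "Public", "values": [
        {"name": "Storage.NorthEurope", "properties": {"region": "northeurope",
         "systemService": "AzureStorage", "addressPrefixes": ne_storage}},
        {"name": "Storage.WestEurope", "properties": {"region": "westeurope",
         "systemService": "AzureStorage", "addressPrefixes": ["192.0.2.0/24"]}},
        {"name": "Sql.NorthEurope", "properties": {"region": "northeurope",
         "systemService": "SQL", "addressPrefixes": ["203.0.113.128/25"]}}]})

LAST_WEEK = _doc(1, ["203.0.113.0/25", "198.51.100.0/24"])
THIS_WEEK = _doc(2, ["203.0.113.0/25", "198.51.100.0/24", "192.0.2.128/26"])

def tag_prefixes(doc_json, tag_name):
    """Address prefixes published for one service tag, e.g. Storage.NorthEurope."""
    for entry in json.loads(doc_json)["values"]:
        if entry["name"] == tag_name:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag_name} not in file")

def ip_in_tag(doc_json, tag_name, ip):
    """True if an address (say, what ping returned for the blob hostname) lies in
    the tag's ranges. Use it to validate a rule, not to derive one from a single IP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in tag_prefixes(doc_json, tag_name))

def weekly_delta(old_json, new_json, tag_name):
    """Prefixes to add and to retire when the next weekly file is published."""
    old = {str(n) for n in tag_prefixes(old_json, tag_name)}
    new = {str(n) for n in tag_prefixes(new_json, tag_name)}
    return sorted(new - old), sorted(old - new)

def firewall_allow_rules(doc_json, tag_name, port=443):
    """Egress allow-list entries (destination prefix, protocol, port) for the
    HTTPS path the Azure.Storage.Blobs client uses."""
    return [(str(net), "tcp", port) for net in tag_prefixes(doc_json, tag_name)]
```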

Setting internally visible DNS entries on Google cloud

I would like to set DNS records visible from instances inside the Google cloud.
For example if I query DNS from my PC I'll get one IP; however if I query DNS from the instance I'll get another IP. (A record to be exact)
Ideally I'd like to do this in the most sane/convenient way possible; I could install a caching DNS server on every instance and set up authoritative results, and forward caching for the rest (I guess bind9 can do that, never tried it before). But this is a configuration sync mess, and it's not elegant. I kinda assume there might be a better way.
One solution is to use totally different zones for different sets of machines and use the DNS search path to select.
So for example you could set up
server1.internal.yourdomain.com IN A 1.2.3.4
server1.external.yourdomain.com IN A 5.6.7.8
Then set up your machines with resolv.conf containing either
search internal.yourdomain.com
or
search external.yourdomain.com
And then when you look up server1 on such a machine it will return the address from the appropriate zone. This scheme means you don't need to rely on complex routing or IP detection. You will be immune to incidents where internal or external IPs get leaked into each other's results.
Of course this does mean that you aren't keeping any IP addresses secret, so make sure you have other security layers in place (you probably shouldn't rely on secret IPs for security anyway)
Assuming you want your VM instances to be able to query other instances by name, and retrieve the desired instance’s private IP, this is already baked into GCP.
Google Cloud Platform (GCP) Virtual Private Cloud (VPC) networks have an internal DNS service that allows you to use instance names instead of instance IP addresses to refer to Compute Engine virtual machine (VM) instances.
Each instance has a metadata server that also acts as a DNS resolver for that instance. DNS lookups are performed for instance names. The metadata server itself stores all DNS information for the local network and queries Google's public DNS servers for any addresses outside of the local network.
[snip]
An internal fully qualified domain name (FQDN) for an instance looks like this:
hostName.c.[PROJECT_ID].internal
You can always connect from one instance to another using this FQDN.
Otherwise, if you want to serve up entirely arbitrary records to a set of machines, you’ll need to serve those records yourself (perhaps using Cloud DNS). In this case, you’d need to reconfigure the resolv.conf file on those instances appropriately (although you can’t just change the file as you see fit). Note that you can't restrict queries to only your own machines, but as David also mentioned, security through obscurity isn't security at all.
Google Cloud DNS Private DNS was just announced to beta and does exactly what you need

Changing Windows Azure Cloud Service IP Address

Does anybody know if it's possible to change the IP address of a site hosted on Windows Azure Cloud Services?
We currently have a site hosted in the 'North Europe' location, however the GEO IP of the IP address assigned returns USA. This is causing problems with an API we have started using that can only be accessed from within the UK, checked via GEO IP location.
Within the region of 'North Europe', however, there are a couple of IP ranges that have IP addresses that consistently return 'Dublin/UK', which would be ideal for what we need.
So, does anybody know if this is possible? We don't have technical support on the plan we use, which is why I'm asking here.
Thanks in Advance,
Bav
I'm not aware of a way to change the IP address. At least not without deleting the deployment and recreating (which would likely assign a new IP address). That doesn't guarantee you'll get what you're after though.
This does seem to be a known issue though:
http://blogs.msdn.com/b/wats/archive/2014/05/10/microsoft-azure-datacenter-s-ip-location-shows-incorrect-location-when-using-ip-geolocation-services.aspx
http://azure.microsoft.com/blog/2014/06/11/windows-azures-use-of-non-us-ipv4-address-space-in-us-regions/
Azure support may be able to help, but that likely requires a support plan. :(
You normally can't control the public IP address of your cloud service. This is partially controlled by the region you select, but not entirely.
As part of the most recent Azure update, however, you can reserve a public IP address that will never change as long as you keep the reservation. These are not free, but they're probably your only option.
See: http://azure.microsoft.com/blog/2014/05/14/reserved-ip-addresses/
Now, this still won't let you pick your IP - but you could keep requesting reservations until you get one you like.
Lastly, as another answer suggested, there is no way to change the IP of a cloud service post-deployment. You must delete the deployment to get a new IP. (Or change network configuration, or rename the cloud service / get a new DNS name, etc.)