How to prevent public access to Compute Engine External IP Address? - security

I need to prevent users from accessing the site through the External IP Address on Compute Engine; they should be able to access the site only via the domain name (www.some-domain.com), not the IP Address itself.
Let's say the instance's IP Address on Compute Engine is A.A.A.A. I am using a Load Balancer to redirect it to a secure connection, with these settings:
Frontend
HTTP : B.B.B.B:80
HTTPS : B.B.B.B:443
Backend
Redirected to the active instance
And I am pointing the DNS (A record) to B.B.B.B.
Now, I am able to access https://www.some-domain.com. But the problem is, I can still access the site with A.A.A.A and B.B.B.B.
This is my current firewall configuration:
How to prevent this? Thanks.

Well, there are a couple of things you can do:
1. Remove the External IP from the VM instance
2. Create a specific firewall rule to only allow access to a specific subnet range
Let me elaborate:
For 1:
Using the web console, you only need to edit the VM details, go to the network interface settings and choose None in the External IP drop-down menu, then save the new configuration. All of this can be done without stopping the VM instance.
For 2:
Create a couple of firewall rules with the same configuration as default-allow-http and default-allow-https, but under "Filter" you need to specify the "public" subnet range you want to allow (your data center range, for example). These new firewall rules must have a lower priority value to take precedence over the existing ones. Once you validate that it is working properly you can delete the old ones. Video: GCP Firewall.
I hope that helps; if you need more assistance, just write me a comment.

Your problem is very similar to configuring the Google Identity-Aware Proxy, which is part of the Google BeyondCorp architecture and, provided your users have Google IDs, is very effective.
The docs explain the process for setting up IAP, but they also help explain how to configure the moving parts. You need to:
Set your A record on your DNS to the public front-end of your load balancer
Configure your firewall rule on your GCE instance to not permit any traffic from the Internet, but only allow from the load balancer. The load balancer has a helpful graphic to show the rules.
Configure your load balancer back end to direct traffic from your front end to the GCE instance. I have TLS over the internet to the LB and then HTTP from the LB to my instance, but you don't have to.
Your load balancer will then take the HTTP/S traffic and forward it to the back end using the forwarding rule that you set up when configuring it. If you try to go to the instance IP directly, the firewall will block you; for testing you can enable an allow from your client IP, and then you will see that you don't get the headers.

Here's how I fixed this issue:
In your GCP Account.
Go to VPC Networks then to Firewall rules
You need to create 2 Firewall rules:
1) Allow all traffic coming from Google health checks and your own load balancer.
Priority: 500
Direction: Ingress
Action on match: Allow
Target tags: if you want to apply this rule only to one instance, open the VM instance, edit it, create the specific network target tag, save it and then add it here.
IP ranges: 35.191.0.0/16 and 130.211.0.0/22 https://cloud.google.com/load-balancing/docs/https#source_ip_addresses
2) Deny all traffic.
Priority: 900
Direction: Ingress
Action on match: Deny
Target tags: put here the same network target tag(s).
IP ranges: 0.0.0.0/0
That's it. If you put the IP of the VM instance in your browser, it will fail. The access will be forced through the Load Balancer.

Related

How to block internet for everyone except for one single IP in Azure VM

I have a requirement on an Azure VM wherein I want to block internet access to all IPs except for one single IP (which would be mine).
I'm able to block internet access for everyone by creating a Deny Outbound rule for everyone. However, when I'm creating an Allow rule with my public address with a higher priority, I'm still unable to access the Internet. My understanding is that the first rule will block internet for everyone and the second rule (with higher priority) will only allow my IP to have internet access.
Can someone please check and let me know what I'm doing wrong here?
I'm attaching the screenshot of my Outbound rules.
In the outbound port rule section, the source address is the IP address of your Azure VM and the destination is the target you want to reach, so add your IP address there (in the images below the target IP would be 142.250.185.110).
By the way, a nice tool to check your connectivity in Azure is "Network Watcher": search for it in the Azure Portal, then go to "IP flow verify", enter your target VM and the destination (remote) target you want to reach. Network Watcher tells you if the request would go through and, if not, which rule is blocking it:
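The two outbound NSG rules from the answer above, written as az CLI calls. This is an added example, not code from the question or the answer; the resource group, NSG, VM name and private IP are assumed placeholders, and the destination 142.250.185.110 is the one from the answer's screenshot. The point the answer makes is built in: for an Outbound rule the source is the VM itself (so the source prefix is '*'), and the address you want to reach goes in the destination. DRY_RUN=1 (the default) prints the commands instead of executing them; set DRY_RUN=0 once you are logged in with `az login`.

```shell
#!/bin/sh
# Added example: outbound NSG rules that allow exactly one destination and
# deny everything else on the Internet, plus a Network Watcher flow check.
# All resource names below are assumptions; override them via the environment.
RG="${RG:-my-rg}"                                 # assumed resource group
NSG="${NSG:-vm-nsg}"                              # assumed NSG on the VM's NIC or subnet
VM="${VM:-my-vm}"                                 # assumed VM name (for the flow check)
VM_PRIVATE_IP="${VM_PRIVATE_IP:-10.0.0.4}"        # assumed private IP of that VM
ALLOWED_DEST="${ALLOWED_DEST:-142.250.185.110}"   # destination IP from the answer's screenshot
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print commands, 0 = execute them

# Print the command line in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Lower priority number = evaluated first. Outbound traffic originates from
# the VM, so the source is '*' and the target IP is the DESTINATION prefix.
allow_outbound_to_target() {
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name allow-out-to-target --priority 100 --direction Outbound --access Allow \
    --protocol '*' --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes "$ALLOWED_DEST" --destination-port-ranges '*'
}

# Catch-all deny to the Internet service tag at a higher number, so it is
# only reached for flows the allow rule above did not match.
deny_outbound_internet() {
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name deny-out-internet --priority 200 --direction Outbound --access Deny \
    --protocol '*' --source-address-prefixes '*' --source-port-ranges '*' \
    --destination-address-prefixes Internet --destination-port-ranges '*'
}

# Network Watcher "IP flow verify" from the CLI: reports Allow or Deny and
# names the NSG rule that made the decision.
verify_outbound_flow() {
  run az network watcher test-ip-flow --resource-group "$RG" --vm "$VM" \
    --direction Outbound --protocol TCP \
    --local "$VM_PRIVATE_IP:60000" --remote "$ALLOWED_DEST:443"
}

allow_outbound_to_target
deny_outbound_internet
verify_outbound_flow
```

Run `verify_outbound_flow` a second time with a different `--remote` address to confirm that `deny-out-internet` is the rule reported for everything except the allowed destination.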

Restrict inbound traffic to only come through Azure Load Balancer

Please can someone advise how to restrict access on port 80/443 to some Azure VMs, so that they can only be accessed via the public IP address that is associated with an Azure Load Balancer.
Our current setup has load balancing rules passing through traffic from public IP on 80=>80 and 443=>443, to back end pool of 2 VMs. We have health probe setup on port 80. Session persistence is set to client IP and floating IP is disabled.
I thought the answer was to deny access (via Network Security Group) to the Internet service tag on 80/443, then add a rule to allow the AzureLoadBalancer service tag on the same ports. But that didn't seem to have an effect. Having read up a little more on this, it seems the AzureLoadBalancer tag is only to allow the health probe access and not specifically inbound traffic from that load balancer.
I have also tried adding rules to allow the public IP address of the load balancer, but again no effect.
I was wondering if I need to start looking into Azure Firewalls, and somehow restrict access to inbound traffic that comes through that?
The only way I can get the VMs to respond on those ports is to add rules allowing 80/443 from any to any...
After reading your question, my understanding is that you have a Public load balancer and the backend VMs also have instance level Public IPs associated with them and hence direct inbound access to the VMs is possible. But you would like to make sure that the direct inbound access to VMs is restricted only via the load balancer.
The simple solution for you to achieve this is by disassociating the instance level public IP of the VMs, this will make the LB public IP as the only point of contact for your VMs.
Keep in mind that the LB is not a proxy, it is just a layer 4 resource to forward traffic, therefore, your backend VM will still see source IP of the clients and not the LB IP, hence, you will still need to allow the traffic at the NSGs level using as source "Any".
However, if your requirement is to enable outbound connectivity from Azure VMs while avoiding SNAT exhaustion, I would advise you to create NAT Gateway, where you can assign multiple Public IP address for SNAT and remove the Public IP from the VM. This setup will make sure that the inbound access is provided by the Public load balancer only and the outbound access is provided by the NAT gateway as shown below:
Refer: https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-gateway-resource#nat-and-vm-with-standard-public-load-balancer
https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/tutorial-nat-gateway-load-balancer-public-portal
You could also configure port forwarding in Azure Load Balancer for the RDP/SSH connections to individual instances.
Refer: https://learn.microsoft.com/en-us/azure/load-balancer/manage#-add-an-inbound-nat-rule
https://learn.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal

GCP: Allowing Public Ingress Web Traffic from the Load Balancer ONLY

Disclaimers: I come from an AWS background but am relatively new to GCP. I know there are a number of existing similar questions (e.g. here and here, etc.) but I still cannot get it to work since the exact/detailed instructions are still missing. So please bear with me for asking this again.
My simple design:
Public HTTP/S Traffic (Ingress) >> GCP Load Balancer >> GCP Servers
GCP Load Balancer holds the SSL Cert. And then it uses Port 80 for downstream connections to the Servers. Therefore, LB to the Servers are just HTTP.
My question:
How do I prevent the incoming HTTP/S Public Traffic from reaching the GCP Servers directly? Instead, only allow the Load Balancer (as well as its Healthcheck Traffic)?
What I tried so far:
I went into Firewall Rules and removed the previously allowing rule of Ports 80/443 (Ingress Traffic) from 0.0.0.0/0. And then, added (allowed) the External IP address of Load Balancer.
At this point, I simply expected the Public Traffic to be rejected but not the Load Balancer's. But in reality, both seemed to be rejected. Nothing reached the Servers anymore. The Load Balancer's External IP didn't seem to be recognised.
Later I also noticed the "Healthchecks" were also not recognised anymore. Therefore Healthchecks couldn't reach the Servers and then failed. Hence the Instances were dropped by the Load Balancer.
Please also note that: I cannot pursue the approach of simply removing the External IPs on the Servers. (Although many people say this would work.) But we still want to maintain the direct SSH accesses to the Servers (by not using a Bastion Instance). Therefore I still need the External IPs, on each and every Web Servers.
Any clear (and kind) instructions will be very much appreciated. Thank you all.
You're able to set up HTTPS connectivity between your load balancer and your back-end servers while using the HTTP(S) load balancer. To achieve this goal you should install HTTPS certificates on your back-end servers and configure the web servers to use them. If you decide to completely switch to HTTPS and disable HTTP on your back-end servers, you should switch your health check from HTTP to HTTPS also.
To make the health check work again after removing the default firewall rule that allows connections from 0.0.0.0/0 to ports 80 and 443, you need to whitelist the subnets 35.191.0.0/16 and 130.211.0.0/22, which are the source IP ranges for health checks. You can find step-by-step instructions on how to do it in the documentation. After that, access to your web servers will still be restricted, but your load balancer will be able to use the health check and serve your customers.
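The gcloud form of the firewall setup that both the priority 500/900 answer to the first question and the answer above describe. This is an added example, not code from any of the answers. It tags one instance, allows tcp:80,443 from Google's documented load-balancer and health-check ranges (35.191.0.0/16 and 130.211.0.0/22, the two ranges quoted in the answers) at priority 500, and denies the same two ports from 0.0.0.0/0 at priority 900. Unlike the "deny all traffic" rule in the first question's answer, the deny is deliberately scoped to the web ports so that default-allow-ssh keeps working and the external IPs can still be used for SSH, which is the constraint in the question above. The instance name, zone, network and tag are assumed placeholders. DRY_RUN=1 (the default) only prints the commands; set DRY_RUN=0 to execute them against a project you are authenticated to.

```shell
#!/bin/sh
# Added example: force HTTP(S) through the load balancer with two tagged
# firewall rules, and optionally drop the instance's external IP.
# Every name below is an assumption; override them via the environment.
INSTANCE="${INSTANCE:-web-1}"                 # assumed instance name
ZONE="${ZONE:-us-central1-a}"                 # assumed zone
NETWORK="${NETWORK:-default}"                 # assumed VPC network
TAG="${TAG:-web-behind-lb}"                   # assumed network tag
LB_RANGES="35.191.0.0/16,130.211.0.0/22"      # LB / health-check source ranges from the answers
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = execute them

# Print the command line in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Attach the tag so the rules apply only to the web instances, not the whole network.
tag_instance() {
  run gcloud compute instances add-tags "$INSTANCE" --zone="$ZONE" --tags="$TAG"
}

# Priority 500: allow HTTP(S) only from the load-balancer proxies and health checkers.
allow_lb_rule() {
  run gcloud compute firewall-rules create allow-lb-and-health-checks \
    --network="$NETWORK" --direction=INGRESS --priority=500 \
    --action=ALLOW --rules=tcp:80,tcp:443 \
    --source-ranges="$LB_RANGES" --target-tags="$TAG"
}

# Priority 900 (lower number wins, so evaluated after 500): deny the same
# ports from everywhere else. Only 80/443 are denied, so SSH is untouched.
deny_direct_web_rule() {
  run gcloud compute firewall-rules create deny-direct-web \
    --network="$NETWORK" --direction=INGRESS --priority=900 \
    --action=DENY --rules=tcp:80,tcp:443 \
    --source-ranges=0.0.0.0/0 --target-tags="$TAG"
}

# Optional, the first option in the first question's top answer: drop the
# external IP entirely. The default access config is named "external-nat";
# add --access-config-name if yours differs. Not called by default because
# the question above needs the external IPs for SSH.
remove_external_ip() {
  run gcloud compute instances delete-access-config "$INSTANCE" --zone="$ZONE"
}

tag_instance
allow_lb_rule
deny_direct_web_rule
```

After applying, `curl -m 5 http://A.A.A.A/` from outside should time out while `https://www.some-domain.com/` keeps answering; the health check status under the backend service should go back to healthy within a probe interval or two.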

Azure Advisory: Web ports should be restricted on NSG associated to your VM

What can I do to fix this Advisory message?
The VM this relates to is a web server, which sits behind an Azure Load Balancer. The NSG rule that is causing this (the only non-default rule) is:
Type: Allow
Source: Service Tag - Internet, source port range = *
Destination: ASG for this VM, destination port 80,443, protocol tcp
If I remove this rule, the message disappears (after some hours) but then the internet web traffic cannot reach the VM anymore.
Should I ignore the Azure Advisory message? Or am I overlooking something? I was looking forward to getting this nice and tidy, AND have a 'satisfied' advisory state.
You can run your webserver on the VMs on different ports than 80 and 443. The load balancer can translate between port 80/443 on your public IP and whatever port you choose inside the VMs. Since Load Balancers are a fairly simple service, this is probably your only option.
As an alternative, you could try Application Gateway instead of your load balancer. It should act as the reverse proxy you need. Be aware that it is a bit more costly than the load balancer, but it also has a lot more features.
I see that your VM is behind an Azure LoadBalancer. So, the network flow might be similar to :
Then, your web server should not be public to the internet. It should only be accessible from the loadbalancer. You can set the source service tag to AzureLoadBalancer. For more information about service tags, you may check the official documentation: Service tags
Update:
On further research, the AzureLoadBalancer service tag in an NSG rule is used to allow Azure health probes. Actually, there is a default rule for allowing the load balancer to probe endpoints.
So, the suggestions are:
You should not assign public IPs to each instance. In this way, your backends can only be accessed by private IPs. In other words, clients can only access your web via the load balancer.
Add NSG inbound rules with 80 and 443 ports for web service. And 22 or 3389 port for remote management.
In this case, your servers should be secure now. If there are still any warnings, I think you may ignore them. The Azure system may just see that you opened 80 and 443 ports to public. However, your instances do not have public IP.
Hope the above would be helpful to you.
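The az CLI steps that the answers to this question and to the "Restrict inbound traffic to only come through Azure Load Balancer" question above describe, collected into one script. This is an added example, not code from either thread. It disassociates the instance-level public IPs so the load balancer's IP is the only entry point, gives the now-private VMs outbound access through a NAT gateway, terminates 80 and 443 on the load balancer while the VMs listen on 8080 and 8443, opens only those backend ports in the NSG, and publishes SSH through an inbound NAT rule instead of a per-VM public IP. Because the basic load balancer is a layer-4 pass-through, the VM still sees the client's address, so the NSG source has to be the Internet tag; what the advisory checks, 80 and 443 from the Internet, is no longer open on the VM. The resource group, load balancer, NSG, VNet, subnet, frontend, pool and NIC names are assumed placeholders, and a Standard SKU load balancer is assumed because the NAT gateway requires it. DRY_RUN=1 (the default) prints the commands; set DRY_RUN=0 to run them.

```shell
#!/bin/sh
# Added example: make the load balancer the only way in, with port
# translation, a NAT gateway for outbound, and SSH via inbound NAT rules.
# Every name below is an assumption; override them via the environment.
RG="${RG:-web-rg}"; LB="${LB:-web-lb}"; NSG="${NSG:-web-nsg}"
VNET="${VNET:-web-vnet}"; SUBNET="${SUBNET:-web-subnet}"
FRONTEND="${FRONTEND:-LoadBalancerFrontEnd}"; POOL="${POOL:-web-pool}"
NICS="${NICS:-web-1-nic web-2-nic}"           # one NIC per backend VM
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print commands, 0 = execute them

# Print the command line in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. Disassociate the instance-level public IPs: direct access is no longer possible.
remove_instance_public_ips() {
  for nic in $NICS; do
    run az network nic ip-config update --resource-group "$RG" --nic-name "$nic" \
      --name ipconfig1 --remove PublicIpAddress
  done
}

# 2. Outbound for the now-private VMs through a NAT gateway (avoids SNAT exhaustion).
create_nat_gateway() {
  run az network public-ip create --resource-group "$RG" --name nat-pip \
    --sku Standard --allocation-method Static
  run az network nat gateway create --resource-group "$RG" --name web-natgw \
    --public-ip-addresses nat-pip --idle-timeout 10
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --nat-gateway web-natgw
}

# 3. Probe on the backend port, then LB rules translating 80->8080 and 443->8443.
create_lb_rules() {
  run az network lb probe create --resource-group "$RG" --lb-name "$LB" \
    --name web-probe --protocol Http --port 8080 --path /
  for pair in 80:8080 443:8443; do
    run az network lb rule create --resource-group "$RG" --lb-name "$LB" \
      --name "web-${pair%%:*}" --protocol Tcp \
      --frontend-port "${pair%%:*}" --backend-port "${pair##*:}" \
      --frontend-ip-name "$FRONTEND" --backend-pool-name "$POOL" --probe-name web-probe
  done
}

# 4. NSG: the LB is a layer-4 pass-through, so the VM sees the real client
# address and the source must be the Internet tag. Only the backend ports
# are opened; 80/443 stay closed on the VM. Probes come from the
# AzureLoadBalancer tag, which the default NSG rule already allows.
allow_backend_ports() {
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name allow-web-backend --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes Internet --source-port-ranges '*' \
    --destination-address-prefixes '*' --destination-port-ranges 8080 8443
}

# 5. SSH to one VM through the LB: $1 = NIC name, $2 = frontend port mapped to its port 22.
publish_ssh() {
  run az network lb inbound-nat-rule create --resource-group "$RG" --lb-name "$LB" \
    --name "ssh-$1" --protocol Tcp --frontend-port "$2" --backend-port 22 \
    --frontend-ip-name "$FRONTEND"
  run az network nic ip-config inbound-nat-rule add --resource-group "$RG" \
    --nic-name "$1" --ip-config-name ipconfig1 --lb-name "$LB" --inbound-nat-rule "ssh-$1"
}

remove_instance_public_ips
create_nat_gateway
create_lb_rules
allow_backend_ports
publish_ssh web-1-nic 2201
```

Lock SSH down further with a second NSG rule that allows 22 only from your office range; the inbound NAT rule changes where the connection arrives, not who may make it.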

How to configure my Azure VM Endpoint ACL to allow connection from my Azure Webjob on the same portal

I have a WebJob on an Azure Website that needs to connect to a VM Endpoint to make REST calls.
My Endpoint is configured to deny all except my company's IP range. Now what rule would I need to add or url should I use so my webjob can connect to the endpoint?
I have tried the following without success:
Allow my website virtual IP address in the ACL
Connect to the endpoint using the internal IP instead of the DNS without changing the ACL
Connect to the endpoint using the public virtual IP instead of the DNS without changing the ACL
This works but is not what I am looking for:
Remove the current ACL and allow all
Keep the ACL but add a /16 rule with my website IP
Thank you for your help, and let me know if you need precision!
I need the same thing but it seems as though it is not possible right now. Looking at this answer on a related question:
"Azure Web Sites do not have dedicated outbound IP addresses for each deployment. This precludes you from using ACLs or Virtual Networks to connect to your Redis / Solr virtual machines."
So even though you can have a (reasonably) fixed incoming IP address on Azure Websites, the outgoing address is highly unpredictable and as far as I can see, the only exclusion that you could make was to restrict it to the entire range of IP addresses for that data centre which is far from ideal.
A solution moving forward will be to connect your Azure Website and the VM on the same Virtual Network. As of my writing this it is still in Preview so it still is not ready for production use just yet.
Here is more information on it: http://azure.microsoft.com/blog/2014/09/15/azure-websites-virtual-network-integration/
