I'm building an AWS Lambda function that pulls info from the Google Calendar API using Node.js. The Node application then sends an html response to a third party application. I'm basically following this guide from google, except I'm sending the html somewhere else to be rendered. I keep running into an error where Google tells me I haven't whitelisted the javascript origin coming from Lambda. Here's the error text:
{error: "idpiframe_initialization_failed", details: ""Not a valid origin for the client: https://<Lambda URL>.execute-api.us-west-2.amazonaws.com has not been whitelisted for client ID <My_Google_API_Client_Id>.apps.googleusercontent.com. Please go to https://console.developers.google.com/ and whitelist this origin for your project's client ID."}
I've gone into the Google API developer console and whitelisted that URL, but I'm still getting that error. Here's a screenshot.
I've tried whitelisting "us-west-2.amazonaws.com" as well with no luck. Thanks!!
You'll need to whitelist Lambda's IP addresses, you can't whitelist based on domain name. You can view the current list of IP addresses here: https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
You note your request is coming from us-west-2 so you could whitelist the IPs from that region only by looking for entries matching that region. 122 by my count so thats a pretty big job!
Otherwise, you could look at setting up a NAT within a VPC and using a IP against that to whitelist that sole IP?
White list AWS Lambda functions' subnet NAT gateway elastic IP address. Follow the article.
Related
Randomly without any warning a request to be routed to a backend process returns a 503 error. After looking into it it looks like a "DNSNameNotResolved" get returned when forwarding the request.
I tried looking around but could not find out why this happens. The appears to be no problems when routing to the backend. I also can't find the request on the Backend at all. The backend is an Azure API-M service.
When one machine has to connect to another machine, it has to perform
DNS name resolution.
The Error indicates that APIM wasn't able to convert the hostname of the backend (e.g. contoso.azurewebsites.com) to an IP address and couldn't connect to it.
The most frequent cause for this error is using an incorrect hostname while setting up the API configuration
Refer the common network configuration issues on APIM
:https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet#-common-network-configuration-issues
You may try by DNS resolution by refering : https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway#set-up-custom-domain-names-in-api-management
Along with the DNS configuration
:https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain#dns-configuration
Also check if the Public IP address of APIM service is unchanged
:https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-ip-addresses#changes-to-the-ip-addresses
Other References:
Tutorial to add custom domain to your front door-
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain
Troubleshoot Azure Front Door configuration problems- https://learn.microsoft.com/en-us/azure/frontdoor/front-door-troubleshoot-routing
So according to Microsoft, the TTL on the DNS records on Front-Door is really short and thus it is very DNS aggressive, this falls within the 99.9% uptime. When this falls within the said uptime they will look into adjustments for Front-Door.
I have one azure function which call clients api.
Client want a azure function ip address to whitelist them in there api network so that my azure function can access there api.
I tried to give them all Outbound Ip Address I can get from azure function properties but i can see everytime im getting all new ip address.
How to get all possible ip address which i can give client to whitelist pls advice.
For production im using App Service Plan (S1: 1)
You can do this. There are different possibilities depending on the pricing tier. From not possible at all, to possible but may change, to possible and guaranteed that IP address will not change.
The bad news is that, possible and guaranteed that IP address will not change, requires using the isolated tier.
See: https://learn.microsoft.com/en-us/azure/azure-functions/ip-addresses#dedicated-ip-addresses
I suggest you look into using service tags: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags
/MMT
I have a NodeJS Rest API that is deployed on AWS throught Serverless, which automatically creates a Lambda function and a API on API Gateway for me.
Every time I try to make a HTTPS request to any external APIs, I get an error from API Gateway (502 - Internal Server Error), even thought everything works fine when I'm testing in my local PC. And the error only happens if I call the route that makes the external request, so I'm sure that's the problem.
I've already activated API Gateway logs with Cloudwatch (following this post), but the only important log I get is Endpoint response body before transformations: {"errorMessage":"2020-10-21T18:34:14.038Z 4cf0e078-fec9-4b9c-a199-26216a3951aa Task timed out after 6.01 seconds"} (complete logs in that image). The Lambda logs are less detailed, but here they are.
I also have set up a VPC and a Security Group for my Lambda function. My Security Group already alows all trafic for both inbound and outbound rules. My VPC may be the problem, since I don't understand very much about subnets and the configurations I got there. These are my Lambda VPC configurations.
Can someone tell me what's the problem? I'm available to add any more information that you may want/need.
--------- Edit 1:
I tried to follow the steps of this post, but it didn't work. Let me explain everything I did:
First of all, I created a NAT Gateway to my VPC and a new Route Table with the 0.0.0.0/0 destination routed to this NAT Gateway. Then I created a Public Subnet, assigned the new Route Table to it and turned on the Enable auto-assign public IPv4 address option. Finally, I assigned this new Public Subnet to my Lambda function, but the error was still there. I also tried to remove the Public Subnet from the Lambda function, 'cause someone said it would work on the post, but it still didn't work.
The only thing I couldn't do was to set my new Public Subnet as a default subnet. I don't know if it was a core thing to do and if it only didn't work because of that.
Am I forgetting something?
I just solved it.
I kept searching on the internet for possible solutions and I found this link that has a video on the right corner (right there) with the perfect tutorial.
The problem was that I only had Subnets connected to a Internet Gateway and no Subnets to a NAT Gateway, like #MarkB said. But I tried to solve it by changing my only 3 Private Subnets, that were assigned to both Lambda and RDS, to connect only with the NAT Gateway and ended up removing the Internet Gateway assignment from my RDS's.
I decided to create 3 new Private Subnets ONLY for my Lambda Functions, those connected to the NAT Gateway, and 1 Public Subnet, connected to the Internet Gateway. The previous Subnets that I already had were intact in the end, and it fits just well.
I have an .Net Core app published on Azure, the webapp has an endpoint that is publicly accesible.
When creating an HTTP POST request using the full url {azure-url}/results it works as expected. However a client needs to use this endpoint but his system transforms urls into IP addresses before creating a request (not sure why to be honest).
I've checked through Azure properties which is the IP address of the webapp which also matches when doing a nslookup. Problem is that when I replace the url with the IP address and make a request it returns 404.
Has anyone experienced something like this? I wonder if it's related to some Azure configuration I'm not aware of.
Azure App Service is a multi-tenant service. Meaning that other apps may share the same servers and thus the same inbound IPs. In order for your request to be routed properly to your app, it needs the domain name, not just the IP.
There is a way to get a static inbound IP by using a custom domain. I haven't tried that but I would assume even then you will not be able to call the service on that IP.
I am trying to whitelist an IP address for my Google App Engine, I am currently using express-ipfilter for whitelisting selected Ip's, but the thing is, it is not working as from whichever IP I will hit, my API express-ipfilter is always showing
Access denied to IP address: 172.XX.X.X
There is also a firewall-rules section in App Engine but there is no option for providing the URL for the API which I am doing whitelisting?
I think this error is coming because as App Engine uses Nginx Behind the Web Server, also Ip Address coming is (172.XX.X.X)(Which means Ip is Public to Google Cloud).
Is there any inbuilt Google App Engine feature for whitelisting, or why my express-ipfilter is not working. Can anyone Please help me.
Thanks
Actually, the thing is In App Engine requests does not comes directly to App Engine therefore in order to see the IP of the client we have to look for req.get("X-Forwarded-For") Header field, it is an array of Ip's so we have to check the first IP which is the client IP and if that matches the desired IP then we can do our work.
See the documentation here nodejs/reference/request-headers