I have a NodeJs web application running on amazon EC2 server.
Now from this node app in EC2, I have to access a database system (SqlServer) which is in the customer's in house network which can be accessed only with a VPN. What are the possible ways to do this?
Note:
- In house db cannot be exposed to public
There are a three options:
1) Expose your database publicly, and connect from your app using a secure protocol (i.e. ssl). This is probably a horrible idea, but is possible.
2) Set up a VPN between AWS and the data center where the database lives. This is a quick, easy way to set up a hybrid architecture.
3) Set up Direct Connect between AWS and the data center. This can reduce latency, provide network sovereignty, and depending on the amount of traffic between the app and the db may actually be cheaper than option 2.
You can setup a VPN between the VPC and the customers network.
ref : https://aws.amazon.com/premiumsupport/knowledge-center/create-connection-vpc/
Related
Anyone has experience regarding Network Control?
Plan to rent a dedicate server. Does any hosting company providing any of these as part of their offer? (e.g. the dedicated server is protected by 1,2,3 by default)
Network segmentation
Virtual Private Cloud (VPC)
Network Access Control List (ACL)
If not, how can I implement this?
One of the hosting company I am looking at offers ASA 5505 Firewall, would this firewall implemented any of 1,2,3 above?
I plan to run the app in Docker, data is in Mysql DB. So my plan was to install firewall on the server block all ports except 80/443 and a random port used for ssh. And set the mysql port to a non standard port, and only allow local connection to the mysql db. Is this secure enough? Or I need to implement more such as 1,2,3 above?
thanks
Recently I have been considering using MongoDB Atlas for a deployment which is fairly heavy in the DB department and also on the Node.JS server side.
Whereas I am quite familiar with the normal NAT Gateway--> VPC layout on AWS, in all my research on Atlas I have been left terribly confused about some really important specifics.
I am incredibly confused as to how to implement a NodeJS server with MongoDB Atlas. If I set up my own NAT Gateway & VPC on AWS with all the servers, replicas, shards etc. then I know exactly where my entry point is, where my NodeJS server is on that zone and how to replicate etc. But if use this scenario then I lose all the comfort and time-saving which Atlas affords me, not to mention the headaches of scalability etc.
However, in all the Atlas documentation, I can only find how it sets up Atlas on a VPC. I cannot figure out, (maybe my brain cells are not working), where in all this configuration the Node server would go? Or can one set up a NAT Gateway and VPC and then place an Atlas controlled MongoDB setup behind it?
The architecture with Atlas has me confused. Where do you set up your servers so they are also secure? Do I need to create a second NAT Gateway and VPC just for my Node server app? If so do I require VPC peering?
If this is dumb, please excuse the question. But before I begin a setup which will cost the company a good deal of money, I need to be clear on exactly what the layout is.
Thanking all who can handle this question in advance as any and all pointers here would be greatly appreciated.
MongoDB Atlas
You can create a VPC Peering Connection from MongoDB Atlas VPC to a VPC in your AWS account where you have your NodeJS EC2 instances running. Check the documentation Introducing VPC Peering for MongoDB Atlas for more details.
Your Custom MongoDB Cluster
Setting up MongoDB with best practices will require creating public and private subnets in the VPC while placing the database cluster in the private subnet. It will also involve having a NAT server in the public subnet for the MongoDB cluster to forward egress traffic keeping it secure within the VPC.
Reference: AWS Quick Start for MongoDB
However this can be challenging if you are new to AWS. To simplify the work use a AWS Quick Start for AWS Quick Start for MongoDB which will create the required architecture with best practices.
After provisioning the MongoDB Cluster, you can provision a NodeJS Web Server using one of the following options,
Using Elastic Beanstalk to place the NodeJS Servers with AutoScaling and Load Balancing with Best Practices.
Setup an Application Load Balancer, AutoScaling Group and NodeJS EC2 instance Launch Configuration inside the VPC to manually.
Create a EC2 template (Newly introduced) with required configuration.
Manually setup a server inside the VPC.
Note: If you place your NodeJS Web Servers in Private Subnet, make sure you create a public load balancer and configure the subdomains where NodeJS We Servers are allowed for load balancer as well so that it can route traffic to any subnet where the automated provisioning places the NodeJS Web Servers.
We have a client who wants to connect their premises to Azure. Their main hindrance at this point is determining the best way to connect to Azure given their current connectivity configuration. They have two redundant ISP connections going to the head office for internet access. They want to be able to configure a VPN connection to Azure that would operate in a similar way i.e. if ISP A went down it would seamlessly use ISP B and vice versa. The normal multi-site VPN configuration does not fit this since there is one local network behind which means the network behind separate VPNs over each ISP would have overlapping IP address ranges which is not supported. Is such a configuration possible? (See diagram below)
Either that or is there a way to abstract the two ISP connections onto one VPN connection to Azure.
They’re currently considering using a Cisco ASA device to help with this. I’m not familiar with the features of this device so I cannot verify if it will solve their issue. I know there is also a Cisco ASAv appliance in the Azure marketplace don't know if that could also be a part of a possible solution if they went with such a device.
required vpn configuration
The Site-to-Site VPN capability in Azure does not allow for automatic failover between ISPs.
What you could do are the following
- Have automation task created that would re-create the local network and gateway connection upon failover. Manual and would take some RTO to get it up and running
- Use the Cisco CSRs to create a DMVPN mesh. You should be able to achieve the configuration you want using that option. You would use UDRs in Azure to ensure proper routing
I havent done it in Azure, but here is what you do in AWS (And I am sure there would be parallel in Azure)
Configure a "detached VGW" (virtual Private gateway) in aws. Use DMVPN cloud to connect CSRs to multi-site on-prem.
Also, for failover between ISPs you could have a look at DNS load balancing via a parallel to AWS's Route 53 in Azure.
Reference thread :
https://serverfault.com/questions/872700/vpc-transit-difference-between-detached-vgw-and-direct-ipsec-connection-csr100
We are looking at deploying an application on azure web sites and deploying a redis and solr clusters on sets of azure virtual machines. What is the best practise for restricting access so just my azure web site can access these boxes?
We store private information in the redis and solr cluster so cannot risk allowing other azure websites access to the redis and solr clusters so allowing the complete IP range of the azure data centres is a no go.
Azure Web Sites do not have dedicated outbound IP addresses for each deployment. This precludes you from using ACLs or Virtual Networks to connect to your Redis / Solr virtual machines.
While you can filter IP traffic entering a Virtual Machine via ACL, this will only work with Cloud Services (web/worker roles) and Virtual Machines. Likewise, you can add Cloud Services and Virtual Machines to a Virtual Network, allowing you to directly access your Redis/Solr instances.
As #Itamar mentioned in his answer, you can use IP filtering on the Redis/Solr instances themselves, via the OS or within Redis/Solr as supported. You can also use an SSL connection.
Don't know about solr, but if you want a secure connection to your Redis you should consider using a secure proxy such stunnel on the website and the Redis servers (see for example http://bencane.com/2014/02/18/sending-redis-traffic-through-an-ssl-tunnel-with-stunnel)... or, just use a Redis service provider that supports SSL (e.g. http://redislabs.com ;)).
How to create 2 connected virtual machines in Windows Azure to be able to deploy Two-Tier-Architecture solution ?
Let me clarify the scenario, Currently I am using 1 virtual machines in Windows Azure where I have the SQL Server 2008 DB installed AND the ASP.NET solution.
However, I want to create a very simple Two-Tier-Architecture where the SQL Server 2008 DB is installed on Server1, and the ASP.NET solution is deployed on Server2.
So, How to accomplish that? I mean, How to connected those two separate virtual machines? And how they can work together to run one single solution?
Could you please help me out in this scenario ?
Thanks !
Seems like a lot of attention being given to Virtual Networks. That's fine, but... if all you're trying to do is create a multi-tier app with a handful of VMs working in conjunction with each other, you can simply create multiple VMs within the same cloud service (that is, they all live in xyz.cloudapp.net).
They'll all sit behind a single public IP address, but consider your case where you have a web server and a database server:
Expose ports 80 and 443 specifically for the web server(s) (you can have multiple, and load-balance the ports across these VMs
Don't expose any public ports for the database server
Once deployed to the same cloud service, each VM in the cloud service can talk directly to any other VM in the cloud service, using the host name you assigned to it.
You can also deploy your web and database tiers to different cloud services, and still communicate between them without a Virtual Network. If you open, say, port 1433 on your database server, now your web tier can simply open a connection to yourdb.cloudapp.net:1433. Of course, this means the entire world can do the same, but... you can apply an endpoint ACL (access control list) on yourdb.cloudapp.net port 1433, and allow only the public VIP of your web tier's cloud service.
You'd need a Virtual Network if your web and database tiers are in separate cloud services and you don't want any exposed ports on your data tier, and you don't want to go through the built-in load balancer.
You should utilise Virtual Networking (http://www.windowsazure.com/en-us/services/virtual-network/). Additionally you can configure the two machines as part of a single Cloud Service to ensure they are encapsulated together and available publicly via a single cloudapp.net address. Note that to benefit from the Azure SLA you should run two instances of each tier (web / DB).
Note that you can't add an existing VM to a new Virtual Network.
You can create a virtual network and then add both servers in the same network if they are on different cloud services (which is the default when using quick create). But you can't do this to servers that have been created so you will need to detach your disks create 2 new servers in the new network and then reattach your disks to the new servers.
If you are planning on using a DC then create 2 subnets in your virtual network and put your DC in one and the servers in the other as you don't want your DC getting a different IP.