Heroku and ip mask - security

I'm building a shopping site which uses a service which allows credit card payments (tranzilla); the service requires an IP or IP mask from which it will allow requests (by sockets). The problem is that I'm using heroku as hosting, which is decentralized...
Is there any way to do this? (except buying the custom ssl add-on, which is my last resort and not the best solution)
P.S. full IP mask is not acceptable.

There is now a new Heroku add-on called Proximo that gives you a static outbound IP address to connect to services with IP whitelists! At this time it's in private beta, and there is no pricing info available yet, but it seems like a promising solution: https://devcenter.heroku.com/articles/proximo

Yes, you can use a hosted VPN service to maintain a static IP address from which to contact tranzilla. A proxy server might also work; however, using a public proxy server would be a bad idea.

You can also use Apigee to wrap the API in question - http://app.apigee.com/, and make your API call through Apigee instead of directly to the API in question. Then enter the IP that the Apigee call comes from, and you're set.

Related

Azure - a simple reverse proxy with static IP

I am struggling to have a simple service acting as a reverse proxy in Azure.
I need it because the API that I want to communicate with uses IP whitelisting. That's why I want to set up a reverse proxy service with a static IP. My application (whose IP cannot be static) would communicate with the target API via the reverse proxy.
With some research I found the following options:
Creating a Web App with some custom IIS config - I'm not sure if that's still valid, because the guides I found are pretty old
API Management - that seems pretty heavy and I've heard it's not going to be easy to configure
Application Gateway - that requires a VNet, which I do not even need.
Azure Function with Proxy - I think that option is no longer available with Functions V4. What's more, I would have to also set up NAT Gateway to have a single outbound IP. That seems overly complicated.
Creating a custom Web App with code that does the proxy logic
All these options seem to be too complicated for a simple task that I need. Basically, I want to have a public reverse proxy: when I hit https://my-reverse-proxy.com/*, the proxy would return data from https://my-whitelisted-api.com/*.
Is there any easier alternative?
Most of the Azure services where you host your app have a single outbound IP or a range of outbound IP addresses that can be whitelisted, but it's hard to know if that works in your case as you did not mention in which Azure service you host your app.
A generic solution could be that you provision an Nginx proxy in Azure Container Apps. Then you will have the Container Apps Environment public IP address as the outbound IP to whitelist. Beware though that anyone can call your proxy from any IP, which means that you are completely disabling the protection they put in place by whitelisting IPs and opening up their API to the whole world. So without knowing your circumstances, this would probably not be recommended.

Use CloudFlare so I can access website hosted in Azure via IP Address

I am very new to Cloudflare. So please bear with me. I need to access my website (hosted in Microsoft Azure - App Services) via IP address instead of the domain name.
To do this, I need to add HOST=www.mydomain.com into the HTTP header when requesting the website via IP address.
I heard it can be solved via Cloudflare, but the person I asked will not elaborate further. Is it possible? If yes, what service should I purchase? Any manual or instruction will be appreciated.
If Cloudflare isn't possible, do you have any service recommendations?
Thanks :)
The reason the host header is needed is because Azure App Services are multi-tenant (multiple apps on a single IP) by default. So, the server needs some way to know where to route your request to (the host name). In addition, IPs are not guaranteed to be static (they can change as you scale for instance).
It should be possible to secure a single static IP address using the following method -
https://learn.microsoft.com/en-us/azure/app-service/overview-inbound-outbound-ips#get-a-static-inbound-ip
What is unclear is whether or not this IP would also be dedicated (meaning only your domain would use it). This is what would be required in order to allow you to access the app service without a hostname specified.
Cloudflare will not solve this issue, as it sits at the DNS layer (domain name access). Accessing a server via IP would bypass Cloudflare entirely.

Design routing for Office 365 and Azure Express Route

Upon reading Azure documentation I still cannot figure out if we can design routing for our Express Route in the way described below.
We are planning to use one proxy server (with one public IP) for all O365 traffic (dedicated only for O365). Obviously, some of the O365 traffic can and should use ER, but some needs to use the internet (CDN, DNS, etc).
The goal is to announce the proxy server IP toward ER as a /32 and toward the internet as a /22.
My concern is "asymmetric routing". Can this type of routing create a problem when Microsoft sends traffic to our proxy server via the ER while the egress path from our AS lies via the internet?
PS. I am aware that some of the traffic should not be "proxied" or undergo DPI. That's a security requirement.
You should not have any trouble with the configuration, given that you are using 2 different address spaces/CIDRs of public IPs provided by your ISP.
The /32 public IP will be advertised to Azure Microsoft Peering over the ExpressRoute via BGP. Azure, on the other hand, would advertise the public IPs of the services that you are using, which can be controlled via Route Filters. Note: the ASN and public IP need to be validated for the NAT.
Coming to the asymmetric aspect that you are concerned about: the O365 services will not propagate the routes to other non-O365 services such as Storage/CDN/DNS.
That said, whatever is coming from the /22 CIDR will be serviced by the non-O365 services and will go over the internet.
The fear for asymmetry occurs when you are consuming the O365 services over the internet instead of consuming them over the express route. Then, there are chances of asymmetry.
Instance 1:
CIDR /22 advertised to Azure over ExpressRoute and you accidentally consume the O365 services over the internet. Since, within the O365 cloud, the route is populated to use the ExpressRoute, the return traffic from Azure will come over the ExR circuit. This would be labeled as an asymmetric route.
I hope I have clarified your doubt about the architecture. Let me know if you have any further questions as you proceed with this configuration.

How to block specific IP address in Bluemix?

I want to block some IP addresses from accessing my website, which is hosted over IBM Bluemix with Node.js runtime.
However, I don't know how I can block the list of IP addresses there. The only solution I came up with is not to configure it on Bluemix but to write it in my Node.js app, like:
function(req, res) {
    req.ip // use this property to diverge, depending on the user's IP address
}
However, I would like to get it done on Bluemix part, not on my node.js app. Is it feasible to do it?
For your information, this was not feasible in Heroku, another PaaS. Maybe it is feasible in AWS, an IaaS, right?
Blocking specific IP addresses is not possible as part of your described scenario. This is related to any PaaS as they are dealing with apps and services, not the network infrastructure itself.
There are slightly more options when operating on Bluemix Dedicated or Bluemix Local. The Secure Gateway service has options for blacklisting IP addresses, but that feature is used to secure your on-prem resources, not the app.

Dynamic Hostname resolving for DNS based on availability

I have two servers that provide a service to clients.
The client devices access the server through a DNS name. example.com
Now we generally use server1 (primary), but if server 1 becomes inaccessible, I want the DNS to change its resolving name to server 2 (the secondary server).
How can I go about doing this? Is there a service that dyndns provides?
The only way I know to do it is to log into the DNS server and manually change the addresses that the DNS resolves to.
It sounds like you're looking to create an automated failover in the event of an outage. While this is a service that Dyn provides as an added service in the DynECT Managed DNS service (hit up sales#dyn.com for more info on that), you can also use the Dyn Updater API to push an IP update up to your Standard DNS account as well. It would be a matter of using a 3rd party monitoring solution to trigger the update in your code using their API, then using the Dyn Updater API to switch the IP.
http://dyn.com/support/developers/api/
Whether you want to spend the money on upgrading to DynECT Managed DNS or keep using your Standard DNS account, we can help you either way.
Good luck, and if you have any other questions, please do not hesitate to ask.
CL
