How to restrict public access to CF load balancer in AWS


王小锋
Mar 31, 2015, 4:46:44 AM
to bosh...@cloudfoundry.org
Hi there,

I am using bosh to set up Cloud Foundry in AWS. The default configuration is that the load balancer cfrouter can be accessed from anywhere on the internet.

From a security standpoint, I'd like to restrict public access to the cfrouter load balancer. There is a web security group attached to the load balancer, defined as below:

Type               Protocol   Port
HTTP (80)          TCP (6)    80
HTTPS (443)        TCP (6)    443
Custom TCP Rule    TCP (6)    4443

I tried to modify the web security group and change the 0.0.0.0/0 to my internal IP address, hoping that it could then only be accessed from my internal IP address. In addition, I also added 10.10.0.0/16, which is the private address range holding the CF deployment. After the modification, it looks like:

Type               Protocol   Port   Source
HTTP (80)          TCP (6)    80
HTTPS (443)        TCP (6)    443
Custom TCP Rule    TCP (6)    4443

HTTP (80)          TCP (6)    80     xx.xx.xx.xx/32
HTTPS (443)        TCP (6)    443    xx.xx.xx.xx/32
Custom TCP Rule    TCP (6)    4443   xx.xx.xx.xx/32

But when I tried to use cf to list the apps, which worked before the modification, it failed with the following error. I am wondering what security group I should set to restrict public access; your help is greatly appreciated!!

paas1@paas1-OptiPlex-9020:~$ cf apps

VERSION:
BUILT_FROM_SOURCE

Getting apps in org test / space test as test...

REQUEST: [2015-03-31T16:30:13+08:00]
GET /v2/spaces/190be31c-e006-4478-aa66-ec1b31ccc9ab/summary HTTP/1.1
Host: api.abc.com
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/json
User-Agent: go-cli BUILT_FROM_SOURCE / linux


RESPONSE: [2015-03-31T16:31:14+08:00]
HTTP/1.1 504 GATEWAY_TIMEOUT
Connection: keep-alive


FAILED
Server error, status code: 504, error code: 0, message:
FAILED
Server error, status code: 504, error code: 0, message:



James Bayer
Mar 31, 2015, 11:15:51 AM
to bosh...@cloudfoundry.org
Typically in this scenario we'd advise using an ELB accessible to the internet on 80, 443 and 4443 (for loggregator), with appropriate configuration for forwarding requests to the IPs of the CF Routers as the backend for the ELB. The CF Routers themselves would not be internet-accessible directly and would be in the VPC.

--
Thank you,

James Bayer

王小锋
Mar 31, 2015, 9:18:25 PM
to bosh...@cloudfoundry.org
Thanks James.

For each application that needs public access, I will create a new load balancer which can be accessed publicly.

For the cfrouter load balancer, I am considering restricting public access, because everyone can use the cf command line to connect to the Cloud Foundry environment, which might bring a security threat. Any suggestions? I am curious why the security group I configured won't work. Thanks.

王小锋
Mar 31, 2015, 9:46:28 PM
to bosh...@cloudfoundry.org
After adding the cf_nat_box IP address to the security group, it works :)
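What the working security group from this thread has to contain, written up as an added audit script (example code, not from the thread, BOSH or Cloud Foundry). It assumes input in the shape of `aws ec2 describe-security-groups` output; the VPC range 10.10.0.0/16 is the one from the thread, every other address is a placeholder.

```python
# Added example: flag cfrouter security group rules still open to 0.0.0.0/0
# and check that every source the thread needed is present: the operator's
# own address, the VPC range holding the CF deployment, and the public
# address of the NAT instance (cf_nat_box), since CF components reach the API
# via the public ELB name and so arrive from the NAT box, not from 10.10.0.0/16.
import ipaddress

ROUTER_PORTS = (80, 443, 4443)  # HTTP, HTTPS, loggregator (as in the thread)

# Constructed sample group; all addresses except 10.10.0.0/16 are placeholders.
SAMPLE_GROUP = {
    "GroupName": "web",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # still world-open
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "10.10.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 4443, "ToPort": 4443,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "10.10.0.0/16"}]},
    ],
}
# Operator workstation, CF VPC, NAT box public IP (placeholders).
REQUIRED_SOURCES = ("203.0.113.10/32", "10.10.0.0/16", "198.51.100.7/32")


def sources_for_port(group, port):
    """Return the set of CIDRs allowed to reach `port` over TCP."""
    allowed = set()
    for perm in group["IpPermissions"]:
        if perm["IpProtocol"] not in ("tcp", "-1"):  # "-1" means all traffic
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if lo <= port <= hi:
            allowed.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return allowed


def audit(group, required=REQUIRED_SOURCES, ports=ROUTER_PORTS):
    """List policy violations; an empty list means the group is as intended."""
    findings = []
    for port in ports:
        nets = [ipaddress.ip_network(c) for c in sources_for_port(group, port)]
        if any(n.prefixlen == 0 for n in nets):
            findings.append(f"port {port}: open to the whole internet (0.0.0.0/0)")
        for src in required:
            need = ipaddress.ip_network(src)
            if not any(need.subnet_of(n) for n in nets):
                findings.append(f"port {port}: missing required source {src}")
    return findings
```

Running `audit(SAMPLE_GROUP)` reproduces the thread's failure mode: 443 and 4443 are closed to the NAT box, so the CF VMs' own requests to the API time out with a 504 at the ELB.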

Dr Nic Williams
Mar 31, 2015, 10:20:18 PM
to bosh...@cloudfoundry.org
Perhaps a model like https://blog.starkandwayne.com/2014/10/31/public-and-private-microservices-on-the-same-cloud-foundry/ could be used to restrict access to the system domains too.