Is there any way to send and primarily receive Mutual TLS authenticated requests with custom certificate in Google Cloud Platform?
I would need to receive and authorize requests from a simple custom IoT device with a Mutual TLS client certificate on the device. As it is a simple use case, I do not mind using any kind of cloud environment or language, I just need it to be on the GCP with access to my Firestore.
Thanks.
I can imagine GCP Compute engine machine with installed server, which support mutual TLS (Nginx, Apache). Eventually, you can implement mutual TLS in your app, which will be running on that machine. You can implement/use mutual TLS if you have access to TCP stack (that is not probably case for Functions and App engine, where is probably TLS offloading).
This aswer states that Google Cloud Endpoints (or actually ESP) supports mTLS, which is understandable because it's nginx-based. Also ESPv2 seems to support mTLS. I'm looking myself into using one of these options.
Related
I couldn't connect my iot device to azure iot hub to register device.
I saw some example in node.js and c# sharp client sdk. But I couldn't find for c sdk. Is it possible register device (obtain credential) from client side?
How can I connect my device to iot hub?
I tried to use this code:
https://github.com/Azure/azure-iot-sdk-c/blob/master/iothub_client/samples/iothub_client_sample_mqtt/iothub_client_sample_mqtt.c
Also I used this article for help: https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-device-sdk-c-intro
Very important: you don't want a device to create a new identity on its own in IoT Hub as that would mean that the device has credentials to manage the IoT Hub instance. This is a considerable security risk.
This is one of the main reason why we have 2 types of SDKs: service client SDKs and device client SDKs.
The service client SDKs are meant to be used in back-end applications that will manage the Hub, while the device client SDKs are meant to be used on devices. This allows to keep control of your IoT solution and prevent a rogue compromised device to start messing around with the other devices or your data.
You can actually find a C service client SDK in the C SDK repo under the folder "service" if you want to develop a back-end or management application in C.
Now, all that said, what it seems you are actually looking for is for a secure auto-registration mechanism, which is something we don't have yet on Azure IoT Hub. You can actually vote this feature up on uservoice here, as we are using this to help prioritize the upcoming features of the service.
goal: make my google cloud app ssl
used a prebuilt solution to launch an instance on google's compute engine. i need to upload ssl cert to accept credit cards & more or less do anything. i cannot find a ui or any way to ssl my app/domain with compute engine.
google's app engine has a ui to upload certs but no way to launch prebuilt solutions or transfer apps from compute engine.
also, of course, the domain is registered using google domains and the app is registered to google cloud platform under same account.
thanks -- matt
You can setup an HTTPS Load Balancer in front of your GCE instances and install an SSL certificate and key there.
https://cloud.google.com/compute/docs/load-balancing/http/
A solution which is built for Google Compute Engine likely won't work as-is on Google App Engine (App Etfite expects that you supply code written as a set of HTTP request handlers, but does not support background tasks, running your own database, etc). Since you're already fairly happy with the pre-built solution you installed, it probably makes more sense to customize that rather than replace your solution with one running on App Engine.
You have two options for getting SSL running:
You could use Layer 3 load-balancing, and install and configure the SSL certificates on your server hosts. For example, you could get a certificate from Let's Encrypt, and use their tool to install the cert if you're running nginx or apache. For other software, you'd need to install the cert manually. This is probably the most portable (to other clouds/local machine) solution, but requires that you secure your SSL certs and maintain that software.
You could create a SslCertificate resource and attach it a Layer-7 load balancer provided by Compute Engine (TargetHttpsProxy). To do this, you would set up HTTP load balancing after uploading your public and private certificate to Google. This solution can take advantage of Google's caching and scaling infrastructure and can support health checks to verify that your application is up, but the details will vary more across different service providers.
I want my AppEngine site to connect to one of my instances (Google Compute Engine ) in order to get some data from a local redis server.
How can I do that?
It seems there's no way to get a connection between AppEngine and Compute Engine within the same account/project...
Thanks!
The answer depends on what protocol your Compute Engine instance accepts :
If it accepts HTTP(S) requests, then you can use the URLFetch service to perform HTTP calls as usual. But your instance must be exposed on the internet (public IP address).
If it does not accept HTTP(S) calls, like Redis, then you will need to use the Sockets API to make outbound calls from App Engine to Compute Engine. Note that this API is in Beta.
Then there's the question of how to secure the Compute Engine instance. You cannot use an IP filter because Google won't tell you what IP your App Engine instances have.
For HTTP(S) calls, one option is to use OAuth2. App Engine instances have an OAuth2 identity embedded in the Identity service, so it is easy to generate OAuth tokens that reliably identity the App Engine instance.
For other types of protocol (MySQL, Redis, others) you will need to rely on the security provided by whatever you're running on the Compute Engine instance. For example in Redis you can require a password to access your server.
I'd like to put a Redis server on Google Compute Engine and speak to it via AppEngine's socket support. The only problem is that there doesn't seem to be a specific firewall rule that says "this AppEngine application can access this host/port and no other".
There are some rules at instance setup time that describe whether the instance has access to task queues, etc, but not the inverse.
So my question is: how can I restrict port access to a Redis service only to a single AppEngine application?
In short you can not. AppEngine is a shared IP space with all the other apps, just like shared hosting. You need to use application level authentication such as OAuth to get the proper restrictions in place.
I've been investigating what I can do with Google's Secure Data Connector and App Engine.
Is it possible, from an App Engine application, to grab resources inside my corporate intranet without using HTTP(S)?
From what I read in the documentation, the only way to request resources through SDC is by using url_fetch, which is limited to HTTP, right?
You are right that app engine does not let you to other hosts or use sockets directly except through its URLFetch API which is limited to HTTP. However, you are not stuck to traditional ports - you can use it to access ports 80-90, 440-450, and 1024-65535 (as of GAE v1.3.2).
It doesn't seem like this restriction should matter much if you are planning on using SDC - the SDC FAQ seems to indicate that it uses HTTP/HTTPS to connect to resources on your intranet anyway.