I have a question regarding IP addresses in Google App Engine. I know there is no way to have a static IP address, but my client has set up a custom domain with some IP addresses showing up. My problem is:
There is an endpoint (API) that they are connected to; the problem is that the destination requires the IP address and port to be opened in their firewall policy. Since there is no "Static IP" on Google App Engine, can I use those IP addresses shown under "data" in Google App Engine in Custom Domains?
Because when I enter the domain in my web browser I see the same IP listed in Custom Domains. Can I send over those IP addresses rather than the pool of IPs returned by running:
nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8
Because those domains listed in nslookup are not shown in the network (remote address).
Thanks!
The result of running nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8 is not static. Google may introduce new _cloud-netblocks entries at any time.
In the Google Cloud documentation section Static IP Addresses and App Engine apps is the recommended approach to retrieve the IPs. You will have to run:
nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8
And then, from the response, you'll have to query each of the _cloud-netblocksN listed. Let's take this query response as an example:
Non-authoritative answer:
_cloud-netblocks.googleusercontent.com text = "v=spf1 include:_cloud-netblocks1.googleusercontent.com include:_cloud-netblocks2.googleusercontent.com include:_cloud-netblocks3.googleusercontent.com ?all
There are 3 _cloud-netblocksN listed, so you'll have to query them:
nslookup -q=TXT _cloud-netblocks1.googleusercontent.com 8.8.8.8
nslookup -q=TXT _cloud-netblocks2.googleusercontent.com 8.8.8.8
nslookup -q=TXT _cloud-netblocks3.googleusercontent.com 8.8.8.8
The SPF records returned from the query of each of those above entries will be IP ranges that you can use for App Engine.
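An added example (not from the answer or from Google) that walks the include: chain the answer describes: a constructed set of TXT records using documentation prefixes, not the real netblocks, stands in for DNS so it runs offline, and the nslookup_resolver runs the answer's nslookup command live if you pass it instead.

```python
import ipaddress
import re
import subprocess

# Constructed TXT records shaped like the ones the answer queries; the
# prefixes are documentation ranges, not Google's real netblocks.
SAMPLE_TXT = {
    "_cloud-netblocks.googleusercontent.com": [
        "v=spf1 include:_cloud-netblocks1.googleusercontent.com "
        "include:_cloud-netblocks2.googleusercontent.com ?all"],
    "_cloud-netblocks1.googleusercontent.com": [
        "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 ?all"],
    "_cloud-netblocks2.googleusercontent.com": [  # includes netblocks1 again
        "v=spf1 ip4:198.51.100.0/25 include:_cloud-netblocks1.googleusercontent.com ?all"],
}

def sample_resolver(name):
    """Offline stand-in for DNS: returns the constructed TXT strings."""
    return SAMPLE_TXT.get(name, [])

def nslookup_resolver(name, server="8.8.8.8"):
    """Live variant that runs the answer's nslookup command (needs network)."""
    out = subprocess.run(["nslookup", "-q=TXT", name, server],
                         capture_output=True, text=True, check=False).stdout
    # nslookup prints long TXT records as several quoted chunks on one line.
    return ["".join(re.findall(r'"([^"]*)"', line))
            for line in out.splitlines() if "text =" in line]

def collect_netblocks(root, resolve, max_lookups=10):
    """Follow include: terms from root and return every ip4:/ip6: prefix, validated
    with ipaddress. Repeated names are skipped; more than max_lookups names (the
    RFC 7208 SPF limit) is reported as an error instead of an endless chain."""
    seen, blocks, pending = set(), set(), [root]
    while pending:
        name = pending.pop()
        if name in seen:
            continue
        if len(seen) >= max_lookups:
            raise RuntimeError(f"more than {max_lookups} include: lookups from {root}")
        seen.add(name)
        for record in resolve(name):
            if not record.startswith("v=spf1"):
                continue  # ignore unrelated TXT records on the same name
            for term in record.split():
                if term.startswith("include:"):
                    pending.append(term[len("include:"):])
                elif term.startswith(("ip4:", "ip6:")):
                    blocks.add(str(ipaddress.ip_network(term.split(":", 1)[1], strict=False)))
    return sorted(blocks)
```

Re-run it on a schedule and diff the output, since the answer notes the record set is not static.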
The static IP address for AppEngine is now* possible using serverless NEG with Load Balancer.
See more on https://stackoverflow.com/a/62660953/4185100
Using this method, it is also possible to configure multiple domains/sub-domains with an HTTPS load balancer that points to internal serverless resources (different App Engine services, Cloud Functions, etc.).
I read into this article:
How to properly configure VPC firewall for App Engine instances?
This was a huge help in getting the firewall set up in the first place, so for those who have found this and are struggling with that, follow along. https://cloud.google.com/appengine/docs/flexible/python/using-shared-vpc is a good reference, as there are some accounts that need permissions "added" to make the magic happen.
My issue - I have two containerized services running in AppEngine one default (website), one API. I've configured the API to run in a VPC/subnet separate from the default created one. I have not made any changes to the firewall settings directly hanging off the App Engine settings as those are global, and do not let you target a specific instance - and the website needs to remain public, while the API should require whitelisting access.
dispatch.yaml for configuring subdomain mapping:
dispatch:
  - url: "www.example.com/*"
    service: default
  - url: "api.example.com/*"
    service: api
API yaml settings:
network:
  name: projects/mycool-12345-project/global/networks/apis
  subnetwork_name: apis
  instance_tag: myapi
Create a VPC network
name - apis
subnet name - apis
creation mode - automatic
routing mode - regional
dns policy - none
max MTU - 1460
Add firewall rules
allow 130.211.0.0/22, 35.191.0.0/16 port 10402,8443 tag aef-instance priority 1000
deny 0.0.0.0/0 port 8443 tag myapi priority 900
allow 130.211.0.0/22, 35.191.0.0/16 port 8443 tag myapi priority 800
This works, but I cannot specify the "white list IP".
If I do the following and disable the "allow 130 / 35 networks 8443/800" rule:
allow my.ip.number.ihave port 8443 tag myapi priority 800
it never trips this rule; it never recognizes my IP.
What change do I need, or how do you configure the firewall in the VPC so it receives the public IP? When I reviewed the logs, it said it denied my request because my IP address was 35.x.x.x.
I would recommend contacting GCP support in that case. If I'm not wrong, you can directly whitelist the IP addresses at App Engine level, but it's not a standard procedure.
I tried using these guides:
https://cloud.google.com/dns/quickstart
https://cloud.google.com/dns/migrating
When I ping my domain, I get a response from my compute-engine external IP address, but my WebApp is not loading.
Am I missing something? I get ERR_CONNECTION_REFUSED
There is not enough information to definitely say what the issue is, but here are some suggestions to troubleshoot.
Have your registrar's name server records been updated?
Make sure the following consistently returns Google's name servers for your zone:
$ dig +short NS example.com
Have Google's name server propagated the change?
List your Google name servers -
$ gcloud dns managed-zones describe examplezonename
Verify they have propagated -
$ dig example.com @your_zone_nameserver
Are your A and CNAME records set correctly?
Next you should verify that the DNS reply returns the correct A and CNAME entries.
$ dig example.com A
$ dig example.com CNAME
Have you configured your IP and Firewall settings correctly?
You can follow the troubleshooting guide here or update your question with more details.
It appears that your web server may not be set up correctly and there does not seem to be any process listening on either port 80 or 443.
$ nmap queguia.com
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-03 12:16 PDT
Nmap scan report for queguia.com (35.184.29.62)
Host is up (0.15s latency).
rDNS record for 35.184.29.62: 62.29.184.35.bc.googleusercontent.com
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
443/tcp closed https
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 10.21 seconds
Caveats
Please also keep in mind that DNS entries are cached and it can take some time for your changes to take effect.
Pings of your external IP are most likely answered by a load balancer and not your instance specifically.
Google Enterprise Support:
All App Engine services run by default at domain.appspot.com. In order to map your service to your own domain name, please read the following article: https://cloud.google.com/appengine/docs/standard/python/console/using-custom-domains-and-ssl
I have a couple of CentOS 6 VMs that I am trying to set up. I assigned static IPs to them, but when running ifconfig I do not see the external IPs, just the internal IPs. Does Google not allow this capability?
In addition to what Anderson said, this is the command to query for the external IP from the instance itself:
curl "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip" -H "Metadata-Flavor: Google"
DHCP only supports requesting a single address. Google Compute Engine returns the internal IP address via DHCP, and maps the external assigned IP addresses to the VM using NAT.
If you want to fetch the assigned IP address from inside the VM, you could query the metadata server for that information.
I am using Solr 4.8.X and need help getting around https://issues.apache.org/jira/browse/SOLR-4470
(Basic HTTP auth for SolrCloud nodes)
Is there a way to white-list certain IP addresses in Jetty 8/Solr so that they do not require basic HTTP authentication? I have set up an auth-constraint under security-constraint in webdefault.xml, but that affects all users regardless of IP address.
I would like to set it up so that the IP addresses of other Solr nodes do not have to go through basic HTTP authentication while every other IP address does.
Thanks!
I'm using Nginx as a proxy to filter requests for my App Engine Java application. GAE's location services (X-AppEngine-Country header) work great without the proxy, but now GAE is using the proxy server's IP as the client IP, and the X-AppEngine-Country header is quite useless: it returns "ZZ" as the country code.
I know that the header is determined by the client IP, as mentioned here:
"X-AppEngine-Country -
Country from which the request originated, as an ISO 3166-1 alpha-2 country code. App Engine determines this code from the client's IP address. "
The problem is that I don't know from what data this header is derived. I used Nginx modules to set the client IP in the X-Forwarded-For, Remote_Addr and Http_Client_IP headers, but apparently the X-AppEngine-Country header is derived from somewhere else.
How can I provide GAE the client IP so it can retrieve the correct country code from the original IP?
You already provided all the info needed for the answer: "...App Engine determines this code from the client's IP address". So they actually look at the IP from where the connection was made.
Since your proxy sits between the client and AppEngine, AppEngine sees connections coming from proxy IP. No way around it.