I have a rails application deployed on google app engine. I visit myapp.com/resque with a local redis server running and it works. When doing this in production, I cant seem to connect. I have a redis vm instance deployed on google compute engine and I cannot redis-cli -h 123.123.123:6379 into it on any of the servers. It only returns Could not connect to Redis at 11.111.11.1:6379: Connection refused. I've tried using both the internal and external IPs and no luck.
I had the same issue.
It was due to bind in redis conf. By default redis was binded to only 127.0.0.1
It's in redis.conf file
bind 127.0.0.1
As mentioned in redis security link its there so that only trusted clients are allowed to connect and by default its only localhost
Related
I have a sails js app running on App Engine and a Cloud SQL instance that App Engine is supposed to talk to. I am using the following configuration with Sails v1.0 app:
adapter: 'sails-mysql',
socketPath: `/cloudsql/${process.env.INSTANCE_CONNECTION_NAME}`,
user: process.env.SQL_USER,
password: process.env.SQL_PASSWORD,
database: 'parsley'
All of the env variables are passed correctly but I still get this error:
name=AdapterError, adapterMethodName=create, modelIdentity=admin, name=Exception, code=badConnection, exit=badConnection, errno=ECONNREFUSED, code=ECONNREFUSED
If you are testing the code using the Cloud Shell and using a Cloud SQL Proxy:
Start the Cloud SQL Proxy in a Cloud Shell tab and leave the tab opened
Open a new tab. Try to connect from App Engine to Cloud SQL.
As described here:
Your application communicates with the proxy with the standard
database protocol used by your database. The proxy uses a secure
tunnel to communicate with its companion process running on the
server.
If you don't leave the Cloud SQL Proxy running in a tab, the secure tunnel is not created and is not possible to access Cloud SQL.
There are other issues that can cause this problem but according to the research I did "googling" the error, this looks like the most common.
I have a dotnet core 2.0 application running in Google App Engine Flexible Environment. Within the same Google project I have a Cloud SQL - MySQL database. On the Cloud SQL Instance details page, under the Authorizations tab, it states
Apps in this project: All authorized.
However, I cannot access the database from my application unless I add the 0.0.0.0/0 route to the Authorized networks section.
What can I do to give my application db access without opening my database to the world?
Update 2018-05-21 from Jeffery Rennie (accepted answer)
App Engine now supports connecting to a Cloud SQL instance using a port number instead of a unix domain socket. So now, you can add something like this to your app.yaml:
beta_settings:
cloud_sql_instances: "your-project-id:us-central1:instance-name=tcp:5432"
And specify Host=cloudsql in your connection string in your appsettings.json:
"ConnectionString": "Uid=aspnetuser;Pwd=;Host=cloudsql;Database=visitors"
In the sample above, the port is 5432, which is the default port for a PostgreSQL database. For a MySQL database, use port 3306.
A full example with instructions for deploying to App Engine can be found here:
https://github.com/GoogleCloudPlatform/dotnet-docs-samples/tree/master/appengine/flexible/CloudSql
The ideal solution is to use a unix domain socket to connect from your app engine instance to Cloud SQL. That's how other programming languages like Python and PHP do it. Unfortunately, the MySQL connector does not work with domain sockets. I see no reason why it can't, but it doesn't. I hope they fix that issue soon.
As described in https://cloud.google.com/appengine/kb/#static-ip,
Note that using static IP address filtering is not considered a safe
and effective means of protection. For example, an attacker could set
up a malicious App Engine app which could share the same IP address
range as your application. Instead, we suggest that you take a defense
in depth approach using OAuth and Certs.
If certificates are not sufficient to protect your application, then the only remaining option I see today is to build a custom runtime that runs the Cloud SQL Proxy. The proxy can forward a local ip port number to a unix domain socket. If you have built a docker image or two, then it's not too bad.
I will update this answer as the situation improves.
Update 2018-05-21
App Engine now supports connecting to a Cloud SQL instance using a port number instead of a unix domain socket. So now, you can add something like this to your app.yaml:
beta_settings:
cloud_sql_instances: "your-project-id:us-central1:instance-name=tcp:5432"
And specify Host=cloudsql in your connection string in your appsettings.json:
"ConnectionString": "Uid=aspnetuser;Pwd=;Host=cloudsql;Database=visitors"
In the sample above, the port is 5432, which is the default port for a PostgreSQL database. For a MySQL database, use port 3306.
A full example with instructions for deploying to App Engine can be found here:
https://github.com/GoogleCloudPlatform/dotnet-docs-samples/tree/master/appengine/flexible/CloudSql
While you are not wrong that "apps in this this project: All authorized" seems to suggest you can out-of-the-box just use your App Engine app with Cloud SQL, but there are limitations.
First of all, your Cloud SQL needs to be a 2nd generation instance, and secondly, there are specific instructions that's dependent on the language you use and the App Engine type (standard or flex).
If your situation fit all the requirements, it should work.
For your specific use case, you need the .Net instructions, it does say you need to add a network with 0.0.0.0/0 access and an user account. The user authentication + SSL should provide the security you need.
We plan to use Appengine for our Node.JS REST-API which will serve content for our customers. The data will come from a MOngoDB Cluster (or Replicaset), which will also be hosted on Google Cloud Services. Some of the contents might be cached using the Memcache of AppEngine.
Now my question. Is it neccessary to setup a kind of VLAN or similar, to connect to the DB server? How can we assure that the DB server is connected with a good bandwidth / latency to the AppEngine instances? Or is this no matter of concern at all?
Another question, does Google Cloud have a kind of internal DNS, which can be used? So for example that we have a domainname like "ourmongodb.internal" which can be used in connection string of our REST API? Or how is the most recent approach to connect to our DB server instance?
If you use app engine flex you can setup your nodejs app engine server and the GCE VMs that run the mogoDB cluster in the same network and than connect them both in the internal IP space.
The current setup,
Google Compute Engine running Windows Server 2012 (GCE Server 2012)
Google Compute Engine running Debian Wheezy (GCE Server Wheezy)
GCE Server 2012 has one open port, tcp 3389 to GCE Server Wheezy
GCE Server Wheezy is running Guacamole with NLA enabled and Tomcat 7 and is working off x.x.x.x:8080/guacamole/
So I have, what I hope, is a secure connection between GCE Server 2012 and GCE Server Wheezy. Now I want to be able to access x.x.x.x:8080/guacamole/ securely, but the setup with SSL has been difficult.
What I want to know is if it's possible to access GCE Server Wheezy through Google App Engine, which already has great SSL protection. Essentially, I would like to be able to open one port and IP address (range) and/or some sort of internal connection between a GCE website and GAE, and then access everything through GAE. My assumption is that since traffic from GCE and GAE never leave Google's internal infrastructure and they are tied only to each other, this would be an easy and affordable way to add powerful SSL encryption to my Guacamole/Tomcat setup.
Alternative ideas to easily add SSL to my setup would also be greatly appreciated.
Setup the HTTP Load balancer and you're set in a few mouse clicks...
HTTP/HTTPS load balancing provides global load balancing for incoming
HTTP or HTTPS requests, allowing these requests to be sent to
different sets of backends based on patterns in the URL. HTTP requests
can be load balanced based on port 80 or port 8080. HTTPS requests can
be load balanced on port 443. HTTPS load balancing also supports SPDY
and HTTP/2. HTTP/HTTPS load balancing does not support WebSocket.
See https://cloud.google.com/compute/docs/load-balancing/http/
On Heroku it says that "Apps can connect to Heroku Postgres from Heroku, Google App Engine,...", but how is that possible if App Engine only allows http connections?
App Engine recently added support for Sockets, see:
https://developers.google.com/appengine/docs/python/sockets/
https://developers.google.com/appengine/docs/java/sockets/
Thus is should be possible to use either a pure-Python or pure-Java Postgres client to connect to a Postgres instance.