
GCP: Allowing Public Ingress Web Traffic from the Load Balancer ONLY

Disclaimers: I come from an AWS background but am relatively very new to GCP. I know there are a number of existing similar questions (e.g., here and here etc.) but I still cannot get it to work since the exact/detailed instructions are still missing. So please bear with me as I ask this again.

My simple design:

Public HTTP/S Traffic (Ingress) >> GCP Load Balancer >> GCP Servers

The GCP Load Balancer holds the SSL Cert. It then uses Port 80 for the downstream connections to the Servers. Therefore, LB to the Servers is just HTTP.

My question:

How do I prevent the incoming HTTP/S Public Traffic from reaching the GCP Servers directly? Instead, only allow the Load Balancer (as well as its Healthcheck Traffic)?

What I tried so far:

I went into Firewall Rules and removed the previously allowing rule for Ports 80/443 (Ingress Traffic) from 0.0.0.0/0. Then I added (allowed) the External IP address of the Load Balancer.

At this point, I simply expected the Public Traffic to be rejected but not the Load Balancer's. But in reality, both seemed to be rejected. Nothing reached the Servers anymore. The Load Balancer's External IP did not seem to be recognised.

Later I also noticed the "Healthchecks" were not recognised anymore either. Therefore the Healthchecks couldn't reach the Servers and failed. Hence the Instances were dropped by the Load Balancer.

Please also note that I cannot pursue the approach of simply removing the External IPs on the Servers. (Although many people say this would work.) We still want to maintain direct SSH access to the Servers (without using a Bastion Instance). Therefore I still need the External IPs on each and every Web Server.

Any clear (and kind) instructions will be very much appreciated. Thank you all.

You're able to set up HTTPS connectivity between your load balancer and your back-end servers while using the HTTP(S) load balancer. To achieve this goal you should install HTTPS certificates on your back-end servers and configure the web servers to use them. If you decide to completely switch to HTTPS and disable HTTP on your back-end servers, you should switch your health check from HTTP to HTTPS as well.

To make health checks work again after removing the default firewall rule that allows connections from 0.0.0.0/0 to ports 80 and 443, you need to whitelist the subnets 35.191.0.0/16 and 130.211.0.0/22, which are the source IP ranges for health checks. You can find step-by-step instructions on how to do it in the documentation. After that, access to your web servers will still be restricted, but your load balancer will be able to use the health check and serve your customers.
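The following is an added example, not code from the question or the answer. It models GCP's VPC ingress semantics in miniature (allow rules matched by source range, TCP port and target tag, with the implied deny-ingress rule for everything else) and walks through the three firewall states discussed in the thread: the original 0.0.0.0/0 rule, the poster's attempt of whitelisting the load balancer's external IP, and the answer's fix of whitelisting the health-check ranges 35.191.0.0/16 and 130.211.0.0/22. It also renders a rule as the `gcloud compute firewall-rules create` command that would create it. All addresses (the LB IP 203.0.113.10, the client 198.51.100.7, the prober 35.191.1.1, the admin network 192.0.2.0/24) and the `web` network tag are constructed for the walkthrough; only the two prober ranges come from the answer.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Source ranges for Google health-check probers, as quoted in the answer above.
HEALTH_CHECK_RANGES = ["35.191.0.0/16", "130.211.0.0/22"]

# Constructed addresses for the walkthrough (documentation ranges, not real hosts).
LB_EXTERNAL_IP = "203.0.113.10"     # the load balancer's forwarding-rule address (assumed)
PUBLIC_CLIENT_IP = "198.51.100.7"   # an arbitrary Internet client (assumed)
PROBE_IP = "35.191.1.1"             # a health-check prober, inside 35.191.0.0/16
ADMIN_CIDR = "192.0.2.0/24"         # where direct SSH should come from (assumed)
ADMIN_IP = "192.0.2.25"
WEB_TAGS = {"web"}                  # network tag carried by the web servers (assumed)


@dataclass
class AllowRule:
    """One VPC ingress allow rule: who may reach which TCP ports on which instances."""
    name: str
    source_ranges: list
    tcp_ports: set
    target_tags: set = field(default_factory=set)  # empty set = applies to every instance


def ingress_allowed(rules, src_ip, dst_port, instance_tags):
    """Traffic passes if any allow rule matches source, port and target tag;
    otherwise the VPC's implied deny-ingress rule drops it."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.target_tags and not (rule.target_tags & instance_tags):
            continue  # rule is scoped to tags this instance does not carry
        if dst_port not in rule.tcp_ports:
            continue
        if any(src in ip_network(cidr) for cidr in rule.source_ranges):
            return True
    return False


def evaluate(rules):
    """Answer the three questions the poster cares about for a given rule set."""
    return {
        "public_client_port_80": ingress_allowed(rules, PUBLIC_CLIENT_IP, 80, WEB_TAGS),
        "health_check_port_80": ingress_allowed(rules, PROBE_IP, 80, WEB_TAGS),
        "admin_ssh_port_22": ingress_allowed(rules, ADMIN_IP, 22, WEB_TAGS),
    }


def gcloud_create_command(rule, network="default"):
    """Render the rule as the gcloud command that would create it."""
    ports = ",".join(f"tcp:{p}" for p in sorted(rule.tcp_ports))
    cmd = (f"gcloud compute firewall-rules create {rule.name} --network={network} "
           f"--direction=INGRESS --action=ALLOW --rules={ports} "
           f"--source-ranges={','.join(rule.source_ranges)}")
    if rule.target_tags:
        cmd += f" --target-tags={','.join(sorted(rule.target_tags))}"
    return cmd


# SSH stays allowed, but only from the admin network; shared by all three rule sets.
SSH_RULE = AllowRule("allow-ssh-admin", [ADMIN_CIDR], {22}, WEB_TAGS)

# 1. The original state: 80/443 open to the world, so clients can bypass the LB.
ORIGINAL = [AllowRule("allow-web-all", ["0.0.0.0/0"], {80, 443}, WEB_TAGS), SSH_RULE]

# 2. The poster's attempt: whitelisting the LB's external IP. Probes do not come from
#    that address, so health checks fail and the backends are pulled from the LB.
LB_IP_ONLY = [AllowRule("allow-web-lb-ip", [f"{LB_EXTERNAL_IP}/32"], {80, 443}, WEB_TAGS), SSH_RULE]

# 3. The answer's fix: allow the documented prober ranges instead of the LB's IP.
FIXED = [AllowRule("allow-web-lb-probers", HEALTH_CHECK_RANGES, {80, 443}, WEB_TAGS), SSH_RULE]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("lb-ip-only", LB_IP_ONLY), ("fixed", FIXED)):
        print(label, evaluate(rules))
    print(gcloud_create_command(FIXED[0]))
```

Running it shows the failure mode the poster hit: the `lb-ip-only` rule set rejects the public client, which is what was wanted, but also rejects the prober, which is why the instances were dropped. The `fixed` set keeps the public client out, lets the prober ranges in, and leaves SSH reachable only from the admin network, so the external IPs can stay on the servers.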
