Ingress filtering from an external cloud service to the internal network
NANOG,

We have a hybrid cloud model that includes an external cloud service that needs to reach back into our internal network. The application documentation states that this connection cannot go through a proxy server. I am not in a position to redesign this solution or change the parameters.

My question to NANOG is how to manage (filter/secure) the ingress traffic from the external cloud service. Past network guy managed inbound firewall rules based on the cloud provider's source IP address, but this wasn't sustainable and led to multiple outages as the external (source) IP has changed from time to time. I can define the destination ports well enough, but not the source IP addresses. Any ideas on how I can filter this type of inbound traffic from an internet-based service?

Thanks,
Matt
Is it possible for you to get a private/direct connect service from your network perimeter to the cloud provider and eliminate using the public connectivity? Or because it's Internet-based you have to use public connectivity?

James W. Breeden
Managing Partner
Arenal Group: Arenal Consulting Group | Acilis Telecom | Pines Media
PO Box 1063 | Smithville, TX 78957
Email: james@arenalgroup.co | office 512.360.0000 | www.arenalgroup.co

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Torres, Matt
Sent: Thursday, May 4, 2017 7:47 AM
To: nanog@nanog.org
Subject: Ingress filtering from an external cloud service to the internal network
Unfortunately, a private connection or VPN to the cloud service provider is not available right now, but I can see how that could help solve my problem. :-) ~Matt
Since you can't change the design you may not be able to put some kind of overlay solution in place, which is just a fancy way of saying a VPN solution. What if you look at it in a different way and put some kind of endpoint security cloud solution like Illumio in place? But if you at least had the freedom to put something like this: http://www.sproute.com/span in place, or 20 other similar solutions. As in you do VPN, but right from the cloud instance itself or another instance. There is also a set of various solutions that do specialized metadata like Cilium, but they get into container networking and that is definitely application redesign.

On Thu, May 4, 2017 at 1:08 PM, Torres, Matt <matt.torres@state.or.us> wrote:
NANOG, Thank you all. I have more than enough research to do now to further learn about everyone’s suggestions. ~Matt
You can usually run OpenVPN from a cloud host. The source IP changing possibly should require only one open exception to the local VPN termination point. Better, find a cloud that doesn't do that shit with changing endpoints and gives you real VPNs. What sort of cloud doesn't these days?...?... Sent from my iPhone
On May 4, 2017, at 10:08 AM, Torres, Matt <matt.torres@state.or.us> wrote:
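George's suggestion above, terminating a VPN that the cloud host initiates so that the perimeter needs only one Internet-facing exception, shown as an added nftables ruleset that is not from the thread or any of its participants. Everything named here is assumed or constructed: eth0 is the Internet-facing interface, tun0 the OpenVPN tunnel, 203.0.113.10 the VPN termination address on the firewall, 10.8.0.2 the tunnel address pinned to the cloud host's client certificate, 10.10.5.20 the internal application server, and TCP 443/8443 its inbound ports.

```nft
# Added example, not the thread's own configuration. All addresses, interface
# names and ports are constructed placeholders (see lead-in).
table inet perimeter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept

        # The only Internet-facing exception: the OpenVPN listener on the
        # termination address. Any source may reach it, but only a peer that
        # presents a valid client certificate gets a tunnel, so the cloud
        # provider's changing egress IP no longer has to be tracked here.
        iif "eth0" ip daddr 203.0.113.10 udp dport 1194 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Before (the brittle pattern the thread describes): allow the app
        # ports from the provider's current egress addresses. Breaks whenever
        # those addresses change. Kept commented out for comparison.
        # iif "eth0" ip saddr { 198.51.100.7, 198.51.100.8 } ip daddr 10.10.5.20 tcp dport { 443, 8443 } accept

        # After: the app ports are reachable only through the tunnel, and only
        # from the tunnel address assigned to the cloud host's certificate
        # (assumes the OpenVPN server pins that address via client-config-dir).
        iif "tun0" ip saddr 10.8.0.2 ip daddr 10.10.5.20 tcp dport { 443, 8443 } accept

        # Log, then drop, anything else aimed at the app ports so an unexpected
        # source shows up in the logs instead of silently failing.
        ip daddr 10.10.5.20 tcp dport { 443, 8443 } log prefix "hybrid-drop: " drop
    }
}
```

With this in place, a change in the provider's egress address only moves where the tunnel is initiated from; the perimeter rules stay the same.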
I just read an article about these people. They are even more interesting than Illumio or these other VPN solutions. The important part is that you get to stitch tunnels together on some other host, so the changing IP of endpoints is irrelevant. http://zentera.net/

On Fri, May 5, 2017 at 11:13 AM, George William Herbert <george.herbert@gmail.com> wrote:
According to my application guy, this is true of the Microsoft O365 hybrid solution. It requires direct inbound connections on various ports from largely undefined IP space. I imagine the private VPN limitation (i.e., not having a VPN) is on our side and MS provides something like this...
participants (4): George William Herbert, James Breeden, Torres, Matt, Yan Filyurin