How to prevent public access to Compute Engine External IP Address?

Views: 84

Question

I need to prevent users from accessing the site through the external IP address on Compute Engine; they should be able to access the site only via the domain name (www.some-domain.com), not the IP address itself.

Let's say the instance's IP address on Compute Engine is A.A.A.A. I am using a Load Balancer to redirect it to a secure connection, with these settings:

  • Frontend
    • HTTP : B.B.B.B:80
    • HTTPS : B.B.B.B:443
    • Redirect to active instance

And I am pointing the DNS (A) record to B.B.B.B.

Now I am able to access https://www.some-domain.com. But the problem is, I can still access the site via A.A.A.A and B.B.B.B.

This is my current firewall configuration:

How do I prevent this? Thanks.

Answer

Your problem is very similar to configuring the Google Identity-Aware Proxy, which is part of Google's BeyondCorp architecture and, provided your users have Google IDs, is very effective.

The docs explain the process for setting up IAP, but they also help explain how to configure the moving parts. You need to:

1. Set the A record in your DNS to the load balancer's public frontend.
2. Configure a firewall rule on the GCE instance that disallows any traffic from the Internet and allows only traffic from the load balancer. The load balancer docs have a useful diagram showing the rule.
3. Configure your load balancer backend to direct traffic from the frontend to the GCE instance. I have TLS across the Internet to the LB and then HTTP from the LB to my instance, but you don't have to.

Your load balancer will then take the HTTP/S traffic and forward it to the back end using the forwarding rule you set up when configuring it. If you try to go to the instance IP directly, the firewall will block you; for testing you can enable an allow from your client IP, and then you will see that you don't get the headers.
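The two controls the answer relies on, modelled as an added example (not code from the original post or from Google): a VPC firewall rule that admits traffic to the instance only from the documented Google load-balancer proxy ranges (130.211.0.0/22 and 35.191.0.0/16), and a Host-header check on the backend for the case the firewall cannot cover, a request to the load balancer's own address B.B.B.B. The addresses 198.51.100.10 (standing in for A.A.A.A), 192.0.2.20 (standing in for B.B.B.B), the network tag `web` and the sample request records are constructed for this example.

```python
"""Two checks that together keep a GCE backend from being reached by IP.

Added example; not code from the original post. The backend address
198.51.100.10 (the post's A.A.A.A), the load balancer address 192.0.2.20
(the post's B.B.B.B) and the request records below are constructed.
"""
import ipaddress
from typing import Optional

# Documented source ranges used by Google's external HTTP(S) load balancer
# proxies and health checkers when they open connections to backends.
# Note they are not the LB's own frontend IP (B.B.B.B).
LB_PROXY_RANGES = [
    ipaddress.ip_network("130.211.0.0/22"),
    ipaddress.ip_network("35.191.0.0/16"),
]

# Port the LB backend service talks to on the instance (HTTP, as in the answer).
BACKEND_PORT = 80

# Hostnames the web server is willing to serve.
ALLOWED_HOSTS = {"www.some-domain.com"}


def firewall_allows(src_ip: str, dst_port: int) -> bool:
    """Emulate the intended VPC firewall rule for the instance.

    Equivalent gcloud (assumes the instance carries the network tag "web"):
      gcloud compute firewall-rules create allow-lb-to-web \
        --direction=INGRESS --action=ALLOW --rules=tcp:80 \
        --source-ranges=130.211.0.0/22,35.191.0.0/16 --target-tags=web
    Anything the rule does not match falls through to the VPC's implied
    deny-ingress, provided no broader allow rule (such as a default-allow-http
    rule with source 0.0.0.0/0) still applies to the instance.
    """
    ip = ipaddress.ip_address(src_ip)
    return dst_port == BACKEND_PORT and any(ip in net for net in LB_PROXY_RANGES)


def _hostname(host_header: str) -> str:
    """Strip the port (and IPv6 brackets) from a Host header value."""
    h = host_header.strip().lower()
    if h.startswith("["):                      # [ipv6]:port
        return h[1:h.index("]")] if "]" in h else h[1:]
    return h.split(":", 1)[0]


def host_allowed(host_header: Optional[str]) -> bool:
    """Accept only requests addressed to the site's own hostname.

    The firewall cannot distinguish a request for https://www.some-domain.com
    from one for https://192.0.2.20: both are forwarded by the same LB
    proxies. Only the Host header tells them apart, so the backend (or a
    host rule in the LB's URL map) has to reject IP literals and unknown names.
    """
    if not host_header:
        return False
    host = _hostname(host_header)
    try:
        ipaddress.ip_address(host)
        return False                           # raw-IP access such as https://B.B.B.B
    except ValueError:
        pass
    return host in ALLOWED_HOSTS


def decide(src_ip: str, dst_port: int, host_header: Optional[str]) -> str:
    """Fate of one inbound request at the instance, in evaluation order."""
    if not firewall_allows(src_ip, dst_port):
        return "dropped by firewall"
    if not host_allowed(host_header):
        return "rejected by host check (421 Misdirected Request)"
    return "served"


# Constructed request records: (source IP seen by the instance, port, Host).
SAMPLE_REQUESTS = [
    ("35.191.8.9",    80, "www.some-domain.com"),    # via LB, correct hostname
    ("35.191.8.9",    80, "192.0.2.20"),             # user typed https://B.B.B.B
    ("130.211.1.5",   80, "www.some-domain.com:80"), # via LB, Host carries a port
    ("203.0.113.7",   80, "198.51.100.10"),          # user typed http://A.A.A.A
    ("203.0.113.7",   80, "www.some-domain.com"),    # spoofed Host, still direct
    ("35.191.8.9",   443, "www.some-domain.com"),    # port the rule does not open
]

if __name__ == "__main__":
    for src, port, host in SAMPLE_REQUESTS:
        print(f"{src:>14} -> :{port:<4} Host={host:<24} {decide(src, port, host)}")
```

The firewall rule on its own settles A.A.A.A but not B.B.B.B: requests to the load balancer's frontend arrive at the instance from the same proxy ranges whether the user typed the domain or the IP, so only the Host header separates them. Either reject unknown hosts on the backend as above, or add a host rule to the load balancer's URL map so that only www.some-domain.com routes to the backend service and any other host name or IP literal goes to a default backend that serves nothing. Whichever you choose, remember that health checks come from the same ranges and by default carry no useful Host header, so either set the health check's `host` field to the site's hostname or exempt the health-check path from the check, or the backend will be marked unhealthy.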
