Especially if people work remotely, you will end up whitelisting a lot of IPs, that change frequently.
It doesn’t scale well if you do not have a VPN (which can be overkill in some contexts, or too expensive) or access to a shared network (which is less and less the case with the development of remote working).Yet, there are at least 2 problems with IP whitelisting: SSH keys should stop an unauthorized user, but his access will be checked only on the bastion itself. This may include requests from unauthorized users. One may say that HTTPs LBs can be protected by CloudArmor WAF, and that we can limit connections to the bastion with SSH keys-based authentication.īut, even if Cloud Armor WAF (Web Application Firewall) rules can detect some malicious requests, for example, it will let pass all the requests that appear to be normal. The only way we can do that with a setup like the ones above, is with source IP whitelisting. I.e., if you cannot even touch the door, you will never be able to open it. A good way to do that is to prevent this user to access it in the first place. Now, let’s say we want to prevent an unauthorized user from connecting to the bastion or the API. For an HTTP API, you will have to make it accessible on its 80/443 port, once again either directly or through à Load Balancer.
0 kommentar(er)
