Galaxy: How to determine IP address of galaxy server


#1

I’m using Galaxy and loving it.

We connect to an API which requires that we provide them our IP to whitelist.

We cannot provide the URL as the request is sent from the server.

So far, I’ve found our app running on 3 different IPs, each pointing to the EC2 region eu-west-1.

Is there a way to get a complete list of the static IPs of where our containers might run?


#2

I know for incoming connections, you can use

dig +short galaxy-ingress.meteor.com

to get a list of Galaxy’s current load balancer IPs. For outgoing connections, however, things are likely more difficult. It depends on how MDG has their internal routing set up, so you’ll likely want to open a Galaxy support ticket through the Galaxy admin to find out.


#3

There is a way! Galaxy currently runs on AWS US-East-1 and AWS EU-West-1 and you can poll Amazon to find all the IP addresses your app might run on.

https://ip-ranges.amazonaws.com/ip-ranges.json *

See documentation here: http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

  • Note that Amazon states: “you can expect it to change several times per week and should poll accordingly.”

#4

Thanks @hwillson @danahmadi

It’s kinda funny, but since autoscaling etc. you don’t actually know what IP your end servers are running on.

@danahmadi we set up a test where we’d POST to another server and have that server return the IP. Over a number of tests, we got 3 IP addresses (all eu-west-1), none of which are contained in the list Amazon provides.

Our partner is required to whitelist specific IPs due to regulation. Our current solution is to write another Meteor app and host it on AWS with a static IP.

Kinda sucks. I’d welcome other suggestions.


#5

@danahmadi I’m in a similar situation with this. I would like to use Mongo DB Atlas with its IP whitelisting feature. It only supports up to 20 CIDR/IP addresses and can’t be adjusted programmatically, which makes polling of the AWS JSON document a no go. Further to this, I don’t want to open my Mongo DB cluster to the whole Internet as that’s not good for security, nor is opening up access to an entire AWS region.

I’ve not used Compose.io at all, but I guess this would have the same issue as Atlas in this respect.

I understand we have a username/password as a layer of protection - but multi-layered security (especially for the database) is extremely important in the present cyber security landscape.

Can MDG offer any alternative solutions so we don’t have to compromise on Mongo DB security when hosting our apps on Galaxy?

Many Thanks.
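
The following is an added example, not code from any poster in this thread: it filters a document in the ip-ranges.json format mentioned in post #3 to one region, merges adjacent ranges, and compares the result with the 20-entry allowlist limit described in post #5, also reporting observed egress IPs that fall outside the published ranges (the situation described in post #4). The sample data is constructed from documentation address ranges, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json (documentation CIDRs, not real AWS data).
SAMPLE = json.loads("""
{"syncToken": "0", "createDate": "1970-01-01-00-00-00",
 "prefixes": [
  {"ip_prefix": "198.51.100.0/25",   "region": "eu-west-1", "service": "AMAZON"},
  {"ip_prefix": "198.51.100.0/25",   "region": "eu-west-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.128/25", "region": "eu-west-1", "service": "EC2"},
  {"ip_prefix": "203.0.113.0/24",    "region": "eu-west-1", "service": "EC2"},
  {"ip_prefix": "192.0.2.0/24",      "region": "us-east-1", "service": "EC2"}
 ]}
""")

ALLOWLIST_CAP = 20  # entry limit post #5 gives for the Atlas IP whitelist


def region_networks(doc, region, service="EC2"):
    """Return the de-duplicated, merged IPv4 networks for one region/service."""
    nets = {ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"]
            if p["region"] == region and p["service"] == service}
    # collapse_addresses merges adjacent and overlapping prefixes.
    return list(ipaddress.collapse_addresses(nets))


def covers(networks, ip):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


def allowlist_report(doc, region, observed_ips, cap=ALLOWLIST_CAP):
    """Summarise what allowlisting a whole region would mean."""
    nets = region_networks(doc, region)
    return {
        "entries": len(nets),                             # allowlist rows needed
        "addresses": sum(n.num_addresses for n in nets),  # hosts that would be let in
        "fits_cap": len(nets) <= cap,
        "uncovered": [ip for ip in observed_ips if not covers(nets, ip)],
    }


if __name__ == "__main__":
    # Observed egress IPs are constructed values for the demonstration.
    print(allowlist_report(SAMPLE, "eu-west-1", ["198.51.100.77", "192.0.2.10"]))
```

The "addresses" figure is the number of hosts a region-wide allowlist would admit, which is the exposure post #5 objects to even when the entry count fits under the cap.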


#6

Have you thought about contacting the actual company who provides the API, or telling the community which API it is?

There may be a way, through the use of a secret key, to attain a similar effect to whitelisting the IP.


#7

It really depends on the company.

The one we were using requires that the IPs are whitelisted and they won’t budge.

Our solution was to route requests through an EC2 machine with a static IP.

This is far from being a good solution as it increases deployment complexity and doesn’t scale well.


#8

Has anyone got any idea of how to make a Google API key for server work in production? Dynamic whitelisting will be such a pain to code when I just want to send some push notifications to Cordova clients. And it seems keys need to be restricted to work :frowning:


#9

@mcoenca there is no solution with Galaxy / Meteor.

Solution 1: Host part of your app elsewhere (TESTED)

Create a microservice app using meteor or another framework. Make calls like this:

Main app -> microservice -> API -> microservice -> Main app

Host this on AWS to give yourself a static IP.

It’s a bitch. Maybe something like this could work

Solution 2: Something with NATs (UNTESTED)

Apparently the ‘correct’ way to do this with AWS is using a NAT.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

I have no idea about this.