This is the 5th day of my participation in the August Writing Challenge.

1. Background

Recently, exposing an API in a hybrid cloud architecture took a few detours for various reasons. This post records them for reference.

The customer is a financial enterprise with strict SLA and data-security requirements, so a hybrid cloud deployment was chosen for service availability. The traffic entry point is Alibaba Financial Cloud, where security devices such as WAF, CDN and Anti-DDoS (high-defense IP) can be placed in front. ECS instances are deployed in different zones of the same Region for cross-zone availability. For data security, data is persisted on the IDC side. The cloud VPC is connected to the Cisco devices on the IDC side through an IPsec VPN (for stability, a dedicated line has since been put in place). The back-end app-server and DB-server are deployed in the IDC. See the figure below:

1.1 Customer requirements:

The customer has many services behind the same domain name and port. Normally this is handled in one of two ways: Nginx on the front-end Web-server terminates HTTPS (certificate on the Web-server) and reverse-proxies to the back-end apps, or an SLB layer-7 listener terminates HTTPS with the certificate on the SLB. In this deployment, however, one back-end app speaks HTTPS itself with its own certificate, and its interface needs to be exposed to the public network.

1.2 Pain points:

In testing, the app-server in the IDC runs in HTTPS mode. Reverse-proxying to it from Nginx over plain HTTP returns 502, because the upstream expects a TLS handshake, so that path fails. Terminating HTTPS on the financial-cloud Web-server instead would require the app-server's certificate (and private key) to be installed there. The customer reported that the other vendor could not provide the certificate in a short time, so a way around the certificate problem was needed.

1.3 Architecture analysis:

Switching the IDC side to HTTP was not an option, and without the certificate the financial-cloud Web-server could not reverse-proxy in HTTPS mode, so for a while things were at an impasse. Why not proxy from a server with a public IP on the IDC side, or DNAT through the IDC firewall? The customer replied that there was no public IP planning on the IDC side, and that they also needed us to help test the exposed interface from the financial cloud.

1.4 Solution:

Since an Nginx reverse proxy was out and the SLB cannot take the IDC-side app-server directly as a backend, the Web-server forwards at the TCP level with iptables instead: DNAT rewrites the destination of incoming traffic to the app-server, and SNAT (MASQUERADE) rewrites the source so that replies come back through the Web-server. TLS is then negotiated end to end between the client and the app-server, so no certificate is needed on the cloud side. Testing started on that basis.

2. Technical implementation

Because the actual work touches the operating system, network, middleware and Alibaba Cloud products, screenshots are not reproduced here; only the implementation steps and the key points to watch are listed.

2.1 Architecture diagram

2.2 Network communication

The Web-server's IP address and port on the financial-cloud side must be permitted in the corresponding direction on the Cisco firewall on the IDC side, and a route to the IDC address range must be configured on the Alibaba Cloud side, so that the Web-server and app-server can reach each other over the private network. Before touching iptables, confirm this from the Web-server with a direct TLS connection to the app-server's port (for example curl -kv https://172.19.xx.xx:8080); if that fails, the NAT rules cannot work either.

2.3 Domain name and SLB

Because no WAF or Anti-DDoS IP sits in front of the test domain, create an A record pointing the domain at the SLB's public address. On the SLB, configure a virtual server group containing the Web-server and use a TCP (layer-4) listener, since the SLB must not terminate TLS here; the listener's backend port is the port that iptables DNATs on the Web-server.

2.4 iptables forwarding

Configure the matching rules in the nat table according to the SLB port configuration, for example:

```shell
# Kernel forwarding must be enabled, or the DNATed packets are dropped
sysctl -w net.ipv4.ip_forward=1
# Rewrite traffic arriving on the Web-server's private IP (SLB backend) to the IDC app-server
iptables -t nat -A PREROUTING -d 10.69.xx.xx/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.19.xx.xx:8080
# Source-NAT the forwarded packets so the app-server's replies return via the Web-server
iptables -t nat -A POSTROUTING -d 172.19.xx.xx/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
```

Once configured, the interface can be tested from the public network with Postman. Two points to keep in mind: the Web-server is now a plain NAT hop, so nothing inspects the traffic at layer 7 and the app-server sees the Web-server's private IP as the client address (there is no X-Forwarded-For); and the certificate the client sees is the app-server's own, so the test only passes cleanly if that certificate covers the domain being tested, or if the client is set to skip certificate verification.
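The following script is an added example, not code from the original post, covering sections 2.2 to 2.4 end to end: it renders the commands for one forwarded port (including the ip_forward sysctl and FORWARD-chain rules the page's two-line snippet leaves implicit), audits an iptables-save dump to confirm the DNAT/MASQUERADE pair is present and correctly scoped, and shows the certificate a public client actually receives. The addresses 10.69.1.2 and 172.19.1.2 are placeholders for the masked 10.69.xx.xx / 172.19.xx.xx, api.example.test is a placeholder for the customer's test domain, and the two iptables-save excerpts are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders, audits and verifies the
# iptables pass-through described in sections 2.2 to 2.4. The addresses 10.69.1.2
# (Web-server private IP, the SLB backend) and 172.19.1.2 (IDC app-server) are
# placeholders for the masked 10.69.xx.xx / 172.19.xx.xx; api.example.test is a
# placeholder for the customer's test domain.

# Print the commands for one forwarded port.
#   $1 Web-server private IP   $2 listening (DNAT) port
#   $3 app-server private IP   $4 app-server port
# The FORWARD rules only matter when the filter table's FORWARD policy is DROP;
# without them (or without ip_forward=1) the DNATed packets are silently dropped.
render_nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $1/32 -p tcp -m tcp --dport $2 -j DNAT --to-destination $3:$4
iptables -t nat -A POSTROUTING -d $3/32 -p tcp -m tcp --dport $4 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d $3/32 -p tcp -m tcp --dport $4 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Return 0 when /proc/sys/net/ipv4/ip_forward (or the file given as $1) reads 1.
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Audit an iptables-save dump read from stdin against the same four parameters.
# Exits 1 when the DNAT or the scoped MASQUERADE rule is missing, when a
# MASQUERADE rule without "-d <app-server>/32" exists (it would NAT every flow
# forwarded by this host, not just the API port), or when FORWARD policy is DROP
# with no ACCEPT rule reaching the app-server.
audit_nat_dump() {
    dump=$(cat)
    rc=0
    dnat="-A PREROUTING -d $1/32 -p tcp -m tcp --dport $2 -j DNAT --to-destination $3:$4"
    snat="-A POSTROUTING -d $3/32 -p tcp -m tcp --dport $4 -j MASQUERADE"
    printf '%s\n' "$dump" | grep -qxF -- "$dnat" || { echo "missing: $dnat"; rc=1; }
    printf '%s\n' "$dump" | grep -qxF -- "$snat" || { echo "missing: $snat"; rc=1; }
    if printf '%s\n' "$dump" | grep -F -- '-j MASQUERADE' | grep -qvF -- "-d $3/32"; then
        echo "unscoped MASQUERADE rule present"; rc=1
    fi
    if printf '%s\n' "$dump" | grep -q '^:FORWARD DROP' &&
       ! printf '%s\n' "$dump" | grep -q -- "^-A FORWARD .*-d $3/32 .*-j ACCEPT"; then
        echo "FORWARD policy is DROP and no ACCEPT rule reaches $3"; rc=1
    fi
    return $rc
}

# After applying on the Web-server: show the certificate a public client receives.
# Because TLS is passed through, this is the app-server's certificate; its subject
# or SAN must cover the public host, otherwise clients fail hostname validation.
show_presented_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -ext subjectAltName
}

# Constructed iptables-save excerpt: what a correctly configured Web-server shows.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.69.1.2/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.19.1.2:8080
-A POSTROUTING -d 172.19.1.2/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed misconfiguration: the MASQUERADE was typed without a destination,
# so every flow this host forwards is NATed, not only the API port.
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.69.1.2/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.19.1.2:8080
-A POSTROUTING -j MASQUERADE
COMMIT'

# Stand-alone demo on the constructed dumps. On the real Web-server (as root):
#   render_nat_rules 10.69.xx.xx 8080 172.19.xx.xx 8080 | sh
#   iptables-save | audit_nat_dump 10.69.xx.xx 8080 172.19.xx.xx 8080
#   show_presented_cert api.example.test 8080
render_nat_rules 10.69.1.2 8080 172.19.1.2 8080
printf '%s\n' "$SAMPLE_DUMP" | audit_nat_dump 10.69.1.2 8080 172.19.1.2 8080 && echo "sample dump: OK"
printf '%s\n' "$BAD_DUMP" | audit_nat_dump 10.69.1.2 8080 172.19.1.2 8080 || echo "bad dump: rejected"
```

The audit deliberately matches the exact normalised form iptables-save prints, so a rule typed with a different port or a missing -d scope is reported rather than silently accepted; the unscoped-MASQUERADE check is the one most worth keeping, since a blanket MASQUERADE turns the Web-server into a general NAT gateway for anything routed through it.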

3. Reflections

Given the constraints and various business reasons, the candidate approaches are listed here for future reference:

  • If possible, expose the interface through a reverse proxy on a public-facing server on the IDC side
  • DNAT the service port on the Cisco device on the IDC side to expose the interface
  • If a certificate is available on Alibaba Financial Cloud, expose the interface through an HTTPS reverse proxy there
  • Change the back-end app-server to HTTP so that the Alibaba Cloud side can reverse-proxy over HTTP and expose the interface
  • Use iptables forwarding on the Web-server to expose the interface with HTTPS passing through end to end