0

I work on a development staff that is geographically distributed, mostly all throughout the state of CA, but several key members also must travel frequently.

We rely quite heavily on a 3rd party provider API for a great deal of our subsystems (can't get into who it is or what they do). The 3rd party however is quite stringent on network access and have no notion of a development sandbox. Access is restricted to 2, 3 IP numbers and that's about it. Once we account for our production servers, that leaves us with an IP or two to spare for our dev team--which is still problematic as people's home IP changes, people travel, we have more than 2 devs, etc.

Wide IP blocks are not permitted by the 3rd party. Nor will they allow dynamic DNS type services. There is no simple console to swap IPs on the fly either (e.g. if a dev's IP at home changes or they are on the road).

As none of us are deep network experts, I'm wondering what our viable options are?

  • Are there such things as 3rd party hosts to VPNs? Generally I think of a VPN as a mechanism to gain access to a home office, but the notion would be a 3rd party VPN that we'd all connect to and we'd register this as an IP origin w/ our 3rd party.

  • We've considered using Amazon EC2 to effectively host a dev environment for each dev and using that to connect. Amazon only gives you so many static IPs however (I believe 5?) so this would only be a stopgap solution until our team size outstrips our IP count at Amazon.

Those were the only viable thoughts that I had, but again, I'm far from a networking guy. Tried searching for similar threads, but I'm not even sure I know the right vernacular to look around for.

LapTop006

2 Answers

3

I can think of two solutions-- one at layer 3 and one at layer 7.

I'd consider getting a hosted server somewhere w/ a static IP address and hosting something like OpenVPN there. You can deploy an OpenVPN configuration that causes any access to the API to be routed across the OpenVPN to the hosted server with the static IP, whereupon you can NAT it to that server's IP address.

Alternatively, you could run a layer 7 proxy on the hosted server (something like Squid-- I'm assuming your API is exposed via HTTP) and route requests from your developers through that proxy server.

Edit:

Using a layer 7 proxy means that you don't need any client software installed for the developers, assuming their existing tools can handle having an HTTP proxy specified. You probably don't want all of their access being routed across that remote proxy, though, so you should use something like a proxy autoconfiguration file or local proxy servers to shunt only the appropriate requests for the API off to the hosted proxy. Some browsers don't support using SSL between the client and the proxy, so the developers' requests would be crossing the Internet unencrypted.

Using the layer 3 solution eliminates the need to configure developers' browsers with an HTTP proxy, but means that they'll need some kind of VPN client up and running. Their requests will be encrypted between the VPN server and their client computer; however, that may be a completely moot point if the requests between the hosted VPN server and the API servers run in the clear.

Evan Anderson
  • Yes, the API is over HTTP/SOAP. So would the primary advantage of something like OpenVPN vs Squid be that the connection from the devs to the hosted server is a secured tunnel? Or are there other pros/cons to it? Trying to gather a coherent cost/benefit to pass up the pay scale. :) –  Mar 23 '10 at 04:36
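
A proxy auto-configuration file along the lines the answer above describes, as an added example that is not part of the original answer: only requests to the API host go to the hosted proxy, and everything else connects directly. The names `api.vendor.example` and `proxy.dev.example:3128` are placeholders assumed for illustration.

```javascript
// Added example: PAC file that sends only API traffic to the hosted proxy.
// Assumed placeholders (not from the post): api.vendor.example, proxy.dev.example:3128.
var API_HOSTS = ["api.vendor.example"];          // hosts the provider IP-restricts
var API_PROXY = "PROXY proxy.dev.example:3128";  // hosted Squid on the registered static IP

// Lower-case the host and drop a trailing dot so "API.Vendor.Example." still matches.
function normalizeHost(host) {
  var h = String(host || "").toLowerCase();
  return h.charAt(h.length - 1) === "." ? h.slice(0, -1) : h;
}

// Exact match only: suffix or substring matching would also send unrelated
// names such as "api.vendor.example.other.test" out through the allowlisted IP.
function isApiHost(host) {
  return API_HOSTS.indexOf(normalizeHost(host)) !== -1;
}

// Entry point the browser calls for every request. Matching uses the host,
// not the URL path, because browsers may strip the path before calling PAC.
function FindProxyForURL(url, host) {
  if (isApiHost(host)) {
    // No "; DIRECT" fallback: if the proxy is down the request fails visibly
    // instead of leaving from the developer's own, unregistered address.
    return API_PROXY;
  }
  return "DIRECT"; // all other browsing bypasses the hosted proxy
}
```

Because anything that can reach the proxy egresses from the allowlisted address, restrict the proxy itself to the development team, for example with Squid ACLs or proxy authentication.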
0

It sounds like you need a NAT solution. You could create a VPN tunnel and then force the data to the API over NAT. This way they would all look like they were coming from the same IP address. The setup would look something like this:

    Developers ----- VPN ----- private subnet --- NAT --- External IP

trent
  • High level I follow, but having never configured a VPN on the server end of things before, how would one generally route specific traffic, like my API traffic, through the hosted VPN host? –  Mar 23 '10 at 04:43
  • You would either push a route to direct all traffic through the VPN or push a route to push the traffic to the specific IP where the API was hosted. How you configure the VPN to do this will depend on the VPN you are using – trent Mar 23 '10 at 06:13