
There is a new section in the Bluemix Doc for the Secure Gateway Service: "Creating IP table rules for a Bluemix app".

Unfortunately I don't understand what I should do. E.g. the text says to make an API call in this form: `PUT /v1/sgconfig/:<gateway_id>/destinations/:<endpoint_id>/ipTableRule`. That will never work; it should say something like `curl -k --request PUT https://sgmanager.ng.bluemix.net/v1/sgconfig/...`

Also, in the Secure Gateway Definition, under Advanced / Network Options, do I need to check the option for Restrict network access to cloud endpoint?

Could somebody please rework the text and even more importantly, add an example, please?

Harald Uebele

1 Answer


If you want to enforce IP Table Rules, then yes, you would need to check the Restrict network access to cloud endpoint box. At that point you would add the rules you want enforced, such as: 192.0.0.1 9000 (single IP and port), 192.0.0.1-192.0.0.5 5000:5005 (range of IPs and range of ports), or any combination therein.

If you are creating your private destinations with cURL, you could use a command like:

curl "https://sgmanager.ng.bluemix.net/v1/sgconfig/<gateway_id>/destinations" \
-H "Authorization: Bearer <security_token>" \
-H "Content-type: application/json" \
-d '{"desc":"My Private Destination","ip":"1.1.1.1","port":8000,"private":true}' -k

Once your private destination is created, you can add IP table rules with commands like:

curl -X PUT "https://sgmanager.ng.bluemix.net/v1/sgconfig/<gateway_id>/destinations/<destination_id>/ipTableRule" \
-H "Authorization: Bearer <security_token>" \
-H "Content-type: application/json" \
-d '{"src":"192.0.0.1","spt":"9000"}' -k

and

curl -X PUT "https://sgmanager.ng.bluemix.net/v1/sgconfig/<gateway_id>/destinations/<destination_id>/ipTableRule" \
-H "Authorization: Bearer <security_token>" \
-H "Content-type: application/json" \
-d '{"src_range":"192.0.0.1-192.0.0.5","spt":"5000:5005"}' -k

Please note that the first command here uses src to provide a single IP, whereas the second uses src_range to provide a range of IPs.

Galen Keene
  • Thanks for the instructions. But I want to limit access to a Bluemix application: only my Bluemix app XYZ should be able to connect to my on premise destination endpoint. I don't know the IP address of my Bluemix app and even if I knew it today, it could change tomorrow if I restart it. How can I configure this for a Bluemix application? – Harald Uebele Feb 09 '16 at 11:17
  • 1
    Your BlueMix application can call the Secure Gateway API whenever it starts up to dynamically add an IP Table Rule for itself. If your IP will be changing often and you don't want to have logic in place to remove previous IP table rules (which could be difficult since you won't necessarily know your previous IP), you could provide an application ID in the body when adding a rule (`app : `). If you provide an app ID, it will replace any other rule that is already using that ID. – Galen Keene Feb 12 '16 at 14:33
  • To clarify my previous comment, the body of the request from your BlueMix application could simply be `{"src":"","app":""}`. This would add an IP Table rule to the SG destination that should allow traffic from that IP from any port. If you provide another rule with the same app ID, it would replace the previously associated rule. – Galen Keene Feb 12 '16 at 23:54
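As an added example (not code from the question, the answer, or the Secure Gateway documentation), here is a Python startup routine of the kind the comments describe: the app learns its current egress IP, builds a rule body keyed by a stable app ID, and PUTs it to the destination's ipTableRule endpoint so a restart with a new IP replaces the previous rule instead of leaving stale ones behind. The field names `src`, `src_range`, `spt` and `app`, the sgmanager host and the `ipTableRule` path are taken from the answer above; the environment variable names, the injectable `opener`, and the way the app learns its own IP are assumptions made for illustration.

```python
"""Register the calling app's IP as a Secure Gateway IP table rule at startup.

Added example, not code from the original page. Field names (src, src_range,
spt, app), the sgmanager host and the ipTableRule path come from the answer
above; env variable names, the IP lookup hook and the injectable opener are
assumptions for illustration.
"""
import ipaddress
import json
import os
import re
import urllib.request

SG_MANAGER = "https://sgmanager.ng.bluemix.net"  # host used in the answer

_PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def _check_port_spec(spt):
    """Accept '9000' or '5000:5005', the two port forms shown in the answer."""
    m = _PORT_RE.match(spt)
    if not m:
        raise ValueError("bad port spec: %r" % spt)
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("port range out of order or out of bounds: %r" % spt)
    return spt


def build_rule(src=None, src_range=None, spt=None, app=None):
    """Build the JSON body for PUT .../destinations/<id>/ipTableRule.

    Exactly one of src (single IPv4) or src_range ('first-last') is required;
    spt (port or port range) and app (rule owner ID) are optional. Validation
    is client-side only: a typo fails here instead of producing a rule that is
    rejected, or worse, broader than intended.
    """
    if (src is None) == (src_range is None):
        raise ValueError("give exactly one of src or src_range")
    body = {}
    if src is not None:
        body["src"] = str(ipaddress.IPv4Address(src))  # raises on garbage
    else:
        first, sep, last = src_range.partition("-")
        if not sep:
            raise ValueError("src_range must be 'first-last'")
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if hi < lo:
            raise ValueError("src_range is backwards: %r" % src_range)
        body["src_range"] = "%s-%s" % (lo, hi)
    if spt is not None:
        body["spt"] = _check_port_spec(str(spt))
    if app is not None:
        body["app"] = app
    return body


def rule_url(gateway_id, destination_id, base=SG_MANAGER):
    """Path from the answer: /v1/sgconfig/<gateway_id>/destinations/<destination_id>/ipTableRule."""
    return "%s/v1/sgconfig/%s/destinations/%s/ipTableRule" % (base, gateway_id, destination_id)


def put_rule(gateway_id, destination_id, token, body, opener=urllib.request.urlopen):
    """PUT the rule with a Bearer token; TLS verification stays on (no '-k').

    `opener` is injectable so the call can be exercised without network access.
    """
    req = urllib.request.Request(
        rule_url(gateway_id, destination_id),
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    with opener(req, timeout=10) as resp:
        return resp.status


def register_self(my_ip_lookup, opener=urllib.request.urlopen):
    """Startup hook: register our current egress IP under a stable app ID.

    Because the body carries an app ID, re-running this after a restart that
    changed the IP replaces the old rule rather than accumulating rules
    (behaviour described in the comments above). Env names are assumptions.
    """
    body = build_rule(src=my_ip_lookup(), app=os.environ["SG_APP_ID"])
    return put_rule(os.environ["SG_GATEWAY_ID"], os.environ["SG_DESTINATION_ID"],
                    os.environ["SG_TOKEN"], body, opener=opener)


if __name__ == "__main__":
    # How a Bluemix app discovers its own egress IP is an assumption; here the
    # placeholder lookup simply reads it from MY_EGRESS_IP.
    print(register_self(lambda: os.environ["MY_EGRESS_IP"]))
```

Two points worth noting when adapting this: the curl commands in the answer pass `-k`, which disables certificate checking on the management API call; the example above keeps verification on, which matters because the request carries the bearer token that controls who may reach your on-premises endpoint. Also, the `spt` value is the source port, so a rule that names a single source IP without `spt` (as in the comments) allows that IP from any port, which is normally what an app whose ephemeral ports you cannot predict needs.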