Wednesday, January 6, 2021

Control regional access to you service on OpenShift running on AWS

In the last blog we talked about how we can find out the IP address of the clients accessing our service running on OpenShift, and how we can block them.


Once you have our content created as a service running on OpenShift on AWS, its delivery to the end customers becomes a matter of utmost importance. This is where AWS CloudFront can help. CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. 


CloudFront not only delivers both static and dynamic content using a single distribution. It can also control users in selected countries from accessing our content by providing either a whitelist (countries where they can access your content) or a blacklist (countries where they cannot).


In this blog we will look at how to create an AWS CloudFront Distribution, and how we can restrict countries from accessing our Service running on OpenShift. 


For this blog I have deployed OpenShift on AWS using the IPI (Installer Provisioned Installer), and for the service I created a blog application, which is designed to show the various features of OpenShift. The blog application is implemented using Python and Django.


To learn more about installing the Blog application from the source, please visit https://learn.openshift.com/introduction/deploying-python/ 


As I created the application using the web console, a Route was automatically created for the application and it will be exposed outside of the cluster. The URL to access the blog application is as: http://blog-django-py-myproject.apps.mytest.ocp4-test-mshetty.com


Let's look at how we can create an AWS CloudFront Distribution, and use it to blacklist certain countries from accessing our blog service.


  1. We start by creating a AWS CloudFront Distribution by going to CloudFront from the AWS console.





  1. Next, create a new Distribution by clicking on the “Create Distribution” button.


  1. In the “Select a delivery method for your content.” select the “Get Started” button under the Web distribution.


  1. When you click on the Origin Domain Name field you’ll see the S3 buckets used for the registry, and all the Elastic Load Balancers, ignore and that and enter “blog-django-py-myproject.apps.mytest.ocp4-test-mshetty.com”. I left all the other values in the form as default for this post, and clicked on the “Create Distribution” at the bottom of the page. 





  1. The CloudFront Distribution is created when the State is Enabled, and the Status changes from “In Progress” to “Deployed”.





  1. We can now use the CloudFront Domain name “d2ol5va9tfpqgt.cloudfront.net” to access our service by entering it into the URL of the browser.


  1. Now to blacklist a country click on the “Distribution Settings” button, and then go to the “Restrictions” tab and click on Edit.




  1. Next, we can test this by connecting to a VPN server in that country or with LocaBrowser, by trying to access the service using the CloudFront domain name.




Using the CloudFront domain name is fine, but wouldn’t it be nice to use your own domain name (for example, www.example.com) in the files’ URLs instead. Check out the link for information on using alternate domain names.


AWS WAF for additional rules and resources:


If you want to apply the country blacklist to your other resources on AWS, or you want to apply additional security rules to your service running on OpenShift, you could use AWS WAF to create the rules, and apply them to your CloudFront distributions or other Regional resources (Application Load Balancer, API Gateway, AWS AppSync).


As you see, I have the rule that blocks countries along with three additional rules, that make up the AWS WAF Web ACL called myACL. The Web ACL is then applied to the my CloudFront Distribution resource type.



You see below that the AWS WAF Web ACL is associated with the CloudFront resource used for our OpenShift service.



There we go! It is really that simple to deliver and block access from certain regions to services running on OpenShift on AWS.





No comments: