Securing Microservices via IP Filters

yuuvis® RAD 10.x »

IP filters can be set up both for services and management endpoints of the services.

IP Filters for Services

You can configure which incoming IP addresses can access the services.

The following rules apply:

  • IP filters for accessing services in the application-prod.yml configuration file apply for all services that are not configured by the users themselves.

  • IP filters for individual services in the corresponding <service>-prod.yml configuration files only apply for these services. IP filters for the application-prod.yml configuration file do not apply there.

  • As a general rule, access to the 'gateway' service must be permitted from all IP addresses. If IP filters are set up in the application-prod.yml configuration file, the gateway-prod.yml configuration file must allow all accesses: trusted.ipPattern: '.*' This is the default setting for new installations.

  • When installing yuuvis® RAD service-manager, an IP filter is specified for access to all services and entered in the application-prod.yml configuration file.

  • It may be necessary to allow the corresponding IP address access to the 'admin' service in the admin-prod.yml configuration file for the call by an administrator.

To configure an IP filter for the services, follow these steps

  1. Open application-prod.yml from the …\services\service_manager\config\ directory.
  2. Assign the required IP addresses to the trusted.ipPattern parameter.

  3. IP filters for individual services are created in the same way via the <service>-prod.yml configuration file. These filters only apply there.

  4. Save the configuration file and restart yuuvis® RAD service-manager.

With a list of addresses, IP addresses must always be enclosed in parentheses. The separator between addresses is a pipe ('|').

Since this is a regular expression, periods in IP addresses should be masked with '\', while colons in IPv6 addresses do not need to be. To aid readability, masking can also be omitted, however.

It is possible, for example, to check that regular expressions are correct here: https://regex101.com/

Examples

Allowed access Sample configuration
From all IP addresses .*
From specified addresses (10\.10\.10\.10)|(10\.10\.10\.11)| ... (10\.10\.10\.1x)
From address ranges (10\.10.*)|(192\.168\.[0-9]{1.3}\.[0-9]{1.3})|(172\.[16-32]\.[0-9]{1.3}\.[0-9]{1.3})

If IP filters for the services are configured, the following addresses must typically be allowed:

  • 127.0.0.1 and 0:0:0:0:0:0:0:1 (localhost representation in IPv4 and IPv6)

    The microservices are installed with the IP address '127.0.0.1'. This address must be specified to ensure they are linked. If IP addresses have been changed in microservice configuration files, then these must also be allowed.

  • Public IP addresses of all microservice installations
  • Public IP addresses of all yuuvis® RAD server
  • Public IP addresses of all Elasticsearch servers

IP Filters for Management Endpoints

You can also configure which incoming IP addresses are allowed to access the management endpoints info, health, env, loggers, and metrics. The default setting allows access from all IP addresses: management.trusted.ipPattern: '.*'

The configuration is done the same way as with the configuration of the IP filters for services in the application-prod.yml configuration file via the parameter management.trusted.ipPattern.

You configure access to the management endpoints for individual services via the relevant file ...\services\service-manager\config\<service>-prod.yml. These have priority over configurations made via application-prod.yml.

If management filters are configured, then yuuvis® RAD services-admin must allow the address.

Access to the management endpoints is only allowed if access to the services is also allowed.