Securing Microservices via IP Filters

yuuvis® RAD 7.x

You can configure which incoming IP addresses can access the services by setting up an IP filter.

The following rules apply:

  • IP filters in the application-prod.yml configuration file apply to all services that have no IP filter of their own. The default setting allows access from all IP addresses: trusted.ipPattern: '.*'

  • IP filters for individual services in the corresponding <service>-prod.yml configuration files apply only to those services. The IP filters from the application-prod.yml configuration file do not apply there.

  • As a general rule, access to the 'gateway' service must be permitted from all IP addresses. If IP filters are set up in the application-prod.yml configuration file, the gateway-prod.yml configuration file must therefore allow access from all IP addresses: trusted.ipPattern: '.*'

  • When yuuvis® RAD service-manager is installed, an IP filter for access to yuuvis® RAD core-service via the 'dms-sidecar' service is set up in the dms-prod.yml configuration file. The IP filters from the application-prod.yml configuration file do not apply here either.

To configure an IP filter for the services, follow these steps:

  1. Open application-prod.yml from the …\services\service_manager\config\ directory.
  2. Assign the required IP addresses to the trusted.ipPattern parameter.
  3. IP filters for individual services are created in the same way via the <service>-prod.yml configuration file. These filters apply only to that service.
  4. Save the configuration file and restart yuuvis® RAD service-manager.

When listing several addresses, each IP address must be enclosed in parentheses. The separator between addresses is a pipe ('|').

Since the value is a regular expression, periods in IPv4 addresses should be escaped with '\'; colons in IPv6 addresses need no escaping. The escaping can also be omitted to aid readability, but an unescaped period then matches any single character rather than only a period, so the filter becomes slightly broader than written.

You can check that a regular expression is correct at, for example, https://regex101.com/

Examples

Allowed access              Sample configuration
From all IP addresses       .*
From specified addresses    (10\.10\.10\.10)|(10\.10\.10\.11)| ... (10\.10\.10\.1x)
From address ranges         (10\.10\..*)|(192\.168\.[0-9]{1,3}\.[0-9]{1,3})|(172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3})

Note that a quantifier uses a comma ({1,3}, i.e. one to three digits), not a period, and that a numeric range such as 16 to 31 cannot be written as a character class ([16-32] is the characters '1', '2' and an invalid range '6'-'3'); it has to be spelled out as alternatives, as in the last example for the 172.16.0.0/12 block.

If IP filters for the services are configured, the following addresses must typically be allowed:

  • 127.0.0.1 and 0:0:0:0:0:0:0:1 (localhost representation in IPv4 and IPv6)

    The microservices are installed with the IP address '127.0.0.1'. This address must be permitted so that the services can reach each other. If IP addresses have been changed in microservice configuration files, those addresses must also be allowed.

  • Public IP addresses of all microservice installations
  • Public IP addresses of all yuuvis® RAD servers
  • Public IP addresses of all Elasticsearch servers
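The following script is an added example and not part of yuuvis® RAD; it shows how to test a trusted.ipPattern value offline before saving the configuration file. It assumes (as a safe implementation should) that the service compares the complete remote address against the pattern, so `re.fullmatch` is used; the `is_trusted_unanchored` function exists only to show why that assumption matters. The patterns and the sample addresses are constructed in the style of the examples and the localhost list above; the 172.x range is written out for the private block 172.16.0.0/12 (172.16 to 172.31). The `lint_pattern` helper is my own and flags the two mistakes that most often creep into hand-written patterns: a quantifier written as {1.3} and a numeric range written as a character class.

```python
import re
from typing import Dict, List

# Constructed patterns in the style of trusted.ipPattern (example values, not
# taken from an installation).
PATTERNS: Dict[str, str] = {
    "all": r".*",
    "localhost": r"(127\.0\.0\.1)|(0:0:0:0:0:0:0:1)",
    "specific": r"(10\.10\.10\.10)|(10\.10\.10\.11)",
    "ranges": (
        r"(10\.10\..*)"
        r"|(192\.168\.[0-9]{1,3}\.[0-9]{1,3})"
        r"|(172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3})"
    ),
}


def is_trusted(pattern: str, remote_addr: str) -> bool:
    """Whole-address test: the address is accepted only if the complete
    string matches one alternative of the pattern (assumed filter semantics)."""
    return re.fullmatch(pattern, remote_addr) is not None


def is_trusted_unanchored(pattern: str, remote_addr: str) -> bool:
    """Substring test, shown only to illustrate why anchoring matters: with
    search() semantics '110.10.10.10' contains '10.10.10.10' and would pass."""
    return re.search(pattern, remote_addr) is not None


def lint_pattern(pattern: str) -> List[str]:
    """Return warnings for common mistakes in a hand-written ipPattern value.
    An empty list means nothing suspicious was found."""
    try:
        re.compile(pattern)
    except re.error as exc:
        # e.g. '[16-32]': a character class with the illegal range 6-3,
        # not the numbers 16 to 32
        return [f"invalid regular expression: {exc}"]
    warnings: List[str] = []
    # '{1.3}' is a literal in Python and a syntax error in Java; '{1,3}' is meant
    if re.search(r"\{\d+\.\d+\}", pattern):
        warnings.append("'{m.n}' found: quantifiers use a comma, e.g. {1,3}")
    # an unescaped period between digits (or before '*') matches any character
    if re.search(r"\d\.(?:\d|\*)", pattern):
        warnings.append("unescaped '.' matches any character, not only a period")
    if pattern.strip() == ".*":
        warnings.append("pattern accepts every address")
    return warnings


def accepted_addresses(pattern: str, addresses: List[str]) -> List[str]:
    """Return the subset of addresses the pattern accepts (whole-address test)."""
    return [a for a in addresses if is_trusted(pattern, a)]


if __name__ == "__main__":
    # constructed sample of remote addresses as an access log might show them
    sample = ["127.0.0.1", "0:0:0:0:0:0:0:1", "10.10.10.10", "110.10.10.10",
              "10.100.1.1", "192.168.1.1", "172.31.200.1", "172.32.0.1"]
    for name, pat in PATTERNS.items():
        print(name, lint_pattern(pat), accepted_addresses(pat, sample))
    print(lint_pattern(r"(192\.168\.[0-9]{1.3}\.[0-9]{1.3})"))
    print(lint_pattern(r"(172\.[16-32]\..*)"))
```

Run the script against the addresses you expect to see (localhost in both notations, the microservice hosts, the yuuvis® RAD servers and the Elasticsearch servers) and confirm that every one of them is accepted and that addresses outside those ranges are not; an address that is accepted only by `is_trusted_unanchored` indicates that the pattern relies on anchoring the filter may not provide.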