Securing Microservices via IP Filters
IP filters can be set up both for services and management endpoints of the services.
IP Filters for Services
You can configure which incoming IP addresses can access the services.
The following rules apply:
- The IP filter in the application-prod.yml configuration file applies to all services for which no service-specific filter is configured. The default setting allows access from all IP addresses:
  trusted.ipPattern: '.*'
- An IP filter in a service's own <service>-prod.yml configuration file applies only to that service. For such a service, the filter in application-prod.yml does not apply.
- As a general rule, access to the 'gateway' service must be permitted from all IP addresses. If an IP filter is set up in application-prod.yml, the gateway-prod.yml configuration file must therefore allow all access:
  trusted.ipPattern: '.*'
- When yuuvis® RAD service-manager is installed, an IP filter for access to yuuvis® RAD core-service via the 'dms-sidecar' service is set up in the dms-prod.yml configuration file. As for any service-specific filter, the filter in application-prod.yml does not apply there.
To configure an IP filter for the services, follow these steps:
- Open application-prod.yml from the …\services\service_manager\config\ directory.
- Assign the required IP addresses to the trusted.ipPattern parameter.
- IP filters for individual services are created in the same way via the <service>-prod.yml configuration file. Such a filter applies only to that service.
- Save the configuration file and restart yuuvis® RAD service-manager.
In a list of addresses, each address must be enclosed in parentheses; addresses are separated by a pipe ('|').
Because the value is a regular expression, periods in IPv4 addresses should be masked with a backslash ('\'); colons in IPv6 addresses need no masking. Masking may be omitted for readability, but note that an unmasked period matches any single character, so the filter is then slightly wider than the literal address.
A regular expression can be checked before it is deployed, for example at https://regex101.com/
Examples
Allowed access | Sample configuration |
---|---|
From all IP addresses | .* |
From specified addresses | (10\.10\.10\.10)|(10\.10\.10\.11)| ... |(10\.10\.10\.1x) |
From address ranges | (10\.10.*)|(192\.168\.[0-9]{1,3}\.[0-9]{1,3})|(172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}) |
Note the regular expression syntax: the quantifier for one to three digits is {1,3} (with a comma, not a period). A character class such as [16-32] does not express the numeric range 16 to 32; a numeric range of octet values is written as an alternation of its possible values, so the second octet of the private range 172.16.0.0/12 (16 to 31) becomes (1[6-9]|2[0-9]|3[01]). Also be aware that (10\.10.*) admits every address whose text starts with 10.10, including 10.100.0.1 and 10.101.0.1.
If IP filters for the services are configured, the following addresses must typically be allowed:
- 127.0.0.1 and 0:0:0:0:0:0:0:1 (localhost in IPv4 and IPv6 notation)
The microservices are installed with the IP address '127.0.0.1' and use it to reach each other. This address must be allowed so that the services remain linked. If IP addresses have been changed in microservice configuration files, those addresses must be allowed as well.
- Public IP addresses of all microservice installations
- Public IP addresses of all yuuvis® RAD servers
- Public IP addresses of all Elasticsearch servers
IP Filters for Management Endpoints
You can also configure which incoming IP addresses are allowed to access the management endpoints info, health, env, loggers, and metrics. The default setting allows access from all IP addresses:
management.trusted.ipPattern: '.*'
The filter is configured in the same way as the IP filter for services, in the application-prod.yml configuration file, via the management.trusted.ipPattern parameter.
Access to the management endpoints of an individual service is configured via the relevant file ...\services\service-manager\config\<service>-prod.yml. A service-specific setting takes priority over the setting in application-prod.yml.
If management filters are configured, the address from which yuuvis® RAD services-admin accesses the services must be allowed.
Access to the management endpoints is granted only to addresses that the service filter (trusted.ipPattern) also allows; management.trusted.ipPattern can narrow that set further but cannot widen it.
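The following Python script is an added example, not part of the yuuvis® RAD product or its documentation. It builds a trusted.ipPattern value from a list of addresses and networks following the rules stated above (parenthesised alternatives separated by '|', periods masked), checks that the pattern compiles, and then tests sample addresses against both the service pattern and a management pattern, applying the rule that management access requires service access. The allow-list, the management restriction to one admin host, and the helper names (literal_pattern, cidr_pattern, build_pattern, validate_pattern, is_allowed, management_allowed) are constructed for this example. Whether the product applies the pattern as a full match or as a substring search is not stated on the page, so is_allowed() lets you try both; with a substring search a literal such as 10\.10\.10\.10 would also admit 110.10.10.10.

```python
"""Build and sanity-check trusted.ipPattern values offline (added example, not product code)."""
import ipaddress
import re

# One decimal octet. Also accepts 256-999, which never occurs in a real peer address,
# so it is harmless for filtering but is not a validator for IP syntax.
OCTET = r"[0-9]{1,3}"


def literal_pattern(ip: str) -> str:
    """One parenthesised, fully masked alternative for a single IPv4 or IPv6 address."""
    ipaddress.ip_address(ip)            # reject typos such as 10.10.10.1x early
    return "(" + re.escape(ip) + ")"    # masks '.', leaves ':' alone (Python 3.7+)


def cidr_pattern(cidr: str) -> str:
    """One parenthesised alternative covering an IPv4 network given in CIDR notation.

    Prefix lengths that are not a multiple of 8 (e.g. 172.16.0.0/12) are handled by
    enumerating the possible values of the partial octet; a character class such as
    [16-32] is NOT a numeric range and must not be used for this.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 networks are handled in this example")
    octets = str(net.network_address).split(".")
    full, bits = divmod(net.prefixlen, 8)
    parts = [re.escape(o) for o in octets[:full]]        # fixed octets, taken literally
    if bits:                                              # partially fixed octet
        base = int(octets[full])
        values = range(base, base + (1 << (8 - bits)))
        parts.append("(" + "|".join(str(v) for v in values) + ")")
        full += 1
    parts.extend([OCTET] * (4 - full))                    # free octets
    return "(" + r"\.".join(parts) + ")"


def build_pattern(entries) -> str:
    """Join single addresses and CIDR networks into one trusted.ipPattern value."""
    return "|".join(cidr_pattern(e) if "/" in e else literal_pattern(e) for e in entries)


def validate_pattern(pattern: str):
    """Return None if the pattern compiles, otherwise the regex engine's error message."""
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def is_allowed(ip: str, pattern: str, anchored: bool = True) -> bool:
    """Apply the filter as a full match (anchored) or as a substring search (unanchored)."""
    matcher = re.fullmatch if anchored else re.search
    return matcher(pattern, ip) is not None


def management_allowed(ip: str, service_pattern: str, management_pattern: str) -> bool:
    """Management endpoints are reachable only if the service filter also admits the caller."""
    return is_allowed(ip, service_pattern) and is_allowed(ip, management_pattern)


# Constructed allow-list: localhost (required), two service hosts and two private ranges.
ALLOWED = ["127.0.0.1", "0:0:0:0:0:0:0:1", "10.10.10.10", "10.10.10.11",
           "192.168.0.0/16", "172.16.0.0/12"]
SERVICE_PATTERN = build_pattern(ALLOWED)
# Constructed: management endpoints only from localhost and one admin host.
MANAGEMENT_PATTERN = build_pattern(["127.0.0.1", "0:0:0:0:0:0:0:1", "10.10.10.10"])

if __name__ == "__main__":
    print("trusted.ipPattern: '%s'" % SERVICE_PATTERN)
    print("management.trusted.ipPattern: '%s'" % MANAGEMENT_PATTERN)
    for ip in ["127.0.0.1", "10.10.10.11", "172.31.255.1", "172.32.0.1", "110.10.10.10"]:
        print(ip, "service:", is_allowed(ip, SERVICE_PATTERN),
              "management:", management_allowed(ip, SERVICE_PATTERN, MANAGEMENT_PATTERN))
    # Two common typos: [16-32] is rejected by the engine, {1.3} compiles but never matches 3 digits.
    print(validate_pattern(r"172\.[16-32]\..*"))
    print(is_allowed("192", r"[0-9]{1.3}"))
    # Unmasked periods widen the match ...
    print(is_allowed("10x10x10x10", "10.10.10.10"))
    # ... and an unanchored engine would admit 110.10.10.10 via the 10.10.10.10 literal.
    print(is_allowed("110.10.10.10", SERVICE_PATTERN, anchored=False))
```

Run the script and paste the printed trusted.ipPattern line into application-prod.yml (or the service-specific file); re-run it with the addresses that must stay reachable (localhost, the microservice hosts, the yuuvis® RAD and Elasticsearch servers) before restarting service-manager, since a filter that locks out 127.0.0.1 breaks the links between the services.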