I have set up an Amazon RDS instance, and I would like to allow only my Bluemix app to access it.

At the moment I have set up my EC2 security group to allow all MySQL traffic on port 3306, but it allows all IPs.

My understanding so far is that a Bluemix app has a dynamic instance IP that changes each time after staging.

How can I find a static IP of my Bluemix app? I have read that using either the cloud integration or secure gateway service can help, but I am unsure how to do this with an Amazon RDS instance.

Amit Kumar Gupta
Korush Mahdavieh
  • Is there a reason not to use the route name itself, e.g. myapp.mybluemix.net? – nitind Oct 31 '15 at 18:11
  • Unfortunately Amazon EC2 security groups require an IP address for all inbound and outbound traffic – Korush Mahdavieh Oct 31 '15 at 18:12
  • You might need to put some automation in place so that when the Bluemix app IP changes, you programmatically modify the RDS inbound DB security group to update the allowable source IP (or range). – jarmod Oct 31 '15 at 19:11
  • Bluemix is based on Cloud Foundry, which uses Linux container technology to run multiple apps from multiple tenants on a single VM. The upshot being that even if you could restrict the security group to a single IP, you're still exposed to malicious apps that may be colocated on the same container execution agent as your app. Another wrinkle is that you might have multiple instances of your app on multiple different agents. Also the IP of your app can change over time, e.g. if it's migrated to another agent due to a rolling upgrade of the agents. Question is, what is your actual security goal? – Amit Kumar Gupta Oct 31 '15 at 23:31
  • @AmitKumarGupta Thank you for your insight. I think my main security goal at the moment is to ensure that my RDS database is not publicly available. I am already connecting to the DB by SSL, so I thought this would be the next measure to ensure security of my data and app – Korush Mahdavieh Nov 01 '15 at 10:13

3 Answers

Please see my answer to a similar problem:
Dynamically changing Security group rules

To summarize, place a service either in AWS or near your Bluemix application. Create an IAM role to provide access for your service to change security group rules. You can see the documentation on AWS IAM. Use the security credentials (access_key and secretkey, region) in your service to access AWS APIs. So, your service will periodically check whether the Bluemix app's IP has changed and will update the security group if it has.

This can be used if you don't find any direct solution.

phoenix
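
The update step of the approach summarized in the answer above, as an added example that is not part of the original answer: it diffs a security group's port 3306 rules against the app's current IPs and issues the boto3 EC2 ingress calls. How the app's current IPs are discovered is not covered on this page, so they are passed in; `plan_ingress`, `apply_plan`, the sample group and its addresses are constructed for illustration.

```python
import ipaddress

DB_PORT = 3306  # MySQL port opened in the question's security group

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"][i]
SAMPLE_GROUP = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "198.51.100.7/32"}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "192.0.2.0/24"}]},
]}


def _perm(port, cidrs):
    """Build the IpPermissions structure the EC2 ingress calls expect."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c} for c in cidrs]}]


def plan_ingress(group, app_ips, port=DB_PORT):
    """Diff the group's IPv4 rules for `port` against the app's current IPs.

    Returns (revoke, authorize, review); `review` lists sources of broader
    rules (all-protocol or port ranges) that also expose `port`.
    Ipv6Ranges are not handled here.
    """
    desired = {str(ipaddress.IPv4Network(ip)) for ip in app_ips}
    if not desired or "0.0.0.0/0" in desired:
        raise ValueError("need at least one specific app IP")
    current, review = set(), []
    for p in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in p.get("IpRanges", [])]
        proto = p.get("IpProtocol")
        if proto == "tcp" and p.get("FromPort") == port == p.get("ToPort"):
            current.update(cidrs)
        elif proto == "-1" or (proto == "tcp"
                               and p["FromPort"] <= port <= p["ToPort"]):
            review.extend(cidrs)
    return sorted(current - desired), sorted(desired - current), sorted(review)


def apply_plan(ec2, group_id, revoke, authorize, port=DB_PORT):
    """Authorize new sources before revoking stale ones, so the app keeps access."""
    if authorize:
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=_perm(port, authorize))
    if revoke:
        ec2.revoke_security_group_ingress(
            GroupId=group_id, IpPermissions=_perm(port, revoke))
```

With boto3, `ec2` is `boto3.client("ec2")` and `group` is an entry from `describe_security_groups(GroupIds=[...])["SecurityGroups"]`.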

The only way is to create an IBM container to get a static, public IP assigned. Image your app, load it into the container, and then mount. It looks like IBM is limiting 2 IP containers per account - so use carefully.

bluemix


Korush,

Have you explored the Statica service that routes your traffic via a static IP?

Manglu
  • Statica is an outbound static IP service. It reroutes outbound requests through a specific IP address. It doesn't affect the public-facing IP (which is still dynamic) – aaaidan Jan 25 '17 at 15:36