
IP-based access control

If you have a service running in the Platon PaaS that accesses an external service, you may need to update the firewall settings on the external service to allow access.

The source IP addresses for services running in Kubernetes will be the IP addresses of the NAT Gateways that the Kubernetes worker nodes use.

caution

The IP addresses of the PaaS Kubernetes NAT GWs are used by all services running in the Platon PaaS. This means that you allow all services in the Platon PaaS to connect to your service when you allow access from these IP addresses.

Depending on the data your service allows access to, it may therefore be necessary to also add other access control mechanisms, e.g. HTTP Basic authentication.
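The layering described in the caution above, as an added example (not Platon's own code): the external service treats the shared NAT gateway address only as a coarse filter and still requires per-client HTTP Basic credentials. The IP addresses are RFC 5737 documentation placeholders, and the credential store and function names are hypothetical.

```python
import base64
import binascii
import hmac
import ipaddress

# Constructed placeholders (RFC 5737 documentation addresses), not the real NAT GW IPs.
NAT_GATEWAY_IPS = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "203.0.113.11/32")]

# Constructed per-client credentials; in practice load these from a secret store.
CLIENT_CREDENTIALS = {"billing-service": "correct-horse-battery-staple"}


def ip_allowed(source_ip):
    """True if the connection comes from one of the shared NAT gateways."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in NAT_GATEWAY_IPS)


def basic_auth_user(header):
    """Return the authenticated user name, or None if the header is missing or wrong."""
    if not header or header[:6].lower() != "basic ":
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = CLIENT_CREDENTIALS.get(user)
    # Compare against a dummy value for unknown users so timing does not reveal valid names.
    ok = hmac.compare_digest(password.encode(), (expected or "\x00").encode())
    return user if (expected is not None and ok) else None


def authorize(source_ip, authorization_header):
    """Return the HTTP status the external service should answer with."""
    if not ip_allowed(source_ip):
        return 403  # not from the PaaS at all
    if basic_auth_user(authorization_header) is None:
        return 401  # from the PaaS, but could be any service sharing the NAT GWs
    return 200
```

Basic authentication sends the password with every request, so it should only be used over TLS.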

List of IP addresses

We maintain a list of these IP addresses in three locations:

  • The PaaS 2.0 AWS library group. This library group can be used to enable access to services running in Nova.

  • The PaaS 2.0 AWS (Hosts) group in Firewallbuilder. This can be used for hosts running on infrastructure where the router ACLs are managed by Firewallbuilder.

  • The paas2_workers Hiera data in Puppet. This can be used to manage iptables or other access control lists on hosts managed by Puppet.