In complex environments where different teams run their own Google Cloud projects, it is challenging to make sure that a service in one project can only be accessed by specific applications running in other Google Cloud projects. Complicated VPC peering and internal load balancing schemes are often unavoidable, and when multiple regions are involved it is sometimes not even possible to achieve cross-project communication without exposing services to the public Internet.

We recently came across an interesting challenge where a team wanted to expose their internal API as a Cloud Function and wanted to make sure that only authorized applications running in neighboring teams' GCP projects could invoke this function. …


Let us say that you do not want a www. subdomain for your website and want a 301 redirect to the non-www version. There are many ways of doing that, but luckily you are on AWS and you serve your domain via Route 53. You can then keep this redirect logic out of your application configuration by using native AWS tools: S3 and CloudFront are enough to accomplish this goal.

Following the infrastructure-as-code principle, I do not paste complicated steps or screenshots of the AWS console here; instead I share a CloudFormation template that will set up everything for…
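One way to lay out that redirect stack, written as an added example for this page rather than the template from the post itself (the post's own template is not reproduced here). It assumes a Route 53 hosted zone for the apex domain already exists, an ACM certificate covering www.<DomainName> issued in us-east-1 (CloudFront only accepts certificates from that region), and the parameter and logical resource names shown, which are illustrative:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: redirect www.<DomainName> to https://<DomainName> using an S3
  website bucket, a CloudFront distribution and a Route 53 alias record.

Parameters:
  DomainName:
    Type: String
    Default: example.com          # assumed apex domain
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id
  CertificateArn:
    Type: String
    Description: ACM certificate in us-east-1 covering www.<DomainName> (assumed to exist)

Resources:
  # The bucket holds no objects; S3's website endpoint answers every request
  # with a 301 to the apex domain before any object lookup, so no public-read
  # bucket policy is needed.
  RedirectBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub 'www.${DomainName}'
      WebsiteConfiguration:
        RedirectAllRequestsTo:
          HostName: !Ref DomainName
          Protocol: https

  RedirectDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: !Sub 'www.${DomainName} -> ${DomainName} redirect'
        Aliases:
          - !Sub 'www.${DomainName}'
        Origins:
          - Id: s3-website-redirect
            # WebsiteURL is "http://<host>", so the third '/'-separated field is the host.
            # S3 website endpoints speak plain HTTP only, hence a custom origin with http-only.
            DomainName: !Select [2, !Split ['/', !GetAtt RedirectBucket.WebsiteURL]]
            CustomOriginConfig:
              OriginProtocolPolicy: http-only
        DefaultCacheBehavior:
          TargetOriginId: s3-website-redirect
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: true
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2018

  WwwRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Sub 'www.${DomainName}'
      Type: A
      AliasTarget:
        DNSName: !GetAtt RedirectDistribution.DomainName
        # Fixed hosted zone ID shared by every CloudFront distribution
        HostedZoneId: Z2FDTNDATAQYW2

Outputs:
  RedirectDistributionDomain:
    Value: !GetAtt RedirectDistribution.DomainName
```

Two things worth checking after deploying a stack like this: that the bucket name exactly equals the www host name (S3 website hosting routes on the Host header, so a mismatch yields a 404 instead of a redirect), and that `curl -I https://www.example.com/path?x=1` returns a 301 with a `Location` header that preserves the path and query string, which is what `RedirectAllRequestsTo` does.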


Update 02/18/2018: I've upgraded the JavaScript file to ES6 and promises, updated the CloudFormation template to YAML for better readability, and improved the script to handle CloudFormation template deletion.

If you've ever worked in a corporate environment where the infrastructure is deployed on AWS, you have probably dealt with resources protected behind a VPC and sophisticated security groups. Normally we want only specific IP addresses to be able to reach our ELB, to reduce the attack surface and block access from the public Internet.

It is often a good idea to put a CloudFront distribution in front of your ELB and expose only the CloudFront distribution to the public Internet. In one scenario, we wanted to apply this principle in order to use different caching rules, apply WAF rules for more effective security and improve performance for clients in distant locations. However, it was not easy to block all access to the ELB except from CloudFront, because CloudFront's IP address space is large and changes over time. So how do you set up a security group that allows incoming traffic only from CloudFront? …

About

Çağatay Gürtürk

Software Development Manager @ebay, and Founder of @instelacom. Author of Building Serverless Architectures and AWS Certified Solutions Architect.
