Whitelist of IP for IBM Cloud Foundry Public (Bluemix)

Ong Khai Wei
Dec 29, 2018

IBM Cloud hosts one of the largest deployments of Cloud Foundry in the world. Personally, I like it a lot for quick prototyping: I can focus on developing and then push the code via the IBM Cloud command line interface or a DevOps toolchain.

It comes with a domain of *.mybluemix.net (great! I don’t need to buy a domain name). However, this can be troublesome, as most customers want to use their own domain (*.mybluemix.net means nothing to my company..).

In my job, I frequently get asked how to secure an application that runs in IBM Cloud Foundry Public. We can leverage a domain name and security services such as Cloudflare / Cloud Internet Service to address this requirement easily.

There are a few major steps to set up, but it is easy:

1. Get a domain name. In my case it is “aseantec.info”; I bought a domain for $1.99 at GoDaddy.

2. Creating and using a custom domain.

3. Provision / subscribe to a service in Cloudflare / Cloud Internet Service. Follow the instructions in its wizard to register your domain in Cloudflare / Cloud Internet Service. In this example I am using Cloudflare.

Make sure you enable the DNS to go through Cloudflare.

You may notice that I am no longer using IP addresses for the A/CNAME records. IBM Cloud IP addresses change constantly, so IBM provides custom domain endpoints, listed below:

  • US-SOUTH — custom-domain.us-south.cf.cloud.ibm.com
  • US-EAST — custom-domain.us-east.cf.cloud.ibm.com
  • EU-DE — custom-domain.eu-de.cf.cloud.ibm.com
  • EU-GB — custom-domain.eu-gb.cf.cloud.ibm.com
  • AU-SYD — custom-domain.au-syd.cf.cloud.ibm.com

4. Update the name servers at your domain name provider. In this case, that is Custom Name Servers in the GoDaddy Domain Manager.

5. Configure the domain mapping in the IBM Cloud Foundry Public app.

Upon provisioning, a *.mybluemix.net domain is assigned based on the application name. No public IP is exposed for this application; it depends on Server Name Indication to route the traffic to the right Cloud Foundry container. What we do here is remove the *.mybluemix.net domain and use our own custom domain.

After this, the original domain “aseantec.mybluemix.net” is no longer accessible.

6. Whitelist IP at Cloudflare / Cloud Internet Service

Create a firewall rule that only allows incoming traffic from particular IP addresses.

And the last step is to review the firewall rule and you are done!
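The rule from this step can be prepared and sanity-checked before it is pasted into the dashboard. The following is an added example, not code from the original post or from Cloudflare: the function names are hypothetical, the allowlisted addresses are constructed documentation ranges, the rule's action is assumed to be Block, and `http.host` / `ip.src` are fields of Cloudflare's rule expression language.

```python
import ipaddress

HOST = "aseantec.info"  # custom domain used in this article


def normalize_allowlist(entries):
    """Validate entries; return sorted, de-duplicated, collapsed networks."""
    nets = []
    for entry in entries:
        # strict=True rejects typos such as 203.0.113.7/24 (host bits set)
        net = ipaddress.ip_network(entry.strip(), strict=True)
        if net.prefixlen == 0:
            raise ValueError(f"{entry} matches every address, refusing")
        nets.append(net)
    if not nets:
        raise ValueError("an empty allowlist would block every visitor")
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def build_block_expression(host, entries):
    """Expression for a rule whose action is Block (assumed):
    requests for this host whose source is NOT in the allowlist."""
    items = []
    for net in normalize_allowlist(entries):
        single = net.prefixlen == net.max_prefixlen
        items.append(str(net.network_address) if single else str(net))
    ip_set = " ".join(items)
    return f'(http.host eq "{host}" and not ip.src in {{{ip_set}}})'


def would_block(host, src_ip, entries):
    """Local model of the rule's decision, for checking before deployment."""
    if host != HOST:
        return False  # the rule does not match other hostnames
    addr = ipaddress.ip_address(src_ip)
    nets = normalize_allowlist(entries)
    return not any(addr in n for n in nets if n.version == addr.version)


if __name__ == "__main__":
    # Constructed sample allowlist (documentation address ranges)
    allow = ["203.0.113.0/24", "198.51.100.7", "203.0.113.7/32"]
    print(build_block_expression(HOST, allow))
    for ip in ("203.0.113.200", "192.0.2.55", "2001:db8::1"):
        print(ip, "blocked" if would_block(HOST, ip, allow) else "allowed")
```

The rule is only evaluated for traffic that passes through Cloudflare, which is why the *.mybluemix.net route was removed in step 5.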

Now your IBM Cloud Foundry Public app is protected by a Cloudflare whitelist, in combination with the custom domain.

If you try to access it from an address that is not whitelisted, you will get an error message as below:
