AWS

The default Porter-managed Kubernetes cluster on AWS uses a Network Load Balancer (NLB) which forwards traffic to an on-cluster Nginx Ingress Controller. Whilst this provides the best performance, some users have a requirement to only provide access to the applications deployed on the Porter cluster from a set of allow-listed IP ranges. As an enterprise feature, Porter supports switching out the default NLB for an Application Load Balancer (ALB). This allows the user to allowlist up to 20 CIDR addresses using an AWS Security Group.

Requirements

  • A Porter-managed Kubernetes cluster
  • Access to your DNS provider. For this example, we will use CloudFlare, but Route53 is also supported.
  • A domain name which can be wildcarded. For this example, we will use stefan-2.porter.run
  • The list of CIDR addresses to whitelist. These must be full CIDR ranges, such as 10.2.3.4/32

Contact Porter

This process isn’t currently available through the dashboard. Until then, you must arrange a maintenance window with Porter. If you have a support agreement with Porter, reach out to your account representative. If not, drop us an email to support@porter.run using the below format:

Project Name:
Cluster Name:
Wildcard Domain:
Allowlisted IP ranges:

I acknowledge that this will cause minor downtime to our cluster during maintenance, and that my applications will not be publically routable momentarily.
  • Project Name can be found in the top-left corner of your Porter dashboard.
  • Cluster Name can be found in the Infra Settings or Infrastructure tab of your Porter Dashboard.
  • Wildcard Domain is the domain that you will use for protecting all applications. If you provide stefan-2.porter.run, both stefan-2.porter.run and all subdomains of stefan-2.porter.run will be added, such as dev.stefan-2.porter.run and testing.stefan-2.porter.run.
  • Allowlisted IP ranges should be a comma-separate list of valid CIDR addresses including netmasks, for example 10.123.3.1/32,10.123.3.19/32,10.123.4.1/32.

A Porter engineer will then contact you to arrange a timeslot in order to carry out the maintenance, which involves swapping out the NLB for an ALB.

DNS Validation

Skip this step if you are using Route53.

When your ALB is up and running, you will have to ensure that your new AWS Certificate Manager (ACM) Certificate is validated. AWS does this by creating a CNAME record which must resolve to an automatically generated value.

AWS

  1. In your AWS console, navigate to the region that your cluster was deployed in. You can find this from your Porter dashboard in the Infra Settings or Infrastructure section, in the Configuration tab.

  2. After selecting the correct region, search for “AWS Certificate Manager” in the AWS Console search bar.

  3. Select List Certificates from the bar on the left.

  4. Find the domain name which matches the domain that you provided to Porter, then click on the Certificate ID.

  5. The status for this certificate should be Pending validation. Pending Certificate

  6. Scroll down to Domains.

  7. Take note of the CNAME name and CNAME value. CNAME Name and Value

    • You may see multiple domains here, all with the same CNAME name and CNAME value. No need to worry about these.

  8. Go to your DNS provider. This will be CloudFlare in our case.

CloudFlare

  1. Select DNS then Records.

  2. Create a new record - Select CNAME for type.

    • Enter the value that you pulled from AWS for CNAME name in the Name field in CloudFlare.
    • Enter the value that you pulled from AWS for CNAME value in the Target field in CloudFlare.
    • Ensure Proxy status is disabled, and is in DNS only mode.
    • Set TTL to Auto.
    • Enter Porter-managed ACM Certificate Verification for YOUR_DOMAIN in the Comment field. This is not required, but is strongly recommended. Completed DNS Validation Record

  3. Return to the AWS console.

AWS

  1. Go to the ACM Certificate and refresh the page.
  2. If the status is still Pending Validation, wait 5 minutes then refresh again. You should now see that the status is Issued. Issued Certificate
  3. Your certificate is now issued, and can be used by your ALB.

Creating a CNAME for your wildcard domain

As a reminder, we are using stefan-2.porter.run as the address that we provided to Porter. All of our protected applications will be available at *.stefan-2.porter.run for example myapp.stefan-2.porter.run or whoami.stefan-2.porter.run.

  1. Go to your DNS provider. We will be using CloudFlare, but the settings should be similar in any DNS Provider. 1 Select DNS then Records.
  2. Create a new record.
    • Select CNAME for type.
    • Enter the wildcarded domain in the Name field i.e. *.stefan-2.porter.run.
    • Enter the ALB domain name in Target field. This will be provided to you by the Porter engineer.
    • Ensure Proxy status is disabled, and is in DNS only mode.
    • Set TTL to Auto. Completed DNS Wildcard Record
  3. You can now use this as a custom domain in Porter for you applications.

Adding a Protected Custom Domains to your Application

  1. Back in your Porter Dashboard, select the application that you would like to protect.
  2. Select Main tab, and scroll to Network Settings.
  3. Check Expose to external traffic if not already selected.
  4. Check Configure Custom Domain.
  5. Enter the FQDN for the application i.e. whoami.stefan-2.porter.run.
  6. Ensure that Enabled TLS and automatically create certificates is UNCHECKED`. Correctly Configured Application
  7. Done! You can now access the application through the domain at the top of your application screen.

Notes

  • You will be able to see the CIDR ranges that you have allow-listed in your AWS Console Security Groups. DO NOT update these from the AWS Console as they will be automatically reconciled to the values that were provided to Porter. This could cause security issues in your architecture. Always update the values through Porter to ensure maximum security.